Report: IoT devices a popular target for hackers

Move over, compromised employee laptops, hacked personal phones, and company servers. A survey from Forrester found that the No. 1 target in external attacks was Internet-of-Things, or IoT, devices.

The top spot for IoT demonstrates how the range of tough-to-track enterprise devices—from printers to projectors to smart refrigerators—are attractive to hackers. The internet-connected gadgets hold valuable data and can form a command-and-control point to reach other devices in a network.

“People think, ‘You can’t do a full-blown attack off of this device,’” said Paddy Harrington, a senior analyst at Forrester. “Well, people prove them wrong.”

What’s IoT to ya? An Internet-of-Things device can be defined as a nonstandard computing device that connects wirelessly to a network and can transmit data. (Looking at you, smart toilet.) For an enterprise, that could include a printer, a smart refrigerator, or a camera.

Those unassuming devices pose unique security risks as entry and pivot points, according to Microsoft’s 2022 Digital Defense Report. “Millions of IoT devices are unpatched or exposed,” the study said.

Hackers recently have looked for—and often found—vulnerabilities in IoT devices at both home and the office, including garage doors, smart intercoms, and casino fish tanks.

Forrester’s found that 33% of 490 global security decision-makers surveyed said that IoT devices had been targeted in an external attack, ranking just above employee- or corporate-owned mobile devices or computers. (A study from the previous year observed IoT to be a leading, but not the No. 1, vector.)

The open ports, often used for remote management of devices, can be found by hackers and their scanning tools, and can then become “pivot points,” as Microsoft calls them, which allow unauthorized users to access those ports.

“This can now be my command-and-control point in the network,” Harrington said. “Or this can simply be a way I can compromise that device, reside on it long term, and now start probing your network to find other things that I can attack.”

Some advice:

• Asset management tools offer passive and active scans to find a network’s many connected devices, including that outdated private radio.
• Is that bulk scanner still in the office? Check on the firmware of devices and make sure they’re updated and not past their end of life.
• If a device is no longer supported by its manufacturer, enact firewall rules that understand connectivity changes or a new presence on the network, Harrington said. Maybe an Airplay device that usually connects to Apple suddenly connects to an AWS site? Maybe a device that normally sends 1 megabyte of data is now all of a sudden sending 5 MBs. Intrusion detection systems can spot suspicious activity.

One reason why IoT might be a top target: The devices are perceived to be simple and performing basic tasks.

“It’s been pushed to the side for such a long time,” Harrington told IT Brew.

Maybe not anymore. IoT is No. 1.