Remote work raises threats from consumer IoT devices

With the rise of working from home, companies need to protect themselves against a wide range of consumer devices, including smart light bulbs.

Security researcher Andrei Costin started working from home many years ago, and when it comes to securing internet of things (IoT) devices, he has had his fair share of eyebrow-raising moments. “There were several instances where I had replaced my home routers because the vendor did not provide security fixes nor firmware updates,” Costin says, adding that current security practices are not keeping up with the changing landscape of working from home.

Costin, who is a senior lecturer in cybersecurity at the University of Jyvaskyla, Finland, and the co-founder of IoT cybersecurity startup binare.io, says that remote work poses additional risks not only for employees, but for companies, too. “If an employee’s smartphone is connected to the company network via VPN, but is paired with CCTV systems, wellness trackers, or light bulbs, there is a risk for potential malicious gateway,” Costin says.

The Palo Alto Networks Unit 42’s IoT Threat Report paints a grim picture: “57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers,” the study reads. Moreover, the researchers found that 98% of all IoT traffic is unencrypted, exposing confidential data on the network.

In fact, in 2020, IoT devices were to blame for 32.72% of all infections detected in mobile networks, up from 16.17% the year before, according to Nokia’s Threat Intelligence Report. Researchers believe that the numbers will continue to increase “dramatically” in the years to come as people continue to purchase more products.

Every consumer device an employee connects to their router or smartphone increases the potential attack surface for a company now that many people work from home. “Many IoT devices people buy, such as smart light bulbs, are less secure than enterprise-level equipment or even normal PCs, laptops, or smartphones,” Costin says.

Until recently, the responsibility of protecting home IoT devices fell in the hands of the user. Now, many internet providers and businesses are stepping in, coming up with solutions—some of which are easy to apply. 

Users often judge risk poorly

The boundaries between work and home had started to collapse even before the massive shift of 2020, which only accelerated the trend. Many businesses, though, felt unprepared to deal with an increased attack surface due to remote work. Comcast’s Cyber Health Report found that “the new normal” made 86% of the users rely more on their home internet connection, while an AT&T survey showed that 64% of the businesses in the Asia-Pacific region felt more vulnerable to attacks because of the increase in remote working. 

In many homes, employees still use the same ISP line as their myriad IoT devices, some of which are unpatched. A typical American household has 12 smart gadgets on average, and in some homes the number can go as high as 35, according to Comcast. “A lot of the IoT devices are invisible; they kind of fade into the background,” Comcast’s CISO Noopur Davis says. 

Often, these gadgets have very little security built in. “They are relatively low-priced, they are made by companies with small profit margins, and the market is highly competitive,” says Costin.

Most users tend to underestimate how often their IoT devices are hit. They believe, on average, that their homes are attacked 12 times over the course of a month, when in reality it happens nine times more often, according to Comcast. Soon after companies made the decision to keep their employees at home, researchers saw a 12% growth in attacks, as hackers leveraged the increased online activity of connected homes.

There’s a gap between what we think we do and what we actually do, Davis says. Eighty-five percent of the respondents claimed they are taking all the necessary security precautions to protect their home network. Still, many admitted that they neglect to update the firmware of their devices, leaving them open to compromise. 

“It’s like diet and exercise,” Davis says. “We all know what’s the right thing to do, but as soon as it becomes hard, we kind of take the easy way out. This is a challenge to our industry.”

How users, service providers, companies keep the network safe

The corporate network has never been a safe haven, but the shift to remote working made the process of keeping everything secure even harder. The European Union Agency for Cybersecurity has issued recommendations for employees working from home, such as turning off and unplugging devices not used in a long time to reduce the attack surface, and doing a factory reset before disposing of them. 

Comcast’s Davis also advises employees working from home to enable multifactor authentication whenever possible and turn on auto-updates on their devices to get security patches as soon as they are released. 

They should also use the security tools their service providers offer. Comcast’s xFi Advanced Security, for example, allows home users to monitor their home through a dashboard and get real-time notifications if one of their devices starts behaving strangely. The tool, available free of charge to their 20 million clients who use xFi Gateways, is a competitor to devices such as the Netgear Armor powered by Bitdefender.

When a customer installs, for instance, a smart thermostat, xFi Advanced Security recognizes the vendor, the model number, and the software version. Then, the tool uses artificial intelligence to learn what normal behavior of each device is. When things go awry, it blocks threats in real-time at a customer’s broadband gateway before the traffic enters the home.

To further increase security, the internet provider also open-sourced its own service for digital certificates, xPKI, designed for the small footprint of IoT devices with limited memory and computing power. Individual xPKI certificates are securely embedded in products at the time of manufacturing.

As for the supply chain, often targeted by attackers, as happened in the recent SolarWinds breach, the internet provider tries to secure it all the way from the hardware of the device to the operating system and the applications, an approach that’s called Chip-to-Cloud security.

“Chip-to-Cloud Continuous Security (3CS) is a security framework that is designed to allow Comcast devices to establish secure tunnels to the cloud, using specialized security chips,” a spokesperson said. “Using this framework, the secure tunnel is established from the specialized chip to a cloud service, making it opaque to the rest of the operating system, including system processor and main memory. This helps to provide protection from memory attacks, side-channel attacks and business logic errors.”

Internet providers and users are not the only ones responsible for increasing the security of IoT devices. Companies that employ remote workers need to step in, too, Costin says. One suggestion is to cover the costs of an additional ISP line, so that the employee could set up a separate network for their home devices, as well as a separate one only for remote work.

“If everything goes via a single ISP router/modem, make sure that the router/modem is not directly VPN-ed into the enterprise network,” Costin says. “This can expose the enterprise network more to the attacks coming directly from compromised consumer devices.”

He also advises against posting information about the work from home setup online, because it might give hints to potential hackers who could stage targeted attacks. 



Copyright © 2021 IDG Communications, Inc.
