Complex Made Simple

2020 Unit 42 IoT Threat Report, revealing declining IoT security posture

While the internet of things (IoT) opens the door for innovative new approaches and services in all industries, it also presents new cybersecurity risks

98% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network.

57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.

Seeing a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks on medical organizations.

According to a 2019 Gartner report, “By the end of 2019, 4.8 billion [IoT] endpoints are expected to be in use, up 21.5% from 2018.” While the internet of things (IoT) opens the door for innovative new approaches and services in all industries, it also presents new cybersecurity risks. To evaluate the current state of the IoT threat landscape, the Unit 42 threat intelligence team analyzed security incidents throughout 2018 and 2019 with the Palo Alto Networks IoT security product, Zingbox®, spanning 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States. We found that the general security posture of IoT devices is declining, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten. This report details the scope of the IoT threat landscape, which IoT devices are most susceptible, top IoT threats, and actionable next steps to immediately reduce IoT risk.


IoT devices are unencrypted and unsecured

98% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network. Attackers who’ve successfully bypassed the first line of defense (most frequently via phishing attacks) and established command and control (C2) are able to listen to unencrypted network traffic, collect personal or confidential information, and then exploit that data for profit on the dark web. 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers. Because of the generally low patch level of IoT assets, the most frequent attacks are exploits via long-known vulnerabilities and password attacks using default device passwords.

IoMT devices are running outdated software

83% of medical imaging devices run on unsupported operating systems, which is a 56% jump from 2018, as a result of the Windows® 7 operating system reaching its end of life. This general decline in security posture opens the door for new attacks, such as cryptojacking (which increased from 0% in 2017 to 5% in 2019), and brings back long-forgotten attacks such as Conficker, which IT teams had long been immune to. The internet of medical things (IoMT) devices with the most security issues are imaging systems, which represent a critical part of the clinical workflow. For healthcare organizations, 51% of threats involve imaging devices, disrupting the quality of care and allowing attackers to exfiltrate patient data stored on these devices.


Healthcare organizations are displaying poor network security hygiene

72% of healthcare VLANs mix IoT and IT assets, allowing malware to spread from users’ computers to vulnerable IoT devices on the same network. There is a 41% rate of attacks exploiting device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses. We’re seeing a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data, and monetary profit via ransomware.
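The two posture indicators above (the share of IoT traffic that is unencrypted, and the share of VLANs that mix IoT and IT assets) are the kind of thing a defender can measure from their own inventory and flow data. The script below is an added example written for this page; it is not Unit 42's or Zingbox's tooling, and the device inventory, flow records, and the port-to-protocol labels it uses are constructed. It assumes an inventory where each device is already classified as "iot" or "it" and assigned a VLAN, and flow records that name the application protocol; which protocols count as encrypted is an assumption set in ENCRYPTED_PROTOCOLS.

```python
"""Audit a device inventory and flow records for two risks the report
highlights: unencrypted IoT traffic and VLANs mixing IoT with IT assets.
Added example for this page; all data below is constructed."""

from collections import defaultdict

# Constructed inventory: (device name, asset class, VLAN id).
INVENTORY = [
    ("infusion-pump-01", "iot", 10),
    ("ct-scanner-01", "iot", 10),
    ("nurse-station-pc", "it", 10),   # IT workstation sharing VLAN 10 with IoT
    ("ip-camera-03", "iot", 20),
    ("ip-camera-04", "iot", 20),
    ("finance-laptop", "it", 30),
    ("print-server", "it", 30),
]

# Constructed flow records: (source device, destination port, protocol label).
# The protocol label is assumed to come from an upstream classifier.
FLOWS = [
    ("infusion-pump-01", 80, "http"),
    ("infusion-pump-01", 443, "https"),
    ("ct-scanner-01", 104, "dicom"),       # plaintext DICOM association
    ("ct-scanner-01", 104, "dicom"),
    ("ip-camera-03", 554, "rtsp"),
    ("ip-camera-04", 8443, "https"),
    ("nurse-station-pc", 443, "https"),
]

# Assumption: only these protocol labels are treated as encrypted.
ENCRYPTED_PROTOCOLS = {"https", "ssh", "tls", "dicom-tls"}


def iot_devices(inventory):
    """Names of every device classified as IoT."""
    return {name for name, asset_class, _vlan in inventory if asset_class == "iot"}


def mixed_vlans(inventory):
    """VLAN ids that carry both IoT and IT assets (lateral-movement risk)."""
    classes_by_vlan = defaultdict(set)
    for _name, asset_class, vlan in inventory:
        classes_by_vlan[vlan].add(asset_class)
    return sorted(v for v, classes in classes_by_vlan.items() if {"iot", "it"} <= classes)


def mixed_vlan_ratio(inventory):
    """Fraction of all VLANs that mix IoT and IT assets."""
    vlans = {vlan for _name, _cls, vlan in inventory}
    return len(mixed_vlans(inventory)) / len(vlans)


def unencrypted_iot_flows(inventory, flows):
    """Flow records sourced by IoT devices that use a non-encrypted protocol."""
    iot = iot_devices(inventory)
    return [f for f in flows if f[0] in iot and f[2] not in ENCRYPTED_PROTOCOLS]


def unencrypted_iot_ratio(inventory, flows):
    """Fraction of IoT-sourced flows that are unencrypted."""
    iot = iot_devices(inventory)
    iot_flows = [f for f in flows if f[0] in iot]
    if not iot_flows:
        return 0.0
    return len(unencrypted_iot_flows(inventory, flows)) / len(iot_flows)


def exposed_devices(inventory, flows):
    """IoT devices observed sending at least one unencrypted flow."""
    return sorted({f[0] for f in unencrypted_iot_flows(inventory, flows)})


if __name__ == "__main__":
    print("VLANs mixing IoT and IT:", mixed_vlans(INVENTORY))
    print("Mixed-VLAN ratio: %.0f%%" % (100 * mixed_vlan_ratio(INVENTORY)))
    print("Unencrypted IoT traffic: %.0f%%" % (100 * unencrypted_iot_ratio(INVENTORY, FLOWS)))
    print("IoT devices sending plaintext:", exposed_devices(INVENTORY, FLOWS))
```

On the constructed data, VLAN 10 is the only mixed VLAN (one of three), and four of the six IoT-sourced flows are plaintext. Run against a real inventory export and flow log, the same two functions give a site its own versions of the report's headline figures and a concrete list of devices and VLANs to segment or put behind TLS first.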

IoT-focused cyberattacks are targeting legacy protocols

There is an evolution of threats targeting IoT devices using new techniques, such as peer-to-peer C2 communications and worm-like features for self-propagation. Attackers recognize the vulnerability of decades-old legacy OT protocols, such as DICOM, and are able to disrupt critical business functions in the organization.