Mitigating IoT security risks through the use of deception technology

oT presents an unconventional attack surface, opening additional access points where attackers can establish a foothold and exploit corporate networks — often undetected by traditional perimeter defenses. A recent Kaspersky Labs report confirmed that these weaknesses are being exploited with alarming regularity. In the first half of 2018 alone, researchers identified three times as many malware samples attacking IoT-enabled devices than in all of 2017 — and 10 times the 2016 total. Not only are attackers aware of these vulnerabilities, they are targeting them at an accelerating rate.

Recognition of this threat is growing, not just within the industry, but within law enforcement as well. This August, the FBI issued a public service announcement titled “Cyber Actors Use Internet of Things as Proxies for Anonymity and Pursuit of Malicious Cyber Activities.” The PSA warned both manufacturers and users of IoT-enabled devices of the vulnerabilities inherent to the network and common ways that attackers attempt to exploit them. While the PSA also made a number of suggestions regarding how to address these vulnerabilities, these recommendations are neither comprehensive nor enforceable.

States, too, have begun to take notice, and this year California became the first state in the U.S. to pass a bill regulating IoT security. The bill, SB-327, will require manufacturers to equip connected devices with a “reasonable security feature or features that are appropriate to the nature and function of the device” when it takes effect in January 2020. The bill also includes specific security measures, including a mandate that smart devices must come preprogrammed with a password “unique to each device manufactured”– a statute aimed at addressing one of the most well-known IoT vulnerabilities, and one famously exploited by malware such as the Mirai botnet.