The bulk of major corporate hacks follow time-tested strategies, like phishing emails that trick employees into giving up their credentials, or hackers exploiting a bug in a web portal. While effective, these strategies also open an attacker to early detection. So increasingly, hackers have taken the scenic route—through the Internet of Things.
Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks. These aren't using data-stealing missions. But researchers from the IoT security firm Senrio have shown that a company's publicly exposed IoT devices can form an unsupervised backroad path into networks. Attackers can jump from one vulnerable IoT device to the next, totally bypassing mainstream devices like PCs and servers, and charting a course that's much harder to detect.
“We were seeking to answer the question ‘why does one device matter?’” says M. Carlton, Senrio’s vice president of research. “An attack like this shows why it’s important to know what’s really on your network. These devices are all connected to each other and can create a hole in the network. It would be very difficult to catch this.”
Internet of Hacks
Many, many IoT gadget characteristics make them risky to deploy. Manufacturers tend to patch vulnerabilities slowly, if at all. Each model of each device is a special snowflake, running inscrutable, proprietary code and making it difficult to create one-size-fits-all security scanning tools. Meanwhile, large institutions and industrial environments already struggle to prioritize PC and server patching; finding and cataloging IoT devices and hustling to apply every update quickly becomes unwieldy. So