Blog April 16, 2021

Remediating the downstream security challenges of IoT device manufacturer breaches

Since a Swiss hacktivist took control of more than 150,000 Verkada cameras a few weeks ago to illustrate how easy it is to hack embedded IoT devices, we’ve seen a drastic increase in reported hacks against IoT manufacturers.

Now, an anonymous whistleblower from Ubiquiti––a Silicon Valley-based IoT device maker––confirmed that customer account credentials were exposed with hackers gaining full read/write access to Ubiquiti databases in the cloud.

In his coverage of the incident, Brain Krebs suggests that if you have Ubiquiti devices installed you should: change the passwords on any devices that haven’t been changed since Jan. 11 of this year; delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, re-create those profiles with new (and preferably unique) credentials; and seriously consider disabling any remote access on the devices.

He’s spot on with this advice, it’s the first step in making sure IoT devices are secure––like locking your front door. But what happens if you have thousands, or even tens of thousands, of these devices installed? That is what organizations are facing as they react to IoT manufacturer breaches.

On average it takes 4 hours per year to manually secure each device. If an organization has 30,000 devices, that nets out to 120,000 man-hours per year to keep those devices secure without automation. 30,000 devices may seem like a lot or an exaggerated number, but consider that any device with a TCP/IP connection counts towards that total––entry access point devices, printers, security systems, KVM switches, biometric scanners, digital signage, smart lighting, logistics trackers, smoke detectors, air quality sensors, and the list goes on. In most office settings, employees pass through an average of 25 internet-connected devices just to enter the building.

The case for automating the basic security hygiene measures that keep IoT devices secure––inventory management, patching and credential management––becomes very clear when looking at the scale of typical IoT deployments. It’s unreasonable to think that IT teams can keep up with manual inventory, patching and credential management for thousands of devices. Especially considering that oftentimes devices are deployed without IT department knowledge or approval, as they are often owned and managed by other teams such as printer teams, facilities management or physical security teams.

With what we’ve seen of IoT device manufacturers being targeted during the first three months of this year, it’s likely that this trend will continue as the year progresses. We expect that the downstream security implications for users of these devices–government, enterprise and consumer alike–will continue to grow as well.

To get a better understanding of the devices on your network and eliminate the IoT security gap in your organization join us for a demo of the only enterprise IoT remediation platform available today––Phosphorus Enterprise.