Blog April 15, 2021

What happens to customers when an IoT device manufacturer gets hacked?

Canadian IoT device manufacturer, Sierra Wireless, suffered a ransomware attack on its internal IT systems that caused it to shut down production lines and withdraw its Q1 2021 financial guidance.

Sierra reported that customer-facing IoT products weren’t affected because its IT systems for internal and customer operations are separated. However, there are many questions that still have not been answered – at least publicly – including:

  • How long ago did the breach occur?
  • Was customer data ultimately impacted or could it be impacted?
  • What kind of ransomware was it? What demands were made and has it been paid?

After learning of the attack on March 20, Sierra Wireless IT and operations teams quickly implemented established counter-attack measures and are working with a third-party to investigate the attack.

2021 is not starting out kind to IoT vendors. Between Verkada and this attack, it is a clear reminder that IoT security risks can initiate earlier in the supply chain process, to the manufacturer, or one of its supply chain partners.

When considering these two latest hacks on IoT manufacturers, key questions come to mind: To what extent are a customer’s own efforts to secure IoT devices undermined if the device manufacturers themselves have left the devices vulnerable? And what, if anything, can the organization do to mitigate this risk?

The answers, unfortunately, are complicated.

Hacks along the supply chain not only open up device manufacturers to vulnerabilities, but can also open up customers to unwittingly bringing compromised devices into the fold. However, most organizations aren’t taking device security seriously enough long before these hacks started to occur.

Basic security measures for IoT devices often go overlooked as part of a broader cybersecurity posture. The average timeframe for applying vulnerability patches and rotating credentials is seven years, making them the softest targets on the network today. Considering that IDC predicts that as many as 152,200 IoT devices will be connecting to the internet every minute in 2025, that’s a risk that’s too big to ignore.

As part of a zero-trust strategy, which verifies users’ credentials each time they try to access data, organizations should pay close attention to the “things” that make up a large part of their technology footprint. In fact, recent data from IBM estimates that more than 40% of the average enterprise network is IoT devices.

Device manufacturers, and their customers alike, should be regularly taking inventory, applying patches and rotating credentials to protect IoT devices. If this sounds like a massive job given the number of Things in a typical technology stack, you’d be right. But, automation of these basic security hygiene measures can help IT teams scale alongside the growth in devices.

Luckily, there is a lot that organizations can do to shore up their own defenses. By automating basic security measures, such as inventory management, patching and credential management, organizations can protect the influx of devices on the network while being careful not to overtax IT teams.

To learn more about automated remediation of the biggest threats facing IoT devices––out of data firmware and default credentials––please check out our on-demand webinar on the Verkada hack.