Security researcher Andrei Costin started working from home many years ago, and when it comes to securing internet of things (IoT) devices, he has had his fair share of eyebrow-raising moments. “There were several instances where I had replaced my home routers because the vendor did not provide security fixes nor firmware updates,” Costin says, adding that current security practices are not keeping up with the changing landscape of working from home.
Costin, who is a senior lecturer in cybersecurity at the University of Jyvaskyla, Finland, and the co-founder of IoT cybersecurity startup binare.io, says that remote work poses additional risks not only for employees, but for companies, too. “If an employee’s smartphone is connected to the company network via VPN, but is paired with CCTV systems, wellness trackers, or light bulbs, there is a risk for potential malicious gateway,” Costin says.
The Palo Alto Networks Unit 42’s IoT Threat Report paints a grim picture: “57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers,” the study reads. Moreover, the researchers found that 98% of all IoT traffic is unencrypted, exposing confidential data on the network.
In fact, in 2020, IoT devices were to blame for 32.72% of all infections detected in mobile networks, up from 16.17% the year before, according to Nokia’s Threat Intelligence Report. Researchers believe that the numbers will continue to increase “dramatically” in the years to come as people continue to purchase more products.
Every consumer device an employee connects to their router or smartphone increases the potential attack surface for a company now that many people work from home. “Many IoT devices people buy, such as smart light bulbs, are less secure than enterprise-level equipment or even normal PCs, laptops, or smartphones,” Costin says.