More Endpoints, More Problems. Here’s How IoT Can (and Should) Fight Back in 2025.

Great growth demands great responsibility in IoT. Let’s make sure devices deliver on their promise without compromising our security.

Published on Jan. 17, 2025

The Internet of Things has never seen so many devices come online in such a short period.

IoT Endpoint Statistics

Post-pandemic, endpoint numbers are booming. Experts expect them to double over the next decade, from 10 billion in 2020 to 40 billion worldwide in 2033.

There’s no denying that devices like smart doorbells, connected tablets and industrial controllers are integral to the smart home, office and warehouse. But, on the other hand, we can’t ignore how bigger device ecosystems are creating greater attack vectors and enabling bad actors.

This is reflected in a recent report from Verizon and the overall feeling on the ground. Take a look at the news and you won’t have to look far for malware sneaking in the backdoor and compromised devices becoming powerful and frightening botnets. Clearly, as more devices come online, admins need new tools and know-how to best protect themselves. 

Let’s explore how they can — and should — fight back in the new year.


How Booming Endpoints Are a Double-Edged Sword

As someone who’s worked in this space for more than two decades, I find the ongoing endpoint boom equal parts exciting and concerning. Of course, as both a connected device fan and platform creator, I can see the sector proving its value across various contexts. For business insights or home conveniences, enterprise and home consumers are finding newfound usefulness for our products. This is the kind of mainstream moment that many have waited years for.

This level of adoption, however, comes with security and privacy pitfalls that keep me up at night. For starters, cheaper devices often ship with dangerous security gaps and rely heavily on cloud connections. If breached, devices reveal sensitive data points and can introduce cameras and microphones into our most private spaces. These kinds of backdoors on a growing scale should set off alarm bells.

The Verizon study demonstrates the dangers of leaving devices unprotected. Today, 95 percent of surveyed organizations are actively using IoT devices, according to the study. Companies aren’t always adequately protecting them, though. In critical infrastructure sectors, more than half state that they have experienced severe security incidents that led to data loss or system downtime. In this landscape, endpoints are double-edged swords, delivering more insights and more security problems.

Why the IoT Security Situation Is Dire

Hackers are thriving in this new digital status quo. IoT malware attacks are up 400 percent year-on-year thanks to smarter phishing methods, remote work adoption and default security vulnerabilities. 

Once inside a device, malware wreaks havoc in multiple ways. At the most basic level, it can steal sensitive data like passwords, financial information and other personal details. It can also hijack cameras and microphones for surveillance, manipulate device settings and operations or install ransomware that locks you out until payment. More insidiously, compromised devices can act as gateways, allowing attackers to move laterally through networks to reach high-value targets like industrial systems or corporate databases.

Hackers are even using compromised devices to make ever-larger botnets — networks of systems they can hijack for coordinated attacks. The scale of this threat is up significantly: devices involved in botnet-driven distributed denial-of-service attacks jumped from 200,000 to 1 million in just one year, now generating more than 40 percent of all DDoS traffic, according to Nokia. As a result, these massive botnets are increasingly being weaponized by state-sponsored groups and profit-driven cybercriminals to disrupt telecom services.

Something’s got to give. If we’re going to continue to adopt greater device numbers at work and home — and I hope that we will — we require stronger frameworks and better standards across the board.


How Device Users and Admins Can Fight Back

The good news is that both large-scale initiatives and individual actions can improve device security. At the regulatory level, major reforms are set to launch in 2025. The European Union’s Cyber Resilience Act is taking aim at basic vulnerabilities, banning default passwords, and requiring manufacturers to support devices throughout their lifespan.

In the United States, the Cyber Trust Mark is driving change through market incentives, encouraging manufacturers to meet security baselines in exchange for a product tick of approval. Both initiatives are a welcome start to weeding out the bad apples and enforcing bare minimums in this device wild west.

These are great initiatives for the long term but leave a gap in the interim. While waiting for regulations to kick in, users and businesses should take immediate steps to strengthen their device security. On the simpler side of things, prefer known makes and models. Bigger brands, despite premium prices, often deliver a better bang for your buck in terms of performance and security. Budget-friendly devices are tempting, but you’ll often pay for them in security backdoors and a greater likelihood of being hacked. The savings simply aren’t worth the lost peace of mind.

On the more technical side, take extra precautions to shut out bad actors. For example, moving device communication away from the cloud is a good way to cut out middleman servers, where traffic can be intercepted. Instead, adopt peer-to-peer connectivity and IoT platforms with direct communication. Likewise, ensure your connection is encrypted and that your logins require multi-factor authentication, and segment your devices and networks to prevent lateral movement.

When it comes to data and device storage, keep it under your own local network lock and key. Keeping things at the edge rather than the cloud not only removes your information from public networks but also delivers better performance through reduced latency — a win-win for both protection and speed.

While I’m optimistic these are growing pains that users, makers and regulators are actively addressing, securing our connected future requires vigilance from all stakeholders.
