Study: Consumer security savvy is way behind IoT threat landscape

With the rapid expansion of Internet-connected devices, both consumer and industrial, the cyber-threat landscape is growing faster than individuals’ ability to keep up. Consumer prowess at noticing threats, much less defending against them, is lagging. With consumers indifferent about securing their web touchpoints comes risks to commerce as well as public and private infrastructure and systems.

Comcast’s biennial take on consumer cyber health, the 2022 Xfinity Cyber Health Report, found that there are an average of 15 connected devices per household, up 25% from 2020 — with “power users” having as many as 34.

Home IoT: Backdoor to infrastructure attacks

The implications are not just dire for individuals: Vulnerabilities at any node — whether a home climate control system, car, or major appliance — can serve as entry points for threat actors, according to Yury Dvorkin of Johns Hopkins University’s Ralph O’Connor Sustainable Energy Institute, an expert on power infrastructure and cyber-physical resiliency.

SEE: Internet of Things (IoT) cheat sheet: Complete guide for 2022 (TechRepublic) 

Must-read security coverage

• UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
• Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
• How GitHub Is Securing the Software Supply Chain
• 8 Best Enterprise Password Managers

“The hypothesis that such IoT devices can be hacked at scale is something that underpins our work on EV security,” Dvorkin said.

Dvorkin co-authored research on how EVs and other high wattage appliances can be subject to demand-side cyberattacks with implications for the grid. This is because they have IoT communication and control interfaces, including integration with smartphone apps.

The poster-child for IoT vulnerabilities might well be the infamous Mirai botnet DDoS attack that in 2016 infected over a half-million IoT devices with factory-set default authentication credentials. The attack on the Dyn DNS provider temporarily took down Airbnb, PayPal and Twitter, and it cost Dyn roughly 8% of its customers.

“An attacker can potentially modify the power consumption of compromised IoT-controlled loads to maliciously cause load shedding, reduce security margins or even trigger a cascading failure,” Dvorkin said.

Why you’re underestimating the cybersecurity risk

Noopur Davis, chief information security and product privacy officer at Comcast, wrote in the study that the rapid cultural shift to remote and hybrid work and the evolution and growth of IoT has “continued to blur the lines between our professional and private lives, which — unknowingly to many — create new vulnerabilities and openings for cybercriminals” (Figure A).

Figure A

In the paper, which combines data from a new consumer survey with threat data collected by Comcast’s Xfinity’s xFi Advanced Security platform:

• 58% of survey respondents reported that they plan to buy at least one connected device during the upcoming holiday shopping season.
• 61% either somewhat, strongly or completely believe (erroneously) that new smart home devices are protected from most cyber threats by default.
• 78% of respondents admitted to risky online behaviors that open them up to cyber threats, such as reusing or sharing passwords and skipping software updates — a 14% percent increase from just two years ago
• When asked how soon they would know whether they were a victim of a cyberattack, only 20% said immediately, while roughly one-third (32%) of consumers said they aren’t sure they’d ever know if they were a victim of a cyberattack and 51% of respondents noted they are not really confident that they would know if a non-screen device was hacked.
• Three-quarters of Americans wrongly believe that fewer than 10 attacks hit their home network every month — Comcast reported that security protocols block an average of 23 unique threats per household each month, with the total number of attacks actually landing at three-to-four times that number, as many attacks are repeated.

SEE: Top 5 ways industrial IoT differs from IoT (TechRepublic)

On the plus side, the study found an improvement in people’s general awareness of threats: In the 2020 study, 53% of respondents had heard of phishing, but only 28% believed they could confidently describe what it is. In the new survey, 71% of respondents said they’ve heard of phishing, with 39% noting they’d be able to confidently explain it (Figure B).

Figure B

Generational differences in personal cybersecurity

Nearly three-quarters of baby boomers said they take such risks as reusing passwords and declining multifactor authentication, but 80% of Generation X, 82% of millennials and 87% of Generation Z said the same.

A little over three quarters of millennials surveyed said they are most likely to purchase a smart device this holiday season, including new smartphones, laptops and gaming consoles. Only 56% of Gen Z respondents reported that they had heard of malware, and only 38% had heard of phishing. By contrast, 72% of millennials have heard of malware and 65% of phishing.

Defending your enterprise against risks

You can’t control who is attacking you nor from which direction they are approaching, but there are several ways to reduce your organization’s exposure by taking such actions as conducting security risk assessments, identifying which risks are unique to your operation and conducting an asset inventory. To learn how to reduce security risks in your organization, download these best practices.