Study: Consumer security knowledge lags far behind the IoT threat landscape
A new Comcast study suggests a major risk to businesses, governments and public systems due to poor cybersecurity in the booming Internet of Things industry.
With the rapid expansion of Internet-connected devices, both consumer and industrial, the cyber threat landscape is growing faster than the ability of individuals to keep up. Consumers’ ability to notice threats, much less defend against them, is lagging behind. Consumer indifference to securing their online touchpoints brings risks to commerce as well as to public and private infrastructure and systems.
Comcast’s biennial report on consumer cyber health, the 2022 Xfinity Cyber Health Report, found that there are an average of 15 connected devices per household, a 25% increase from 2020, with “power users” having as many as 34.
Home IoT: Backdoor to infrastructure attacks
The implications aren’t just dire for individuals: Vulnerabilities at any node, whether a home climate control system, car or major appliance, can serve as entry points for threat actors, according to Yury Dvorkin of Johns Hopkins University’s Ralph O’Connor Sustainable Energy Institute, an expert on power infrastructure and cyber-physical resilience.
“The hypothesis that such IoT devices can be hacked at scale is something that underpins our work on EV security,” said Dvorkin.
Dvorkin co-authored research on how electric cars and other high-power devices can be vulnerable to demand-side cyberattacks with implications for the grid. This is because they have IoT communication and control interfaces, including integration with smartphone apps.
The poster child for IoT vulnerabilities may well be the infamous Mirai botnet, which in 2016 infected over half a million IoT devices that used factory default authentication credentials. The resulting DDoS attack on the Dyn DNS provider temporarily took down Airbnb, PayPal and Twitter, costing Dyn about 8% of its customers.
“An attacker could potentially alter the power consumption of compromised IoT-controlled loads to maliciously cause load shedding, reduce safety margins, or even trigger a cascading failure,” Dvorkin said.
Why you’re underestimating your cybersecurity risk
Noopur Davis, head of information security and product privacy at Comcast, wrote in the study that the rapid cultural shift to remote and hybrid work and the development and growth of the IoT have “continued to blur the lines between our professional and private lives, which – unwittingly for many – creates new vulnerabilities and openings for cybercriminals” (Figure A).
The paper, which combines data from a new consumer survey with threat data collected by Comcast’s Xfinity xFi Advanced Security platform, found:
- 58% of respondents reported that they plan to purchase at least one connected device during the upcoming holiday shopping season.
- 61% either somewhat, strongly or completely (incorrectly) believe that new smart home devices are protected against most cyber threats by default.
- 78% of respondents admitted to risky online behaviors that open them up to cyber threats, such as reusing or sharing passwords and skipping software updates, up 14% from just two years ago.
- When asked how quickly they would know if they were the victim of a cyberattack, only 20% answered immediately, while about a third (32%) of consumers said they are not sure they would ever know if they were a victim of a cyberattack, and 51% of respondents noted that they are not entirely sure they would know if a non-display device was hacked.
- Three-quarters of Americans mistakenly believe fewer than 10 attacks hit their home network each month. Comcast reported that security protocols block an average of 23 unique threats per household each month, with the total number of attacks actually landing at three to four times that number, meaning many attacks are repeated.
On the plus side, the study found an improvement in people’s overall awareness of threats: In the 2020 study, 53% of respondents had heard of phishing, but only 28% thought they could confidently describe what it is. In the new survey, 71% of respondents said they have heard of phishing, and 39% said they would be able to explain it confidently (Figure B).
Generational differences in personal cybersecurity
Nearly three-quarters of baby boomers said they take risks such as reusing passwords and declining multi-factor authentication, but 80% of Generation X, 82% of millennials and 87% of Generation Z said the same.
Just over three-quarters of millennials surveyed said they are most likely to buy a smart device this holiday season, including new smartphones, laptops and gaming consoles. Only 56% of Gen Z respondents reported having heard of malware, and only 38% had heard of phishing. In contrast, 72% of millennials have heard of malware and 65% of phishing.
Defend your business against risk
You can’t control who is attacking you and from what direction they are approaching, but there are several ways to reduce your organization’s exposure by taking such actions as performing security risk assessments, identifying which risks are unique to your business, and conducting an asset inventory.