The proliferation of Internet of Things (IoT) devices has led to a slew of security and privacy challenges, as highlighted by Bitdefender and NETGEAR. A recent report, drawing data from 3.8 million homes and 50 million IoT devices, documented a staggering 9.1 billion security events over a year-long period.
The escalating number of connected devices, estimated at over 15 billion globally, has vastly expanded the potential attack surface. Vulnerabilities in IoT frameworks, such as those identified in the ThroughTek Kalay platform, pose significant risks for millions of users, potentially exposing them to privacy breaches.
The average household now boasts 21 connected devices, with home networks enduring more than 10 attacks per day, a noticeable uptick from the previous year’s figure of 8 attacks. In 2023, a surge in vulnerabilities was detected in TV sets, smart plugs, and digital video recorders. TVs, in particular, are prone to vulnerabilities, primarily due to their extended lifespan and manufacturers discontinuing support prematurely while devices are still in active use.
Similarly, smart plugs and DVRs exhibited notable vulnerability counts relative to their device populations. Despite serving as convenient additions to smart home setups, smart plugs’ vulnerability count underscores potential security weaknesses in seemingly harmless devices. In the case of DVRs, vulnerabilities raise concerns about the security of video surveillance systems commonly utilized in residential and commercial settings.
Highlighting the critical need for manufacturers to prioritize security in the design and production of such devices, these findings underscore the integral role of security in modern connected environments. A separate study by Bitdefender revealed that a significant proportion (78.3%) of respondents utilize mobile devices for sensitive transactions, yet a concerning 44.5% do not employ any mobile security solutions, leaving them vulnerable to malware, phishing, and data breaches.
In response to the escalating risks related to IoT security deficiencies, the US government has introduced the Cyber Trust Mark, a certification aimed at assisting consumers in identifying IoT devices meeting stringent security standards. These standards encompass robust credentials, regular updates, and data protection to ensure the security of connected devices. While the trust mark aims to guide consumers towards selecting secure IoT products, its widespread implementation remains a work in progress, thereby emphasizing the continued individual responsibility for IoT security.
Certain industries or product categories adhere to enhanced security standards and practices, resulting in reduced vulnerability counts. For instance, devices classified under “Home Automation” may exhibit relatively fewer vulnerabilities due to standardized security protocols and certifications within the home automation sector. The prevalence of vulnerabilities also varies based on manufacturers’ adherence to security practices during the design, development, and updating processes.
Denial of service (DoS) attacks emerged as the most common vulnerability type across diverse device categories, with notable percentages witnessed in TV sets, smart plugs, DVRs, routers, and set-top boxes. This underscores the widespread prevalence of DoS vulnerabilities that compromise the availability and functionality of connected devices. While memory corruption vulnerabilities are less frequent than overflow and DoS vulnerabilities, they remain a significant concern given their ability to exploit weaknesses in memory management systems, potentially leading to arbitrary code execution attacks.
Furthermore, 99% of IoT exploitation attempts hinge on known Common Vulnerabilities and Exposures (CVEs), underscoring the paramount importance of deploying patches and running the latest software versions. Only a fraction of attacks leverage vulnerabilities such as weak passwords or plaintext authentication, highlighting the critical need for robust security practices in the evolving IoT landscape.