The Akira IoT Device Attacks Aren’t Just About THAT Device
Protecting internet-of-things (IoT) devices is not easy. With few exceptions, you can't take the traditional endpoint protection approach and install a local agent on the device. Proprietary operating systems and firmware in many cases preclude installing an agent at all. Even when the device runs embedded Linux or a Windows embedded OS, standard endpoint defenses aren't available either, because those images are locked down and require complicated processes to update. That leaves you with network defenses, and if you haven't taken the time to lay out a network segmentation strategy (VLANs alone don't cut it; you need to filter the traffic that crosses segment boundaries), your organization is still vulnerable to an attack launched from a compromised IoT device.
IoT-based attacks come in many forms, but one that exploits this lack of proper network segmentation is lateral movement. The damage is compounded when the compromised device isn't just a DDoS node but starts delivering a payload. We saw this in late 2024 with the Androxgh0st botnet, and this type of attack should worry security practitioners, because it uses devices that can't be protected locally to deliver exploits inside your enterprise.
The most recent Akira attack started with a compromised remote access solution and then tried to hit traditional endpoints with a ransomware payload. When an endpoint detection and response (EDR) solution detected and blocked that attempt, Akira turned to unprotected IoT devices and used them to conduct a network-based encryption attack against the endpoints: the encryption ran from a device no EDR agent could see and reached the endpoints' files over the network. This type of attack exposes a common flaw in network design: once I'm "in the enterprise," I'm considered a trusted device and have unfettered access to every other device within it. While this approach is inconsistent with Zero Trust principles, many enterprises continue to take it because the alternative is a lot of work.
Tough.
Blaming the victim is never a pretty thing, but sometimes you have to call it as you see it.
Looking at the Akira attack, if proper network segmentation had been in place, those IoT devices would have been able to talk internally only to their approved workloads and externally only to the internet properties required for the device's daily operation. That requires a lot of network policy control and, with newer devices, possibly local policy control as well. The IoT webcams could still be compromised, but the blast radius of the attack would be limited to the data or application servers receiving their video streams, and if Zero Trust principles are followed, even those servers would accept only the expected video data streams from the cameras and refuse anything else the camera sent, remote encryption commands included.
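To make the difference between "VLANs alone" and real segment-boundary filtering concrete, here is an added example, not code from the original article: a small Python audit script that models both designs as policy functions and runs them over a handful of constructed flow records shaped like the Akira chain described above (camera still streaming video while the attacker uses it to reach endpoints). The address plan, segment names, ports, vendor-cloud range and every flow record are assumptions made up for illustration; the article does not name the protocol the webcams used to encrypt, so SMB on TCP 445 is assumed here as the remote-encryption path.

```python
# Added example, not code from the original article. Address ranges, segment
# names, ports and the flow records below are constructed assumptions; the
# article does not name the encryption protocol, so SMB (TCP 445) is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Hypothetical address plan: each segment is its own VLAN/subnet.
SEGMENTS = {
    "iot_cameras":  ip_network("10.40.0.0/24"),
    "video_ingest": ip_network("10.20.5.0/28"),    # NVR / video application servers
    "workstations": ip_network("10.10.0.0/16"),
    "file_servers": ip_network("10.20.10.0/24"),
    "vendor_cloud": ip_network("203.0.113.0/24"),  # stands in for the camera vendor's cloud service
}
INTERNAL = ip_network("10.0.0.0/8")

# Allow-list enforced at segment boundaries (the "proper segmentation" design):
# (src segment, dst segment, proto, dport). Anything not listed is dropped.
SEGMENTED_POLICY = {
    ("iot_cameras", "video_ingest", "tcp", 554),   # RTSP video streams to the ingest hosts
    ("iot_cameras", "vendor_cloud", "tcp", 443),   # firmware/cloud check-in the device needs
    ("workstations", "file_servers", "tcp", 445),  # users reaching their file shares
}


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def allowed_flat(flow: Flow) -> bool:
    """The flat design: once a source is inside the enterprise it may reach anything."""
    return ip_address(flow.src) in INTERNAL


def allowed_segmented(flow: Flow) -> bool:
    """The segmented design: only explicitly approved (src, dst, proto, port) tuples pass."""
    return (segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport) in SEGMENTED_POLICY


def audit(flows, policy):
    """Return the flows a given policy would have blocked."""
    return [f for f in flows if not policy(f)]


def lateral_from_iot(flows):
    """Detection rule for a network that cannot yet enforce the policy: flag any
    camera-sourced flow to an internal host that is not a video ingest server."""
    return [
        f for f in flows
        if segment_of(f.src) == "iot_cameras"
        and ip_address(f.dst) in INTERNAL
        and segment_of(f.dst) != "video_ingest"
    ]


# Constructed flow records (not real telemetry) modelling the attack chain.
FLOWS = [
    Flow("10.40.0.23", "10.20.5.4", "tcp", 554),     # camera -> ingest server: legitimate
    Flow("10.40.0.23", "203.0.113.10", "tcp", 443),  # camera -> vendor cloud: legitimate
    Flow("10.10.7.15", "10.20.10.8", "tcp", 445),    # workstation -> file server: legitimate
    Flow("10.40.0.23", "10.10.7.15", "tcp", 445),    # camera -> workstation share: encryption path
    Flow("10.40.0.23", "10.20.10.8", "tcp", 445),    # camera -> file server share: encryption path
    Flow("10.40.0.23", "10.10.7.16", "tcp", 3389),   # camera -> another workstation: RDP probe
]

if __name__ == "__main__":
    print("flat design blocks:     ", audit(FLOWS, allowed_flat))       # nothing at all
    print("segmented design blocks:", audit(FLOWS, allowed_segmented))  # the three attack flows
    print("detection hits:         ", lateral_from_iot(FLOWS))
```

The flat policy blocks none of the six flows, which is exactly the "trusted once inside" behaviour the article criticises; the segmented allow-list blocks the three camera-to-endpoint flows while leaving the camera's video stream and vendor check-in untouched. In practice the allow-list lives in the firewall or ACL between VLANs, and `lateral_from_iot` is the shape of the rule you would run over flow logs in the meantime: a camera that opens SMB or RDP to anything other than its ingest server has no legitimate reason to do so.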
Protecting IoT devices is not like protecting Windows or Mac desktops. On devices that run on harvested energy (vibration-powered sensors, for example), the resources needed to run a local agent that analyzes threats against the endpoint simply aren't there. Edge, network, and gateway security devices are critical parts of an IoT security design, and with them, proper segmentation that limits the data flows into and out of each device is what protects your enterprise from attack and prevents malicious actors from extracting critical information from your organization.