Plaintext: Security Rules to Prevent Zombie IoT
Source: Jakub Żerdzicki (@jakubzerdzicki) via Unsplash.com


Welcome to Dark Reading in Plaintext, brought to your inbox this week by Axonius. In this issue of Plaintext, we look at the latest push to define security rules and regulations around the Internet of Things, specifically how to handle devices that have reached end-of-life. We also look at some of the eye-opening data points from the FTC regarding consumer fraud and losses. If you enjoy Plaintext, please share with friends and colleagues!

No More Zombies. Devices that reach end-of-life (EoL) pose serious risks to organizations and individuals. They no longer receive support or security updates from the manufacturer, yet they remain online, so any vulnerability discovered after the last patch stays open for good. Attackers infect these older devices with malware and take control of them. Each individual device is small, but harnessed together into large botnets, they can be used to carry out devastating attacks. Securing the Internet of Things is increasingly important, and so is knowing what to do with EoL devices.

The latest initiative, a joint effort led by Consumer Reports, Secure Resilient Future Foundation and US PIRG, is a model bill calling on vendors and internet service providers to be more proactive about communicating when devices reach end-of-life status, and what to do with those devices. At the moment, manufacturers don't have to disclose when devices reach end-of-life, and there is nothing stopping sellers from continuing to sell end-of-life devices. It is an impossible task for most buyers to know whether something is no longer supported, or will soon stop receiving support. The goal of the Connected Consumer Products End of Life Disclosure Act is to encourage state and federal lawmakers to enact legislation around IoT security and EoL communication. But the issue is wildly complicated.
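The disclosure bill addresses the vendor side of the problem; on the defender side, the practical check is to compare what is on the network against the support dates and final firmware versions the vendors do publish. The following is an added example, not code from Consumer Reports, the bill's authors, or any vendor: the device inventory, the EoL table and the dates are all constructed for illustration, and a real deployment would populate the table from vendor lifecycle pages or a CMDB.

```python
"""Flag IoT devices that are past or near vendor end-of-life, or that run
firmware older than the vendor's last release, from an asset inventory.

All vendor names, models, dates and firmware versions below are constructed
for this example; substitute real vendor lifecycle data in practice.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str


# Constructed lifecycle table: (vendor, model) -> (end-of-support date,
# last firmware the vendor shipped). Keys are normalized to lower case.
EOL_TABLE = {
    ("acme", "cam-200"): (date(2023, 6, 30), "2.4.1"),
    ("acme", "cam-300"): (date(2026, 1, 15), "3.1.0"),
    ("bolt", "plug-x"): (date(2025, 4, 1), "1.9"),
}


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1); non-numeric parts compare as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if firmware a is older than b; pads so '1.9' == '1.9.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def classify(device: Device, today: date, warn_days: int = 90) -> list:
    """Return the findings for one device.

    'unknown'        no lifecycle data; treat as unsupported until proven otherwise
    'past-eol'       vendor support has ended
    'eol-soon'       support ends within warn_days
    'stale-firmware' running something older than the vendor's last release
    'ok'             supported and on the latest firmware
    """
    key = (device.vendor.lower(), device.model.lower())
    if key not in EOL_TABLE:
        return ["unknown"]
    eol_date, last_firmware = EOL_TABLE[key]
    findings = []
    if today > eol_date:
        findings.append("past-eol")
    elif today + timedelta(days=warn_days) >= eol_date:
        findings.append("eol-soon")
    if version_lt(device.firmware, last_firmware):
        findings.append("stale-firmware")
    return findings or ["ok"]


def report(devices: list, today: date) -> dict:
    """Map hostname -> findings for a whole inventory."""
    return {d.hostname: classify(d, today) for d in devices}


# Constructed inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY = [
    Device("lobby-cam-1", "Acme", "CAM-200", "2.3.0"),
    Device("dock-cam-2", "Acme", "CAM-300", "3.1.0"),
    Device("lab-plug-7", "Bolt", "PLUG-X", "1.9"),
    Device("mystery-box", "NoName", "Z1", "0.1"),
]

if __name__ == "__main__":
    for host, findings in report(SAMPLE_INVENTORY, date(2025, 3, 20)).items():
        print(f"{host:14} {', '.join(findings)}")
```

Devices reported as `unknown` deserve the same treatment as `past-eol` ones: if nobody can say when support ends, the conservative assumption is that it already has, and the device belongs on a segmented network until the vendor data is found.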

"We have externalities associated with connected devices that are invisible to the consumer, an unwillingness or inability to price security into the cost of these products by manufacturers, and an active market for malware to infect these devices and use them for nefarious purposes," says Stacey Higginbotham, a policy fellow at Consumer Reports.

"The biggest cyber issues with EoL devices include lack of firmware updates, exposure to zero-day vulnerabilities, and the increased risk of supply chain compromise when acquiring hardware through unofficial channels." — Juan Carlos B. Armis

The IoT attack surface continues to grow as well amid a rising remote workforce where employee and corporate networks are connected. While EoL transparency is an important step, there are other IoT security initiatives, such as the White House-backed Cyber Trust Mark label to indicate a product has been developed with security in mind.


Dark Reading in Plaintext is brought to you by Axonius

Adapt in Action: Join the Global Cybersecurity Event Series

Meet Axonius and industry leaders in a city near you. Learn new tech, hear success stories and gain actionable insights to strengthen cybersecurity. Find your city and register today.


Latest Fraud Numbers From the FTC. Total losses due to fraud exceeded $12.5 billion in 2024, an increase of over $2 billion compared to the previous year, according to the Federal Trade Commission. Data collected from the FTC Consumer Sentinel Network show that of the nearly 6.5 million consumer reports filed in 2024, more than half involved fraud and identity theft. These numbers capture only a fraction of actual fraud losses, because victims tend to underreport these incidents.

About a third of the individuals reporting fraud said they lost money. Consumers lost $5.7 billion to investment scams and $2.95 billion to imposter scams. The imposter category includes romance scams as well as scams involving someone claiming to be a government employee or technical support staff. Bank transfers and payments were the most frequently used payment methods in fraud incidents that resulted in losses, totaling $2.09 billion in 2024. Cryptocurrency was not far behind, at $1.42 billion.


What We Are Reading

What We Heard On-Air

Tune in to our on-demand webinar Tips on Managing Cloud Security in a Hybrid Environment.

"...the 'one key to rule them all' problem..." —Jake Williams, Hunter Strategy

From Our Library

Check out some of the latest reports from our Dark Reading Library!

[Axonius] The State of Cyber Resilience

Tech Insight: EDR, SIEM, SOAR, and More: What's The Right Endpoint Strategy

Dark Reading Reports: Understanding Social Engineering Attacks, What to Do About Them

Dark Reading Reports: What Issues and Challenges Cybersecurity Pros Care About

Tech Insight: Building Blocks for Next-Gen Security Operations

On That Note

It's March Madness here in the US and that means filling out brackets. Bishop Fox has its own challenge, The 2025 Ultimate Red Team Tool Showdown. Check out the various pairings of offensive security tools and vote on the "winners" of each set. The categories are C2 Frameworks, Active Directory & Network Exploitation, Cloud & Identity Exploitation, and Developer Libraries & Evasion. Let the games begin!




Paul F. Roberts

Publisher: The Security Ledger; Director, Editorial & Content: ReversingLabs; Board Member: The Repair Association; Founder & President: Secure Repairs & Secure Resilient Future Foundation (SRFF); Runner; Dad.

2 days ago

Nice work - and thanks for the coverage!
