Pajama-Clad Security: The Cyber Risks of Working from Home

A year ago, we would step into the office each morning, swipe our badge at reception, pass the security cameras, and sit down at our desks beside our colleagues. The safety-savvy IT department — home to complex security technologies, bottomless coffee cups and handy tips — was mere steps away.

Today, we skip the commute and the morning chit chat, and fire up our computers from our kitchens or living rooms. In so doing, we up-end years of well-honed corporate security practices. And we face the trickery of phishing and ruthlessness of ransomware while still battling the fog of sleep.

Even worse, our home networks are generally less equipped to meet the demands of constant connection to the office, with its flow of proprietary information, customer secrets and sensitive data. The protection we rely on at home comes in the form of antivirus and maybe a VPN. These security tools, though, are added on top of a network typically consisting of a mix of old and new hardware jumbled together.

Home infrastructure staggered last year under the sudden load increase as government-imposed lockdowns prompted a surge in network traffic, with peaks in April and November. On top of the new demands of working from home, people started spending more of their free time online too.

After a tumultuous 2020 and the chaos unleashed by COVID-19, enterprises in 2021 are now starting to realize that they must close the considerable cybersecurity gaps of living room-based hardware.

Some fixes, though, are only possible in the long term, such as improved industry-wide regulation. Some quicker fixes do exist. For example, ISPs are discovering they could implement security solutions directly in customers’ routers. Even that, though, won’t address the problem overnight.

Unpatched Home Routers

A quest for a solution must start by examining the most serious problems. A 2020 study by the Fraunhofer Institute found that home router security is even worse than people imagined.

Researchers analyzed 127 routers from various vendors. They fully extracted 117 of the 127 firmware images; four images were extracted partially, and six couldn’t be extracted at all. Ninety-one percent of all routers were powered by Linux.

Of the 127 routers, 45 had no updates in the previous year, and many were afflicted by hundreds of vulnerabilities. Twenty-two had no update in two years, and at least one hadn’t received a single update in five years.

Such routers are common in people’s homes. And now they are tasked with protecting employees when they connect to the company’s infrastructure from home. The same network also hosts other home devices, such as other laptops and PCs, smartphones, consoles, smart TVs and security cameras.

Misconfiguration Is a Hacker’s Best Friend

A work computer may be more secure than a personal one, but it still resides in a dangerous neighborhood. Attackers often use lateral movement inside a network to pivot to other devices after compromising more exposed hardware.

As if the security problems in people’s homes weren’t enough, misconfigurations at the company level present another rash of threats. In many situations, enterprise security policy is confusing and scattered, allowing unsecured Remote Desktop Protocol (RDP) sessions or permitting users to run macros, one of hackers’ main tools.

According to Bitdefender telemetry, malicious actors gain entry through endpoint misconfigurations 27 percent of the time. Issues related to accounts, password storage and password management are among the most common problems, but internet settings come a close second.

The most significant issue employees face is phishing. People working in their pajamas might not be as acutely aware of the threats lurking in their email client. When the pandemic hit, malicious campaigns proliferated, particularly phishing and business email compromise attacks. Some 86 percent of companies say that attacks are rising. More worrisome, 43 percent of global employees are not sure what a phishing attack is.

Even Garage Doors Can Present a Risk

Many of these issues don’t require massive cybersecurity investments. Organizations could solve them with employee training, helping staff spot phishing emails and teaching them about the perils of a modern smart home.

Bitdefender’s telemetry shows the most common vulnerabilities in people’s homes affect NAS devices, media players, smart TVs, IP cameras, routers, streaming devices, home monitoring systems, and even seemingly innocuous devices like garage doors.

The most common vulnerability, by far, is denial of service, which attackers use to disrupt a particular service or functionality. Buffer overflow vulnerabilities are also common, affecting a quarter of monitored IoT devices, along with memory corruption and privilege escalation.

Since most homes are now full of these smart devices, they harbor various vulnerabilities. The only way to find, and possibly mitigate, them is via endpoint risk analytics and a powerful security solution to lord over the home network.

There’s no silver bullet, but using the right tools in the right place can help restore security to the level of the old days of subway rides, badge swipes and morning chit chat at the office.

To do even better than that, companies must remember, even in this era of social distancing and face masks, that people are their main asset. Employees who are competently educated on security matters are the closest to bullet-proof that a company can come.

Even if those employees work in their pajamas.