Quantum IoT Protection from Check Point identifies compromised connected devices

The Internet of Things is everywhere. From connected light bulbs to IP cameras, connected clothing, and even connected kitchen appliances, the Internet of Things offers many benefits to businesses of every kind, allowing employees to be more productive and to work in a more flexible, intuitive, and efficient way. These are among the reasons that IoT revenues are expected to reach $549 billion in 2022, and that the number of connected IoT devices is expected to reach 15.9 billion by 2030 (CompTIA).

However, the rush to bring this IoT technology to market also increases the cyber attack surface for organizations when the security of these assets is neglected. According to Gartner, more than 25% of all cyber attacks against businesses will involve the Internet of Things in some way.

This article provides a real-world example in which Check Point’s Quantum IoT Protect solution identified a compromised device and protected the organization from a potentially catastrophic cyber attack. But first, let’s quickly recall why these devices are weak by nature. To summarize a previous blog we posted on IoT devices a few months ago: IoT devices often come to market with inherent flaws that leave them insecure:

• A lack of standardization, which creates real chaos

• An inadequate security approach, including weak or non-existent passwords

• Outdated hardware, firmware or software that cannot be updated

• A growing number of devices, which expands the attack surface

Therefore, it is very easy for hackers to gain access to these devices and wreak havoc on them, or to pivot to other critical systems and steal the personally identifiable information (PII) of customers and employees, intellectual property, or other assets. Hackers can also take control of the network and demand a ransom. Their latest trick? Combining these strategies in a double-extortion attack that guarantees more attractive payouts.

How can Check Point help businesses?

Quantum IoT Protect technology allows customers to see all connected IoT devices on their network and to track the connections those devices make, both inside the network and out to the Internet. To do this, profiles are created based on an understanding of the expected behavior of each IoT device. Based on these profiles, customers benefit from zero-trust access policies that only allow the connections necessary for normal IoT operation. Any other connection is detected and blocked; for example, an attempt to connect to a suspicious Internet destination will be blocked.
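As an added illustration (this is not Check Point’s code, and it says nothing about how the product is implemented), the Python sketch below shows the idea in miniature: a per-device allowlist learned as a behavior profile, a detect-only discovery mode versus a block mode, and an alert when a device reaches several non-profile destinations within a short window, which is the pattern the customer story later describes. All device names, domains and thresholds are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed learned profile: the destinations each device contacts during normal
# operation (the "expected behavior" the text describes). All names are placeholders.
PROFILES = {"cam-01": {"ntp.example-vendor.test", "firmware.example-vendor.test"}}
# Constructed reputation list standing in for a real high-risk domain feed.
HIGH_RISK = {"bad1.test", "bad2.test", "bad3.test"}

@dataclass
class Verdict:
    ts: int
    device: str
    dest: str
    action: str   # "allow", "detect" (discovery mode only logs) or "block"
    reason: str

def evaluate(ts, device, dest, mode="detect"):
    """Zero-trust rule: only profile destinations are allowed; anything else is
    logged in discovery mode or dropped in block mode."""
    if dest in PROFILES.get(device, set()):
        return Verdict(ts, device, dest, "allow", "in profile")
    reason = "high-risk destination" if dest in HIGH_RISK else "outside profile"
    return Verdict(ts, device, dest, "block" if mode == "block" else "detect", reason)

def enforce(logs, mode="detect", window=300, burst=3):
    """Apply the rule to (ts, device, dest) records; raise one alert per device each
    time it reaches `burst` distinct non-profile destinations within `window` seconds."""
    verdicts, alerts = [], []
    recent = defaultdict(list)              # device -> [(ts, dest)] outside profile
    for ts, device, dest in logs:
        v = evaluate(ts, device, dest, mode)
        verdicts.append(v)
        if v.action == "allow":
            continue
        hits = recent[device]
        hits.append((ts, dest))
        hits[:] = [h for h in hits if ts - h[0] <= window]   # forget stale hits
        domains = sorted({d for _, d in hits})
        if len(domains) >= burst:
            alerts.append({"device": device, "first_ts": hits[0][0], "last_ts": ts,
                           "domains": domains, "mode": mode})
            hits.clear()                    # one alert per burst, not per packet
    return verdicts, alerts

# Constructed traffic: the camera talks to its vendor, then bursts to three
# high-risk domains in 20 s, then looks quiet again (as in the customer story).
SAMPLE_LOGS = [(1000, "cam-01", "ntp.example-vendor.test"), (1010, "cam-01", "bad1.test"),
               (1020, "cam-01", "bad2.test"), (1030, "cam-01", "bad3.test"),
               (2000, "cam-01", "firmware.example-vendor.test")]
```

Running `enforce(SAMPLE_LOGS, mode="detect")` produces the same alert as block mode but leaves every action at "detect", which is exactly the gap a detect-only deployment leaves open.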

Now that we have a basic understanding of how and why, here’s what happened in this specific use case.

What happened?

(Out of respect for the customer, we will keep their name anonymous and refer to them simply as the “Customer”.)

Quantum IoT Protect was deployed in the customer’s network and began to discover and identify all connected IoT devices. Since this was their first experience with IoT Protect, the customer chose to install the security policies in discovery mode only, rather than enabling the solution to actually block suspicious traffic.

For several weeks, no suspicious activity or incident was detected, until the customer noticed that Quantum IoT Protect had flagged an IoT device that had communicated with several suspicious domains within a short period of time. The customer then observed that the device had stopped connecting to suspicious domains, and therefore decided to simply continue monitoring its logs.

At this point, the customer chose not to take any further action, believing that everything was back to normal. This decision is understandable, as the system had been virtually “silent” for two weeks, showing no abnormal activity from the IoT device.

However, after two weeks of inactivity, the same device showed up again, and this time it started communicating with dozens of suspicious domains on the Internet. That’s when the customer realized something was wrong and decided to contact the IoT team at Check Point for further assistance.

Early in the investigation, the Check Point team determined that the device was communicating with several domains that were categorized as high risk. Further investigation of these events concluded that the device was communicating with one or more command and control (C&C) servers.

The response team confirmed that this IoT device was infected with Mirai crypto-mining bots. Further analysis of the logs revealed exactly how the device was infected and identified the different stages of the infection, which helped the customer understand where they stood in the cybercriminals’ timeline.

Lessons learned

At the beginning of this story, we described how the customer installed Quantum IoT Protect and why it was only running in detection mode. In other words, the customer had not actually enabled the protections that would have allowed them to secure their IoT devices.

The customer simply did not want to disable or “break” the functionality of the device. This fear is very common and understandable: IoT devices simply don’t come with well-defined instructions indicating which connections should be allowed for normal operation and which should be blocked by default. With its Quantum IoT Protect solution, Check Point addresses this legitimate concern.

Quantum IoT Protect technology provides customers with zero-trust, autonomous access policies that automatically secure IoT devices without disrupting or interrupting their normal operation. To take full advantage of their IoT devices without additional security risk, customers can safely choose to deploy Quantum IoT Protect in block mode.

Our customer story ends on a positive note: Quantum IoT Protect blocked the infected device’s connections to the command and control servers, and the infected device was cleaned up and reconnected to the Internet.
