
The Invisible Attack: Why Edge Devices Are a Hackers' Favourite Target...

Edge devices are hackers' favourite target precisely because nobody's watching them. Find out why IoT visibility gaps are putting organisations at risk


By Lara Hellman, Staff Product Manager


Lara Hellman is Staff Product Manager at Wireless Logic, leading strategy and development for the company's security products and customer platforms. She has spent a career of over 20 years in software development across SaaS and cybersecurity — and has a particular obsession with the security challenges that live outside the traditional perimeter.


The best parasites don't kill their hosts. They move in quietly, make themselves comfortable, and carry on entirely undetected, helping themselves to whatever they want, while the host goes about its day completely unaware anything has changed.

That, in a nutshell, is what's happening right now inside thousands of organisations' edge environments and devices.

A compromised IoT device, such as a smart camera, a logistics sensor or an EV charging point, will in most cases keep doing exactly what it's supposed to do. It'll report its readings. It'll check in on schedule. From the outside, everything looks fine. What you can't see is that somewhere in the background, it's also quietly participating in a botnet, harvesting credentials, or feeding an attacker a steady stream of operational intelligence about your business. And it's been doing it for months.

This is the invisibility problem. And it's bigger than most organisations realise. 

How did we get here?

For years, cybersecurity was built around a fairly straightforward idea: protect the perimeter. Secure the data centre. Lock down the corporate LAN. Put decent software on the laptops. That model worked reasonably well when most of what mattered sat inside a defined boundary.

But modern architectures don't work that way anymore. Today's organisations have hundreds, or sometimes thousands, of devices operating well outside that boundary.  

EV charging infrastructure. Medical monitoring equipment. Retail systems. Industrial sensors. Smart cameras. Logistics trackers. These are all 'edge devices': things that live out in the world, not in your safe, protected buildings, and they all need to connect back to the centre to do their jobs. They're functional, they're distributed, and in the vast majority of cases, they're essentially invisible to the security teams responsible for protecting the organisation.

That invisibility wasn't intentional. The devices were designed to work, not to be watched, but now that's a flaw.

The trifecta that attackers love

From an attacker's perspective, edge and IoT devices combine three extraordinarily attractive qualities.

The first is scale. We're talking about millions of devices globally, and even within a single organisation, potentially thousands of individual attack surfaces. That scale alone changes the maths entirely. Once you're past a couple of hundred devices, the question stops being if you'll be attacked and becomes when. It's arithmetic, not pessimism.


The second is inconsistency. Even two identical devices from the same manufacturer, deployed six months apart, may be running different firmware.

Multiply that across dozens of hardware vendors with different update policies, some of whom will push a firmware patch without warning you, and you've got an environment that's almost impossible to keep uniformly patched and secured.

The knee-jerk operational response, understandably, is to disable automatic firmware updates to avoid unexpected downtime. Which is, of course, precisely what attackers are hoping for.


The third is invisibility. These devices don't generate the kind of telemetry that security teams are used to working with. Your laptop checks in constantly, whether that's battery health, memory usage, installed software, or other behavioural signals. Edge devices don't do that.

They check in when they have data to report, not to say "I'm here, I'm healthy, here's what's been happening." And because they often run on stripped-down or proprietary operating systems that the traditional security solution vendors just don't support, you can't put a normal security agent on them even if you wanted to.


The result: a vast, distributed, inconsistent fleet of devices that nobody's really watching…

Mirai: the wake-up call we're still ignoring

In 2016, a piece of malware called Mirai brought down a significant chunk of the internet. Twitter. Netflix. Reddit. GitHub. Unavailable for hours across large parts of the US and Europe.

What made Mirai remarkable wasn't its sophistication. It didn't use zero-day exploits or advanced techniques. It simply scanned the internet continuously for IoT devices still running default credentials, compromised them automatically, and recruited them into an enormous botnet. The scale of what it assembled, which was hundreds of thousands of devices, produced a DDoS attack nobody had the infrastructure to absorb.

The lesson was stark: attackers don't need to be clever if the ecosystem is careless. Default passwords, outdated firmware, no oversight - that's all it takes.

Nearly a decade on, many of those same conditions still exist. Some of those original Mirai-era devices are still running, still operational, possibly still carrying the same vulnerabilities. Long-lived operational environments, such as industrial systems, healthcare infrastructure and utilities, replace hardware infrequently. And the devices themselves are often supplied with layered, complex software stacks: third-party firmware, embedded Linux distributions, open-source libraries, cloud APIs from multiple vendors. Somewhere in that stack, there may be hard-coded credentials, undocumented debug interfaces left over from development, or legitimate vendor telemetry pathways that an attacker can piggyback on. The organisation didn't create these risks. They inherited them.

The visibility gap CISOs can't afford

The role of a CISO has shifted considerably in the last few years. It used to be a case of: prevent malware. Now it's: maintain operational resilience, manage regulatory compliance, protect customer trust, and enable digital transformation, and do all of this simultaneously, continuously, across an environment that's expanding in every direction. A little bit exhausting!

Edge devices make all of that harder. Not just because they're difficult to secure, but because most organisations don't have the visibility to know what normal looks like for them in the first place. And if you don't know what normal looks like, you can't spot abnormal.

Security teams may know a device exists. But do they know which IP addresses it normally communicates with? How much traffic it sends? Which protocols it uses? Whether the slight uptick in outbound connections at 3am on a Tuesday is fine, or is lateral scanning?

In many cases, no. They don't. And that's what keeps the attack invisible.

A compromised device that's still doing its job gives you no obvious signal. The malware is designed that way. Disrupting normal operations would be like raising a flag. So it doesn't. It just quietly gets on with whatever it's been told to do in parallel.

The practical implication is that if you're relying on "it's still working" as your primary indicator of "it's not compromised," you're working from a flawed assumption.

What good looks like

In environments where you can't deploy agents (and for IoT and edge, that is essentially all of them), the network becomes your primary observation point. It may be your only one.

That means understanding what each device's normal behaviour looks like: who it talks to, when, how much, using which protocols. Build that baseline, and suddenly you have something to compare against. Unexpected outbound connections to unfamiliar IP addresses. Lateral scanning. Unusual DNS requests. A sudden increase in traffic volume with no operational explanation.

None of those things are definitive on their own. But they're signals, and right now most organisations aren't collecting them.
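To make the baselining approach above concrete, here is an added example in Python; it is illustrative code written for this article, not part of the original post or of any Wireless Logic product. It learns a per-device baseline (peers, DNS names, hourly byte volume) from constructed flow records covering a 24-hour learning period, then evaluates a second, constructed batch of flows against that baseline and emits the four signals named above: unexpected outbound peers, lateral scanning, unusual DNS requests, and a volume spike. The flow-record fields, the 10.0.0.0/8 internal range, the device addresses and the thresholds are all assumptions chosen for the example.

```python
"""Network-behaviour baselining for agentless edge devices (added example).

Flow records are plain dicts with constructed fields:
  ts (epoch seconds), src, dst, dport, proto, bytes, dns_qname (optional).
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumption for the example: everything in 10.0.0.0/8 is "internal".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WINDOW = 3600  # one-hour buckets


@dataclass
class Baseline:
    peers: set = field(default_factory=set)      # (dst, dport, proto) seen in learning
    domains: set = field(default_factory=set)    # DNS names queried in learning
    hourly_bytes: list = field(default_factory=list)  # bytes per hour in learning


def learn_baseline(flows):
    """Build a per-device baseline from flows seen during a learning period."""
    baselines = defaultdict(Baseline)
    buckets = defaultdict(Counter)  # src -> {hour: bytes}
    for f in flows:
        b = baselines[f["src"]]
        b.peers.add((f["dst"], f["dport"], f["proto"]))
        if f.get("dns_qname"):
            b.domains.add(f["dns_qname"])
        buckets[f["src"]][f["ts"] // WINDOW] += f["bytes"]
    for src, hours in buckets.items():
        baselines[src].hourly_bytes = list(hours.values())
    return dict(baselines)


def detect(flows, baselines, scan_threshold=5, volume_factor=3.0):
    """Compare new flows with the baseline; return (src, signal, detail) tuples."""
    findings = []
    per_src = defaultdict(list)
    for f in flows:
        per_src[f["src"]].append(f)
    for src, fl in per_src.items():
        b = baselines.get(src)
        if b is None:
            findings.append((src, "unknown_device", "no baseline for this source"))
            continue
        # 1. Outbound connections to peers never seen during learning.
        seen_new = set()
        for f in fl:
            key = (f["dst"], f["dport"], f["proto"])
            if key not in b.peers and key not in seen_new:
                seen_new.add(key)
                findings.append((src, "new_peer", f"{f['dst']}:{f['dport']}/{f['proto']}"))
        # 2. Lateral scanning: many distinct internal hosts on one port in a window.
        hosts_per_window_port = defaultdict(set)
        for f in fl:
            if ipaddress.ip_address(f["dst"]) in INTERNAL:
                hosts_per_window_port[(f["ts"] // WINDOW, f["dport"])].add(f["dst"])
        for (_, port), dsts in hosts_per_window_port.items():
            if len(dsts) >= scan_threshold:
                findings.append((src, "lateral_scan", f"{len(dsts)} hosts on port {port}"))
        # 3. DNS queries for names the device has never asked for before.
        for f in fl:
            q = f.get("dns_qname")
            if q and q not in b.domains:
                findings.append((src, "new_domain", q))
        # 4. Hourly volume beyond mean + k * stddev of the learning period.
        if b.hourly_bytes:
            limit = mean(b.hourly_bytes) + volume_factor * pstdev(b.hourly_bytes)
            volume = Counter()
            for f in fl:
                volume[f["ts"] // WINDOW] += f["bytes"]
            for _, total in sorted(volume.items()):
                if total > limit:
                    findings.append((src, "volume_spike", f"{total} bytes vs limit {limit:.0f}"))
    return findings


def _flow(ts, src, dst, dport, proto, nbytes, qname=None):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes, "dns_qname": qname}


def sample_learning_flows():
    """Constructed 24h of normal traffic for one camera: cloud upload + one DNS name."""
    cam, cloud, dns = "10.0.1.20", "203.0.113.10", "10.0.0.53"
    flows = []
    for h in range(24):
        flows.append(_flow(h * WINDOW, cam, dns, 53, "udp", 200, "cam-cloud.example.net"))
        flows.append(_flow(h * WINDOW + 5, cam, cloud, 443, "tcp", 40000 if h % 2 == 0 else 60000))
    return flows


def sample_new_flows():
    """Constructed day-two traffic: normal upload plus four suspicious behaviours."""
    cam, cloud, dns = "10.0.1.20", "203.0.113.10", "10.0.0.53"
    t = 25 * WINDOW
    flows = [_flow(t, cam, dns, 53, "udp", 200, "cam-cloud.example.net"),
             _flow(t + 5, cam, cloud, 443, "tcp", 50000),
             _flow(t + 30, cam, "198.51.100.7", 4444, "tcp", 1500)]          # unfamiliar peer
    flows += [_flow(t + 60 + i, cam, f"10.0.1.{21 + i}", 22, "tcp", 200) for i in range(5)]  # scan
    flows.append(_flow(t + WINDOW, cam, dns, 53, "udp", 300, "update-xyz.example.org"))  # new name
    flows.append(_flow(t + 2 * WINDOW, cam, cloud, 443, "tcp", 400000))      # volume spike
    return flows


def run_example():
    return detect(sample_new_flows(), learn_baseline(sample_learning_flows()))


if __name__ == "__main__":
    for src, signal, detail in run_example():
        print(f"{src}\t{signal}\t{detail}")
```

As the text says, none of these signals is conclusive alone; in practice the learning window, the scan threshold and the volume factor are tuned per device class, and a finding is a prompt for investigation rather than an automatic verdict.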

The encouraging news is that behavioural monitoring at network level also happens to be one of the most practical ways to demonstrate compliance with regulations and frameworks like NIS2, ISO 27001, and PCI DSS 4.0, which don't always spell out exactly how you achieve visibility into distributed environments, but which make it essentially impossible to demonstrate compliance without it.

The edge attack surface isn't going away. If anything, it's growing! There are more devices, more distribution, more complexity. The organisations that get ahead of it won't necessarily be the ones who secure every device perfectly. That's arguably impossible at scale. They'll be the ones who achieve continuous behavioural visibility across their fleet, so that when something changes, they know about it.

Because you can't defend what you can't observe. And right now, most of what's at the edge is invisible.

Lara Hellman is Staff Product Manager for Cyber Security Products at Wireless Logic.


Wireless Logic's Anomaly and Threat Detection is built specifically for the security challenges of IoT and edge environments. Agentless for quick deployment.
