It is now an undeniable fact that smart technology has invaded almost every aspect of our life. Ranging from self-driving cars to smart vending machines and self-driving cars, our homes and workplaces are occupied with internet-connected devices. Taking into account the speed we are going at, businesses are constantly endeavouring to connect everything virtually. To put things into perspective, in 2017 the worldwide market for the Internet of things (IoT) touched $100 billion in revenue and it is suggested that this will reach $1.6 trillion in the forthcoming future.
Nevertheless, there is an often-unheeded threat involved with extensively and rapidly embracing these technologies: the supplementary attack routes they open to cybercriminals.
IoT Devices and Threats:
Cyber attacks implicating IoT devices are rising at an unparalleled rate. Our hyper-connectivity and dependence on IoT devices offer innumerable conveniences, but they also generate cyber security blind spots through enterprises and consumer markets.
IoT devices are usually often not designed with security in mind. They are adaptable, yet susceptible. Designed with constrained security controls, these devices are frequently targeted by cybercriminals and utilized to initiate attacks on other parts of the networks connected to these. A lone threat to any part of the system can put the entire network in danger.
As an example, in 2016, by using and exploiting the susceptibilities in IoT devices such as DVRs and digital cameras, the Mirai botnet instigated the largest ever DDoS (distributed denial of service) attack. Upon becoming infected with Mirai, computers would repeatedly search the internet for susceptible IoT devices and then infect them with the malware.
More recently in 2019, the Amazon Ring faced a cyber security breach when hackers were able to access Ring’s smart security devices. Unapparent to the users, hackers accessed their Ring devices to watch and even communicate with people. This is an absolute example of bad actors taking benefit of vulnerabilities in IoT devices.
Why are IoT devices so vulnerable?
While IoT devices are not essentially new, they are still in their relatively early stages, and some industries are only just starting to use them. Nevertheless, this has not stopped internet-connected devices from becoming increasingly popular day by day. They are quickly espoused for the conveniences they deliver, even if users do not fully appreciate the dangers involved.
IoT devices are characteristically built with convenience-first-design philosophy, not security-by-design ideology. Therefore these devices are easy targets for hackers who can use them as bridges to other parts of the network, and this is why threats to IoT networks can quickly develop into greater security risks. In order for them to function and efficiently deliver, IoT devices collect a lot of data from their users and environments. However, if these devices are vulnerable, it would unleash many other consequences including full-network violations, theft of all the data, and closing down entire businesses.
IoT Attack Routes:
A draft of IoT attack vectors has been published by The Open Web Application Security as part of its Internet of Things Project. The list describes areas in IoT systems that may pose cyber security vulnerabilities. The list is quite handy and should be comprehended by device manufacturers, security experts, IT teams, and anyone devising on installing connected technology in their organizations. The most prominent attack routes include:
- Devices – The most commonly known attack route in IoT environments are devices that include anything connected to the internet, from laptops, cell phones, to less conventional devices, such as smart printers, thermostats, video cameras, and industrial control systems. Hackers can misuse device ports, firmware, web interfaces and unprotected APIs, while also playing upon weak passwords, unencrypted data, redundant components, and fragile privilege escalation.
- Applications – Attackers can also take advantage of web applications and IoT device software to threaten entire networks. Unprotected data storage, weak passwords, flawed access controls, or ineffectual authentication can undoubtedly lead to violations. Moreover, the exponential growth of micro services in conjunction with the intensified intricacy of micro service architecture increases the attack surface, thereby rendering application security an even bigger issue. As we gradually advance into the future, supervising applications and threats at scale will entail even more automation.
- Communication Protocols – Hackers also tend to target the channels that devices use to transfer data or send and receive commands. Unprotected public-facing Wi-Fi, erratic protocols, update pushes and network attacks like DDoS can influence these essential channels.
There are a number of reasons for security vulnerabilities in IoT devices. The most prominent reason is that while developing IoT devices, security concerns are not given any attention unless a major issue arises. Furthermore, after the launch of an IoT device, it is periodically tested and updated, making it more susceptible to malware attacks. Other security issues on the part of manufacturers include using old operating systems and software’s, weak and easily conceived passwords, unprotected data transfer and storage, issues with the hardware, etc.
Securing the IoT:
As we all know, our data is utilized and divvied between more entities than ever. The more connected we become, the more important it is that we retain our focus on cyber security and updating to keep pace with the increasing number of “things” that are being connected to our networks. To develop a really wide-ranging cyber security strategy, organizations have to deem every IoT device as a possibility of compromise. Besides updating and reorganizing security strategies, there are many commonly known steps which can help shield your business or home from hackers:
- Education – Customers should be educated on how to defend their own privacy and personal data as well as organizations are required to confirm data security to protect their financial well-being, client data, and brand repute. In addition to taking advantage of the available educational resources, and built-in security processes should always be checked prior to purchasing and implementing IoT devices into the ecosystem. One should make sure that the devices use strong password protection and robust user authentication, encrypted communication channels, and reinforced physical components.
- Appropriate Cyber Hygiene – One of the basic, but most vital, factors to keep your network safe from hackers. Some of the common cyber hygiene practices include using distinctive passwords and robust multi-factor authentication when possible, installing antivirus and malware software, employing device encryption, and regularly performing updates and backing up data.
- Zero-Trust Architecture – Organizations should implement a zero-trust policy by default. They should assume that nothing inside or outside their network is safe. The differentiation between “inside” and “outside” a modern business network is getting blurred day by day to such an extent that organizations need to operate on the conjecture that their business could be compromised by anything. In several organizations, IoT devices are added without supervision from security or IT teams. Bring Your Own Device (BYOD) policies also pose a great threat here. It is important that the security controls can appropriately see and manage all devices connected to the network. Also, in today’s continuously-evolving threat scenario first-generation security solutions are no longer effective. Therefore, organizations should keep their security architecture updated.
- Physical Security – Cybercriminals could exploit or tamper with any IoT device that lacks any physical safeguards. Using locks and other tools where possible, might not help you in restricting access to every IoT device on the network but will act as an additional layer of security against bad actors.
- IoT Security Analytics – Implementing security analytics involving gathering, correlating and analyzing the data from various sources and it helps IoT security providers by helping in identifying possible threats.
The abundance of IoT devices has certainly changed the business landscape along with the threat landscape. Increase in security incidents comprising connected devices highlights the need to consider progressive technologies when developing security strategies. Cyber security can no longer be a second thought. Securing the IoT is a daunting task that involves large-scale collaboration and effort, but this needs to be done.
Unfortunately, in spite of all efforts, in terms of securing IoT, there are no foolproof solutions. Eventually, utilization of better-automated cyber security tools empowered by machine learning will help minimize breaches. In explicit regards to IoT security, there is a proverb that rings true that it is better to be more secure than less secure (and avoid making yourself a target). Using an all-inclusive risk management approach to understand and mollify the threats of the Internet of Things can be of major help to that regard in ameliorating mitigating security lapses. To be more cyber security ready should be a priority pursuit for everyone connected.