You probably already heard that the Internet of Things (IoT) is growing fast – in fact, let’s make that very fast. The installed base of devices connected to the internet is currently estimated at more than 23 billion, which is five times the current number of internet users globally.
The IoT comprises of everyday devices – e.g. heating thermostats, fridges, security cameras, speakers, (robotic) personal assistants and cars – being connected to the internet. Amongst other things, this enables the devices to be controlled remotely, controlled via automation, and for usage data to be collated centrally for analysis and performance improvement.
In addition to consumer applications, there are many commercial and industrial applications of IoT, e.g.:
- Automation of farming techniques based upon the weather and ground conditions.
- Remote monitoring of infrastructure such as bridges, railway tracks and offshore windfarms.
- Real-time optimisation of manufacturing processes using internet connected sensors.
Thanks to the steady decline in the price of sensor and communication technologies, more businesses are discovering how IoT technology can increase insight, enhance customer satisfaction and deliver greater efficiency in many areas.
However, whilst the use cases and benefits of IoT devices are clear to see, some caution must be taken in respect of the cyber security threats that they may introduce to your home or business environment.
More endpoints, more risk
Businesses need to remain aware that without proper management, IoT devices can significantly increase the risk of security breaches occurring. This is due to the creation of more endpoints on the network and, as a result, substantially more opportunities for hackers to seek out vulnerabilities to exploit.
Governments are particularly concerned about the vulnerability of critical infrastructure to cyberattacks – from either criminal organisations or state-sponsored. The US Department of Homeland Security recently warned of a “multi-stage intrusion campaign by Russian government cyber actors” who introduced malware and gained remote access into the corporate networks of energy companies, the DHS claims.
It’s not just operators of critical infrastructure that need to be vigilant. A wide range of industrial equipment and consumer devices also use the internet to collect data, access cloud-based services or communicate with other devices.
A botnet is a collection of internet-connected devices infected and controlled by a common type of malware without the knowledge of the device owners. Not surprisingly, it didn’t take long for cyber criminals to take advantage of IoT devices for this purpose.
The first IoT botnet was discovered in 2013 by enterprise security firm Proofpoint. According to Proofpoint, more than 25 percent of the botnet was made up of devices that were not classified as computers – this included smart TVs, baby monitors and other household appliances.
Unfortunately, the majority of IoT devices, especially those targeted at consumers, were not manufactured with security as a primary requirement. Manufacturers often place more emphasis on reducing cost so the devices can be sold at a certain price-point or adding usability features that make the product more marketable. Overall, security is typically not something that “sells” to the average consumer.
In some cases, it may be argued that IoT devices have little memory and limited computing power to support sophisticated on-board security. However, putting sophistication to one side, there is no excuse for shipping devices with a default and easy-to-guess password e.g. “Admin”. Most users will fail to change this which serves up an easy meal for hackers to feast upon.
Patching the vulnerabilities
A further weakness with IoT products is the usage of old and unpatched operating systems embedded within the devices; these will typically contain a series of known vulnerabilities. Unfortunately, many IoT products are not designed so that they can be easily patched/updated – unlike smartphones, for example, which will automatically patch or update the operating system “over the air”.
Cybercriminals wanting to hack a corporate network will typically seek out devices running old firmware and use these entry points to launch a wider attack. Many of these vulnerabilities may have been known about for a year or longer, and the manufacturer may have provided information on how to fix them. However, a lack of resources or procedures within an organisation’s IT department may prevent the required updates being made to IoT devices on a timely basis.
What can be done to protect your IoT?
A good place to start is to “lock down” the devices by disabling features that may be built into the device but will never be used. Open software ports are highly vulnerable; therefore, you should close all ports except for those that are needed to “listen” for incoming traffic.
Secondly, you must implement the processes to ensure the embedded software within devices is kept up-to-date with all the latest security patches. If devices are not easy to update or vendors do not release timely patches, then you should consider seeking an alternative manufacturer.
Finally, in addition to patching the devices, business needed to heavily restrict who can access the devices via the internet– particularly admin level access. This means updating default passwords, enabling two-factor authentication and restricting user permissions to the minimum required to use the device.
Hopefully you made it this far without running off to throw all of your Alexa devices into the (recycling) bin? Good. IoT devices do not need to be feared. By selecting the right vendor products and implementing appropriate security controls around them, you can safely leverage their significant benefits within your organisation.