In 1990, the world contained exactly one Internet of Things (IoT) device: a toaster connected to the Internet by a guy named John Romkey acting on a trade-show dare. Now, experts predict we’re on track to have 41 billion IoT devices in the world by 2027.
That means the security risks of IoT devices must be a key part of the security plan in every business and home-office setting. These devices make us smarter and more efficient by disseminating a staggering amount of data from every corner of our daily experience. One popular statistic estimates the daily data stream adds up to 2.5 quintillion bytes (that’s 18 zeroes). The nationwide arrival of 5G wireless technology will only increase that number.
All that data collection introduces an entirely new realm of risk where the key concept is “attack surface.” A few years ago, “only” computers and servers presented exposure to the internet, but modern hackers can now find doorways into networks through watches; cars; smart thermostats; medical devices; wearable safety devices; Programmable Logic Controllers (PLCs) in valves and switches; and more. Even your kid’s adorable electronic teddy bear could go all Chucky on you if it has an Internet connection and spy-ready features like a camera and speakers. With exponentially more devices connected to the Internet, the attack surface now looks like the Pacific Ocean.
An obvious solution is to keep all these devices offline. In other words, reduce the attack surface. But as we’ll see below, IoT’s tremendous business advantages require you to find a way to safely implement these devices in a way consist with your business’ risk tolerance.
Along with the obvious convenience of having data wherever you need it (remember that your smart phone once seemed like a revolutionary IoT device), the technology lets businesses monitor equipment and personnel in real-time, even in remote settings. A continuous data stream, whether it’s from a weather station in a far-off location or a machine across the shop floor, allows more current, informed decisions. It also produces efficiencies, as information can flow back to a central location for tracking and administration.
Cell towers provide one common use case. In that space, effective monitoring is fundamental to proper maintenance, tower uptime, energy consumption tracking, adherence to stringent service level agreements (SLAs), etc. However, monitoring cell sites remotely keeps getting more challenging because of expanding networks, rising operational costs and security issues. IoT solutions enable 24/7 monitoring of passive assets across multiple remote locations. These devices can now communicate and feed data into a cloud-analytics engine, leading to increased tower uptime and better power management.
Routine patches help keep computers secure, but the core design of IoT devices allows for minimal, if any, software and firmware updates. Because this space is growing at a rapid pace, devices are only supported for short periods of time before manufacturers allocate more time and resources to the development and support of new products. In a related challenge, many vendors are rushing products into this seeming gold rush of a market, giving security less attention than it deserves.
Plus, many IoT devices suffer from basic security flaws that are routinely addressed on servers and endpoint computers in organizations that have solid security policies. For example, many IoT devices use unencrypted communications, use default passwords and don’t implement multifactor authentication.
You should be particularly wary of certain high-risk IoT devices, such as off-brand devices (which rarely have the same security protection as higher-priced versions) and Internet-enabled toys, which often lack sufficient security features. These devices can sometimes be used in second-order attacks on a home network, which could quickly lead back to business data in today’s work-from-home environment.
Your unique situation will determine which threats you should focus on. For example, a Department of Defense employee who frequently deals with information requiring certain levels of security clearance probably won’t have a Google or Amazon virtual assistant in the office or use remotely controlled security systems. Your business needs may not require quite that level of security.
Common IoT Attack Vectors
The following list covers some of the most common ways hackers go after IoT devices:
- Web application attacks – Attackers compromise the application that monitors and controls IoT devices and then uses trusted credentials to remotely control devices. Once they have access, hackers can use the devices to install rogue software or use unsecured operating systems to pivot within the environment.
- Pivoting – Bad actors can use unsecure but trusted IoT devices as a pivot point into more critical systems.
- Wireless intercepts – Unsecured wireless communications can be intercepted, and unauthenticated communications can be used to inject commands.
- Credential or information stealing – Unsecure devices have credentials used to communicate with backend systems, and hackers can use stolen credentials to pivot into more critical systems. Sensitive information can be stolen as the target or used in additional attacks.
How to Protect IoT Devices
In late 2020, the National Institute of Standards and Technology (NIST) issued four new publications that offer recommendations to the government and manufacturers for effective IoT security. These publications fulfill requirements outlined in the IoT Cybersecurity Improvement Act of 2020, which became law in December 2020. For a business, NIST’s new documents provide insight on what you should consider when purchasing and integrating IoT devices. You can read the guidelines here.
We also recommend implementing the following best practices as part of your IoT strategy:
- Network isolation – Segment IoT devices in separate logical or physical networks. Implement ingress and egress filtering to restrict data flow.
- Device isolation – Isolate functions or services within the device. Require authentication to the device or service. Restrict communications to or from the device or service.
- Review security event logs – This includes watching firewall events, intrusion prevention system events, application events and device events. Use a SIEM tool to analyze log data and detect suspicious activity.
- Penetration testing – Test devices for vulnerabilities and retain a team of white hat hackers to attempt to compromise the device. Use the device to cause mechanical or physical impacts and learn from what happens.
- Product development activities – Set up devices to eliminate as many problems as you can. Remove unnecessary services, require authentication, encrypt storage and communications, patch systems and apply updates.
For a full assessment of your IoT risks and consulting on how to control the risks for your organization, contact us.Editor's Note: This post was originally published in November 2020 and has been updated to reflect new legal developments.