Security has always been at or near the top of the to-do list for all heads of IT. The last two years have given security considerations a savage twist. Working From Home and providing remote access to systems and data has become a necessity for many organisations. Because IT has little or no control over remote devices, this is, in effect, an implementation of an IoT environment.
Simply put, IoT expands the attack surface exposed to threats and potential malware attacks. Add to that, many organisations don’t have the resources or skills to implement the best practices in IoT security. The increasing spread of IoT devices into homes also opens domestic networks to attack.
Estimates put the number of IoT devices in 2022 at over 50 billion worldwide.
IoT Security – Why is it Important?
One simple example illustrates the point. Driverless Vehicles. Hacking into a sensor or control mechanism could have serious or even fatal consequences. Extend this to automated manufacturing environments, and the seriousness of potential malware attacks on IoT devices is obvious.
IoT devices are not just for businesses. Fibre to the Home and domestic WiFi have brought IoT into the front parlour. A smart home could have a security system with IP cameras, smart locks and motion sensors. Individuals could have smart devices, laptops, and digital wearable devices like watches and fitness monitors. Internet-attached Smart TVs have recently become common, with the children using gaming consoles to compete on Internet gaming platforms. Some cable companies offer an Internet-based streaming service.
The wide diversity in IoT devices brings security and operational issues in its wake. Currently, there is a determined move towards standardisation and compatibility between devices, but this is by no means complete. Device portability also raises security concerns. These gaps are exploited by hackers to carry out information thefts and attacks on corporate and increasingly on home networks.
Unfortunately, as described below, IoT security has not yet had the rigorous attention that other aspects of network security have received.
IoT Security Issues
Many IoT devices have not been designed with security in mind, and many lack the capacity to operate a security environment. Another reason is that the development cycle for secure firmware is kept short and budgets are limited, to ensure a fast time to market and a low price point for the devices.
Two malware attacks have been recorded on IoT devices, URGENT/11 and Ripple20.
A second attack surface is the applications software used to manage the IoT device, which sometimes is not part of the anti-malware defence environment.
Device portability is also an issue. Users can bring flash drives, smart devices and e-readers from home to work and attach them to the corporate network. Even if they do not carry malware, they can be used to steal confidential information.
This is a particular issue for home systems, where users don’t activate or configure the inherent security features in their IoT device. They may also use easily hacked passwords. Hijacking an IoT device can be used as a prank or can be used as an entry point to a domestic or corporate network.
Cybercriminals are increasingly looking at IoT devices as a target in themselves, or as an entry point to networks and systems. One recorded exploit was when the Mirai botnet downed major websites and services worldwide. Ransomware is a recent and rapidly growing threat.
Compromised IoT devices can also be used as the base for DDoS attacks, as the source for infecting other devices, or as an entry point to a corporate network.
Quite apart from using an IoT device as the entry point to a corporate network, some devices store information that could be stolen. In a research environment, this could be valuable IP data.
The FBI say that most successful malware attacks are because of actions, malicious or otherwise, initiated between the keyboard and the back of the chair. A complex network (some home networks are at or beyond this status) needs proper management, an understanding by users of what constitutes a cyber threat, and what to do if they suspect they have found one.
One other operational issue is the misconfiguration of IoT devices, or not setting up the security features at all.
Step 1 – Does it need to be on?
Look at all your IoT devices. Not all will need to be switched on and connected 24/7/365. Switch them off when not needed.
Step 2 – Create a separate network for IoT devices
If a hacker does manage to break into an IoT device, limit their ability to move on into the corporate network by having all IoT devices on a separate logical network. This means that your router needs to be completely secure.
Step 3 – Check for Updates
Regularly check for firmware upgrades for your IoT devices.
Step 4 – Check your Anti-Malware Software
Make sure you are using anti-malware software that provides coverage for IoT devices. Not all do. If necessary, change.
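One way to check that the separate network from Step 2 is actually holding is to audit connection records for traffic initiated from the IoT segment into the corporate range. The sketch below is an added example, not part of the original article; the subnets, the DNS exception, the log format and the sample records are all constructed assumptions.

```python
import ipaddress
import re

# Assumed address plan (not from the article).
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
CORP_NET = ipaddress.ip_network("10.0.0.0/16")
# Assumed exception: IoT devices may query one internal DNS resolver.
ALLOWED = {(ipaddress.ip_address("10.0.0.53"), 53)}

# Constructed sample records: one line per new connection, src is the initiator.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01Z src=192.168.50.21 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:00:05Z src=10.0.4.15 dst=192.168.50.21 dport=443 proto=tcp
2024-03-01T09:02:17Z src=192.168.50.21 dst=10.0.4.15 dport=445 proto=tcp
2024-03-01T09:02:18Z src=192.168.50.21 dst=10.0.4.16 dport=445 proto=tcp
this line is malformed and must not stop the audit
2024-03-01T09:03:40Z src=192.168.50.33 dst=10.0.0.53 dport=53 proto=udp
2024-03-01T09:04:02Z src=192.168.50.33 dst=10.0.9.8 dport=22 proto=tcp
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")

def parse_flow(line):
    """Return (ts, src, dst, dport, proto), or None for a malformed record."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto
    except ValueError:  # address field is not a valid IP literal
        return None

def segmentation_violations(log_text):
    """Return (violations grouped by IoT source, count of unparsed lines)."""
    by_src, skipped = {}, 0
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            skipped += 1
            continue
        _, src, dst, dport, _ = flow
        # Only IoT-initiated traffic into the corporate range breaks the policy.
        if src in IOT_NET and dst in CORP_NET and (dst, dport) not in ALLOWED:
            by_src.setdefault(str(src), []).append((str(dst), dport))
    return by_src, skipped

if __name__ == "__main__":
    print(segmentation_violations(SAMPLE_FLOWS))
```

Corporate-initiated management connections and IoT traffic to the Internet are deliberately not flagged; any hit in the output means the router or firewall between the two networks is letting IoT devices open connections inward.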
IoT security can be a minefield, particularly for the home user. However, there are tried and trusted solutions and techniques to make an IoT environment as secure as possible.