The Internet of Things (IoT) isn’t only about cool consumer technologies such as Alexa-controlled light bulbs and Internet-accessible washing machines. Companies have embraced IoT in a big way, using it to gather information from a multiplicity of sources that enable better business decisions and enhance productivity. The IoT makes it possible to offer new services to customers and get real-time feedback to help you serve them better.
However – isn’t there always a “however?” – this brave new world of connected devices that communicate with each other brings with it new security challenges. They present attackers with new vectors by which they can gain access to your systems and data or bring down your network.
According to Gartner, the 14 billion plus devices connected to the Internet in 2019 will grow to 25 billion by 2025, but Netscout’s Threat Intelligence Report from late 2018 found that the average time it took for an IoT device to be attacked after connecting to the Internet was only five minutes. If your business is enjoying the benefits of IoT solutions through connected “things,” you need to be aware of the associated security issues. As with any other technology, it pays to understand how your IoT devices work and how they can be exploited by hackers and attackers.
The IoT threat
IoT devices are or contain computers – albeit in many cases very specialized ones. These computers run operating systems and application software that, like the OS and apps on any computer, are prone to vulnerabilities and misconfiguration that can leave them open to be exploited. The types of threats are the same as those that can hit desktop or mobile computer systems: denial of service, ransomware, botnets, remote code execution, and so forth.
IoT DDoS attacks
IoT devices that connect to your corporate network put that entire network at risk. For example, an attacker can use a vulnerable IoT device to overload the network and slow it down or congest it to the point where it’s not accessible to legitimate users. This in turn can result in lost worker productivity and/or customers’ inability to contact your company, get information from your web site, place orders, or otherwise interact online – and that can lead to damage to your business’s reputation as well as direct loss of revenues.
Distributed Denial of Service (DDoS) attacks that utilize IoT devices is not just a theoretical problem; it’s already happening. In October, a massive DNS outage was caused by malware on IoT devices including cameras and DVRs.
We’re all familiar with ransomware that encrypts user files and holds them hostage while demanding a payment to release them. Attackers can also deploy a sophisticated version of ransomware that can take over an IoT device and change its settings or behavior unless and until the attacker’s demands are met. For example, the attacker would take over control of your company’s surveillance cameras and make them go black, or turn off all the lights and not turn them back on until the ransom is paid.
With so many smart devices now connected to the Internet, you can see how this could have serious or even life-threatening implications for an organization such as a hospital with a plethora of connected medical devices. Smart locks could be hacked to lock you out of (or in) your building. Connected company vehicles present another scary scenario. With both ransomware incidents and the number of IoT devices increasing annually, there is a perfect security storm in the making.
Botnets are made up of dozens, hundreds, or thousands of systems that have been infected by malware that puts them under control of a botmaster, who can then use the combined power of those multiple devices to attack another targeted system or network or to distribute spam or ransomware. Sophisticated botnets can seek out and infect vulnerable systems – including IoT devices – automatically.
The myriad of IoT devices on the Internet has dramatically expanded the prospects for botmasters to add to their “armies.” Botnet malware can infect routers, printers, cameras – almost any kind of Internet-facing device.
The trouble with IoT
IoT devices are particularly attractive to attackers because they often aren’t carefully monitored, frequently aren’t updated as regularly as full-fledged computers, many of them use the default passwords assigned by the vendors, and they tend to be “always on” devices which also means “always available for exploit.”
Sometimes even if organizations and individuals who own IoT devices want to keep them up-to-date, they may not be able to because the vendors don’t issue updates on a timely basis. The big OS vendors such as Microsoft or Apple or Ubuntu have many security researchers actively hunting for vulnerabilities in their software all the time and are under pressure to address those that are discovered. IoT devices are made by many different companies, both large and small, that may or may not have expertise in the security aspects of their products and may or may not have the budgets (or the inclination) to make their devices secure.
Many IoT devices use third party software components that are out of date or inherently insecure, which compromises the security of the device (and thus the network to which it’s connected). Data collected by the device may be transmitted and/or stored without encryption. And in the effort to make devices more “user friendly,” some vendors may put convenience above security in the design of their devices.
IoT devices are usually managed through a web interface or a mobile app, and the security of these components is a concern, as they could be used by attackers to gain unauthorized access to and control over the devices.
How to make IoT more secure
You can’t make vendors more conscientious about security – at least not directly. But you can do your homework and choose IoT devices made by vendors that focus on security as well as functionality. Research the reputations of the companies that make the devices you’re considering. Avoid those that make broad statements about security without any details as to the security mechanisms they use.
Choose IoT products that allow you to configure security options such as password policies, to grant different permissions to different users, to encrypt data both in transit and at rest, to log security events, and to send notifications of security events such as failed logon attempts.
Do not take the easy way out and install IoT devices with the default settings and passwords. Change the password to a strong one following standard best password practices. Don’t buy/use devices that don’t allow you to change the default password or don’t allow you to password protect it at all. If possible, choose devices that allow for two factor authentication for administrative access.
Disable features and services that you don’t need (for example, there is no need to have the microphone enabled if you plane to use a device for visual monitoring only). Disable ability of the device to connect automatically to open wifi networks; you want to have control over what network the device connects to.
When possible, put your IoT devices on a different network from your production machines and servers to protect your critical applications and data. Isolating your IoT devices on their own physical network or VLAN behind a firewall will help protect your other resources.
Update IoT devices when updates are available, even if you have to manually check for and install the updates. Don’t use devices that vendors no longer support or made by companies that have gone out of business, even if they work well. You’re leaving yourself wide open to attacks by doing so.
The Internet of Things has the potential to transform the way companies – from small businesses to enterprises – operate. Increased productivity, more enlightened business decisions through better business intelligence, and reduced operating costs are only a few of the benefits. Just don’t forget that these advantages can be offset by the monetary and reputation cost of downtime, data breaches, or a ransomware attack if you don’t plan carefully to ensure the security of your IoT deployments.