The Internet of Things (IoT) has changed the way we live, communicate, and do business. But while we have managed to connect the physical devices around us to the Internet at a rapid pace, IoT security is still playing catch-up, with innovative solutions needed to deal with complex threats, vulnerabilities, and issues.
Internet of Things (IoT) security refers to strategies and mechanisms that can be used to protect IoT devices against vulnerabilities and exploits, including malware, cyberattacks, and device hijacks.
As a point of reference, personal computers first used antivirus software in the 1980s – around 40 years ago. With IoT, one of the greatest security challenges is that most IoT devices were never built with security in mind. This makes it exceedingly difficult to install any kind of security software directly onto an IoT device.
So, should you just throw away your fitness trackers or security cameras? How are smart factories going to cope with cybersecurity threats when they install hundreds of connected devices? Are things going to get worse before they get better? Dgtl Infra answers all of these questions and more.
What is the Internet of Things (IoT) Security?
Internet of Things (IoT) security is designed to overcome IoT device vulnerabilities through methods like detached networks, access control, and behavior monitoring. These methods protect against various security risks, including, most commonly, information theft and malware.
There is a well-known joke about IoT, which is that “The S in IoT stands for security”. If you read that and thought that there is no “S” in “IoT”, that is precisely the point – security is sorely missing in the connected things around us.
According to Gartner research, more than 14 billion connected devices are expected to be in use by the end of 2022, up from just 2 billion in 2013. This staggering rise in the number of IoT devices has come at a cost.
To quickly capture the IoT device market, vendors are shipping cheap, unsupported solutions (i.e., developer is not issuing any software patches or security updates), with little to no concern given to cybersecurity.
Four in five device vendors were found to be failing in basic cybersecurity practices, according to a recent report from the Internet of Things Security Foundation (IoTSF). After analyzing hundreds of popular IoT product makers, the organization found that only about one in five provide a way for users to report security vulnerabilities to vendors so that the product can be fixed.
Overall, everything from home and personal IoT devices to enterprise systems have been exposed for containing significant security vulnerabilities. Below are examples of IoT devices that have the highest share of security issues:
IoT Devices with the Highest Share of Security Issues
|IoT Devices||Share of Security Issues|
|Medical Imaging Systems||51%|
|Patient Monitoring Systems||26%|
|Medical Device Gateways||9%|
|Energy Management Devices||6%|
Unsecured networks have also played a key role in leaving the door open to threats. According to the Unit 42 IoT Threat Report, 98% of all IoT device traffic is unencrypted. This has allowed attackers to collect personal, as well as confidential information, and exploit that data for profit on the dark web.
Over 1.5 billion attacks were recorded on smart devices in the first-half of 2021, with attackers mostly seeking to steal data, mine cryptocurrency, or build botnets. In one of the largest ever security attacks, hackers used Mirai malware to take control of 100,000 webcams, DVRs, and other connected IoT devices, and launched a massive distributed denial-of-service (DDoS) attack causing websites like Netflix, Twitter, and Spotify to go down.
As IoT devices become increasingly pervasive and have a prominent impact in our lives, there is a need to step-up security beyond the basics. Especially, considering how limited our efforts have been in attempting to identify and respond to malicious activity.
What are the Types of IoT Security Threats?
The three leading categories of IoT security threats are exploits, such as remote code execution and command injection, malware such as botnets and trojans, and user-related vulnerabilities, such as weak passwords and phishing.
Every IoT device on a network represents a potential entry point for hackers. The term “attack surface” is often used to refer to the total number of entry points for unauthorized system access, including all IoT devices, network connections, and software.
While IoT devices have improved in recent years, their potential vulnerabilities have more or less remained the same. Even as politicians and industry participants look to plug the security holes in new devices, legacy systems continue to remain as susceptible as ever.
Per Unit 42, an estimated 57% of all IoT devices are vulnerable to attacks of medium- or high-severity, making them an easy target for bad actors. After compromising the first device, an attacker often uses it as an avenue to compromise other systems in the network.
Exploits are one of the most frequently experienced IoT device threats. They are usually a piece of code written to cause damage or steal data from a system.
As shown below, 41% of attacks are exploits of IoT device vulnerabilities, with the largest component of this category originating from scans through network-connected devices.
Summary of Top IoT Threats by Category
Still, it is worth noting that attack tactics on IoT devices are hardly considered ‘advanced’. In fact, a majority of these attack techniques are considered to be obsolete by modern IT security standards.
Top 5 Types of IoT Security Threats
Below are the five most common types of IoT security threats:
Botnets are a network of malware-infected IoT devices controlled remotely. They are used to carry out large-scale cyberattacks such as a distributed denial-of-service (DDoS) attack, in order to overwhelm the target’s network traffic.
Presently, IoT worms are more commonplace than botnets. Worms are self-propagating malware with the ability to duplicate themselves and spread to uninfected systems on the network.
In a typical “Man-in-the-Middle” attack, a hacker intercepts messages between multiple IoT devices and gains control over their communications.
4) Social Engineering
Hackers use social engineering techniques to manipulate people into giving up sensitive information such as passwords. These attacks are often executed using phishing e-mails.
Ransomware attacks are another commonly used tactic among cyber criminals, where malware is used to lock users out of their IoT devices. Access is only given back once the attackers receive a ransom payment.
What are Examples of IoT Security Breaches?
Hacking IoT devices has been surprisingly easy over the last few years. Experts state that an IoT device without adequate security can be hacked in a matter of hours, thanks to an array of software and hardware tools that are readily available online.
Below are some major examples of IoT security breaches:
Stuxnet, first discovered in 2010, was likely the first well-known malicious worm to exploit the vulnerabilities of industrial control systems connected to the Internet, initially targeting multi-national conglomerate Siemens. Ultimately, the worm became infamous for its role in crippling Iran’s nuclear program.
DDoS attacks on Dyn
Subsequently, in 2016, the largest IoT security breach occurred when a public release of Mirai malware prompted bad actors to launch DDoS attacks by creating massive IoT botnets. One such attack was targeted at domain name system (DNS) provider Dyn, leading to significant portions of the internet going down, including Netflix, Twitter, Reddit, and CNN.
Once infected with Mirai, systems continued to search for vulnerable IoT devices online and then gained access based on commonly used login credentials (e.g., admin/admin).
WannaCry Ransomware Attack
Lack of basic security standards in connected medical devices has dealt huge blows to the healthcare industry. For example, in 2017, hospitals were among the worst hit by the WannaCry ransomware attack. Attackers locked down hospital systems in the UK and demanded ransom payments in Bitcoin, leaving hundreds of lives at risk.
As of 2020, 83% of medical devices were found to be running unsupported operating systems (after Windows 7 updates were stopped), leaving them vulnerable to threats and IoT security issues.
As cryptocurrencies hit their prior all-time highs in 2018, a new type of attack called cryptojacking began to emerge. The idea was simple: find a way to use the processing power of a computer you do not own, to mine cryptocurrency for yourself. This kind of malicious mining malware was made possible when a group called Coinhive created a mining module that could be embedded into any website.
In one high-profile attack, cryptojacking code was found hidden in the Los Angeles Times’ Homicide Report page, which was being used to mine a popular cryptocurrency called Monero.
Security Cameras and Connected Cars
In 2021, an international hacker collective took over 150,000 live surveillance camera feeds by compromising security camera startup Verkada. Their cameras monitored schools, hospitals, and private facilities of companies like Tesla.
Regarding Tesla, a Belgian security researcher recently hacked into a Tesla Model X in less than 90 seconds using a Raspberry Pi computer, by exploiting vulnerabilities in the electric SUV’s keyless entry system.
How Can we Secure the Internet of Things?
While IoT attacks have recently doubled, security spending is yet to keep pace with the growing vulnerabilities.
Gartner has previously estimated that more than 25% of identified enterprise attacks will involve IoT, but that IoT will account for only 10% of IT security budgets. Global IoT security spending is predicted to reach $6 billion by 2023. It does not appear to be nearly enough.
The IoT security challenge is not just isolated to the sheer number of devices that need to be secured. There is also the fundamental security issue stemming from how IoT devices are manufactured. A large number of IoT products are just an everyday device with a computer chip installed, making it virtually impossible to secure them in the same way you can with a personal computer (PC).
So how do you go about securing your IoT portfolio? A one-size-fits-all approach does not work, given how IoT devices are different across industries.
Security leaders in organizations are looking beyond legacy network solutions and adopting approaches that tackle security flaws at every stage of the IoT lifecycle.
Key points and processes used to safeguard IoT devices include:
The first step in IoT security is to discover the exact number of IoT devices on the network. Maintaining a detailed, up-to-date inventory of all connected devices allows you to determine the risk profile of each device and how it behaves with the rest of the network.
The more segmented your network, the smaller your attack surface will be. By dividing your network into two or more sections, it will be harder for hackers to threaten your entire network by compromising just one device.
Most IoT devices come with weak, preset passwords that can be easily found online. The first thing you should do when you connect an IoT device to your network is to reset the password to a more complex one.
Unlike IT systems, most Internet of Things (IoT) devices are not designed with the ability to patch security flaws via regular updates. As such, it is important for you to work with your IoT device vendor to establish a firmware upgrade strategy and plug security vulnerabilities before issues arise.
By implementing a real-time monitoring solution that continuously analyzes the behavior of all your Internet of Things (IoT) devices, you can respond to security threats swiftly.
What are the IoT Security Solutions?
IoT security solutions are software and embedded tools which can be used to monitor, detect, and rapidly respond to threats to connected devices and networks.
The rise in the number of vendors offering IoT security solutions signals a shift in the industry – organizations are finally taking IoT security seriously. To this end, the PSA Certified 2022 Security Report noted that 9 out of 10 surveyed organizations placed security in their top-three business priorities, while 83% of respondents are looking for specific security credentials when purchasing IoT products.
Today, IoT security solutions include capabilities such as encryption, firewalls, endpoint detection and response (EDR), identity and access management (IAM), as well as network segmentation tools.
Most vendors provide solutions which are specifically designed to secure the most common IoT configurations. Other providers in network and endpoint security have added IoT support to their existing bundle of offerings.
Internet of Things (IoT) Security Solutions Providers
Microsoft Defender for IoT offers unified security and threat protection for all Internet of Things (IoT), operational technology (OT), and industrial control system (ICS) devices with agentless network detection and response (NDR).
Palo Alto Networks takes a complete lifecycle approach to securing IoT devices. Their IoT security framework includes endpoint detection and response (EDR), zero trust network access (ZTNA), vulnerability management, asset management, and network access control (NAC).
Fortinet is addressing IoT security with its FortiGuard IoT Service that combines its firewall and network access control service, into a software as a service (SaaS) solution, known as FortiNAC.