September 4, 2022

Understanding IoT (Internet of Things) Security: Issues, Threats, and Defences

What is IoT Security?

The Internet of Things (IoT) is increasingly becoming a part of our homes, businesses, and public services with a wide range of uses from ‘smart’ home appliances to complex industrial tools. With the increasing adoption and application of IoT devices, they have also become increasingly targeted by malicious actors looking to take advantage of opportunities to access them. In this article we will discuss IoT security and its challenges, vulnerabilities that have been exposed and steps to protect your IoT devices against them.

The Importance of Securing IoT Devices

The Internet of Things (IoT) is a connected system of smart devices through a network, typically the internet. When discussing IoT security then, we must be aware that connecting these devices exposes them to the same threats as other internet-connected devices.

‘Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected.’

The connectivity of IoT relies on sharing information between devices, meaning a hacked device causes security issues for the entire network. Hackers are adept at manipulating systems to gain increasing levels of access. Therefore, identifying, managing, and protecting your IoT devices is fundamental to their security, as well as the data that they share with the network.

Security Vulnerabilities of IoT Devices

Anything that’s connected to the internet poses cybersecurity issues, however, the unique challenge with IoT cybersecurity is the additional interaction between physical devices, and that hackers could access them is a cause for concern. This is especially true due to IoT’s widespread applications in industries such as healthcare and manufacturing, where data breaches or disruption could have very serious repercussions.

IoT devices are a part of the network and therefore store and exchange information with other applications in the network. It is vital both to the functionality of these services, as well as good data security practice, to implement measures to keep these devices secure. A study last year found that “from January to June of 2021, there were 1.51 billion breaches of IoT devices.” Though whilst breaches are so prevalent, IoT cybersecurity is often overlooked when compared with endpoints such as laptops and phones. Unsecured IoT devices can be a backdoor for hackers due to their often-limited security features, leaving the organisation vulnerable to malware and exposure of unencrypted data.

Common IoT Device Security Threats

Hackers’ aims can vary broadly depending on the organisation and type of attack. For example, in a ransomware attack they aim to target critical infrastructure, often to extort the organisation. Ransomware attacks targeting essential IoT infrastructure can have devastating financial effects for businesses. According to Coveware, ‘companies pay an average of $220,298 and experience 23 days of inactivity after a ransomware attack’.

A threat which uses access to devices to create further breaches is botnet malware. This enables the hacker to control a network of devices which can be then be used to enact cyberattacks such as DDoS attacks, which use IoT devices as remote sources to attack and overwhelm online services. Some have become infamous due to the scale of the effects of the attacks, such as the Mirai Botnet (aka Dyn Attack). An IoT botnet attack using malware termed ‘Mirai’ caused a DDoS shutdown of Dyn, a DNS provider for many large sites including Netflix, Reddit and Twitter.

Each connected device is an endpoint in the network and so should be treated as a potential vulnerability for IoT security. Because of the connected nature of IoT, each of these endpoints is a potential weakness through which a hacker could gain a footing to get further access by targeting the least secured devices. Research found that ‘91.5% of data transactions performed by IoT devices in corporate networks were unencrypted’, leaving them vulnerable to a variety of hacks such as ‘Spoofing’ and ‘Man-in-the-middle attacks’.

Securing Your IoT Infrastructure

So, how can you ensure that your devices and data are protected? There are a few key areas of IoT security that will help protect you from the issues discussed above.

  • Software and firmware vulnerabilities – Many connected devices lack the cybersecurity measures we would see in other endpoint devices. Regularly update your devices firmware, as there are often updates to security which may not be automatic.
  • Data Security – Make sure your sensitive data is secure through encryption and one time use keys. According to csoonline.com, over 90 percentof all IoT device traffic is unencrypted, which leaves any confidential data at risk.
  • Password/Certificate management – Putting in place measures such as unique, strong passwords and enabling multi-factor authentication where possible will help secure devices.
  • Control Access – Managing who can access specific devices will reduce the risk of them falling victim to a specific targeted attack and reduces the need for additional security measures.

Adopting a Zero Trust Approach

The Zero Trust architecture [link: https://www.deviceauthority.com/blog/zero-trust-continuous-authorization/] approach to cybersecurity is designed to lessen the impact a malicious actor could have once they have already gained access to some part the network. The Zero trust approach is reliant on strong authentication of user identity and high levels of authentication, to lower the risk of a malicious actor both gaining access to and compromising the network further.

Applied to IoT, this means increased identification for connected devices and the applications that they run. Smart devices have introduced new access points which therefore need to be monitored and secure. Identity and Access Management (IAM) provides extra authentication for the device, giving only trusted users access and monitoring for unauthorised requests.

Click Here to learn more about Device Authority and the Keyscaler platform

 

WRITTEN BY
Louise José