Last updated: 25 April 2021
Businesses can reap impressive benefits from the Internet of Things (IoT).
But more IoT devices and a more complex IoT ecosystem also mean increased security vulnerabilities from edge to cloud.
Sadly, many companies still put off adopting an IoT cybersecurity strategy and don't realize IoT security risks until it's too late.
And COVID-19 has only made the threats more prominent.
Developing a thorough understanding of IoT cybersecurity issues and executing a strategy to mitigate the related risks will help protect your business and build confidence in digital transformation processes.
In this new article, we will review six significant IoT security challenges:
- Weak password protection
- Lack of regular patches and updates and weak update mechanism
- Insecure interfaces
- Insufficient data protection
- Poor IoT device management
- The IoT skills gap
We explain the potential threats for each topic, illustrate the issue with IoT attack examples, and results from recent research papers.
We will also see how to address these risks and move forward.
But before that, here's a quick reminder….
IoT security challenges
"Myriad devices provide mountains of information that businesses can leverage, analyze and act on. The digital transformation involves first connecting devices, and then implementing the analytics to turn data into added value."
Unsurprisingly, the global pandemic has underlined just how vital digital strategy is to business resilience.
But rushing is risky.
A report conducted by IDC and commissioned by Thales reveals that the rush to deploy new digital technologies often comes without the proper security measures in place.
There are often vulnerabilities around the security of new IoT infrastructure and gaps in protecting legacy systems that may connect to more open environments.
In that case, a breach of an IoT device may even result in unauthorized access to legacy systems.
Let us show you how.
#1. Weak password protection
Hard-coded and embedded credentials are a danger for IT systems and as much hazardous for IoT devices.
Guessable or hard-coded credentials are a windfall for hackers to attack the device directly.
With default passwords, the attacker may already know the password to the machine!
The Mirai malware is a good illustration of such an attack.
Mirai infected IoT devices from routers to video cameras and video recorders by successfully attempting to log in using a table of 61 common hard-coded default usernames and passwords.
The malware created a vast botnet. It "enslaved" a string of 400,000 connected devices.
In September 2016, Mirai-infected devices (who became "zombies") were used to launch the world's first 1Tbps Distributed Denial-of-Service (DDoS) attack on servers at the heart of internet services.
It took down parts of Amazon Web Services and its clients, including GitHub, Netflix, Twitter, and Airbnb.
Based partly on Mirai, Reaper first came to light at the end of 2017.
Around 20-30,000 devices were found to have been compromised by Reaper, which can be used to launch crippling DDoS attacks.
Arbor Networks says that it thinks Reaper has been created for the "DDoS-for-hire" market, in which criminals can rent out botnets to attempt to take down websites that they disagree with.
These are old stories.
That's what you're thinking, right?
In January 2020, ZDNet detailed how a hacker published a list of Telnet credentials for 515,000 servers, routers, and IoT devices. This password dump was obtained by using factory-preset default usernames and passwords and guessing easy custom passwords.
ZDNet shared that information with security researchers who notified ISPs in early 2020.
In 2021, Mozi, a Mirai-type variant, has been the most active botnet since 2019.
- Mozi's infrastructure seems to be operated mainly from China.
- According to Security Intelligence and IBM MMS, Japan is the most targeted country, followed by the USA (22 April 2021).
They should include flexible, secure default settings and, in particular, optional mechanisms like password complexity, password expiration, account lock-out, one-time password that forces users to modify the default credentials when setting up the device.
Network managers using adapted IoT Identity and Access Management solutions have a wide range of device authentication features to reduce IoT attack exposure.
Two-factor authentication, multi-factor authentication, biometric authentication, or digital certificates (using a Public Key Infrastructure) can ensure that no one can get unauthorized access to the connected devices.
Gartner notes that privileged access management (PAM) for all devices is essential for slashing IoT security issues and ensuring IoT networks cannot be hacked.
Let's move to challenge #2.
#2. Lack of regular patches and updates and weak update mechanism
IoT products are developed with ease of use and connectivity in mind.
They may be secure at purchase but become vulnerable when hackers find new security issues or bugs.
If they are not fixed with regular updates, the IoT devices become exposed over time.
Let us explain this IoT security concern with Satori.
Satori is another malware that spreads and acts similarly to Mirai.
Satori delivers a worm so that infection can spread from device to device with no human interaction.
- First, it doesn't just spread via credential guessing but has been found to target known vulnerabilities in specific ranges of WiFi routers.
- Second, Satori has been discovered infecting smart processor architectures previously ignored by IoT malware, SuperH, and ARC.
What's the magic formula here?
Enterprises can then provide critical security updates to IoT devices in the field.
Network managers should also pay special attention to update mechanisms, including only signed updates and encrypted exchanges for authenticity.
Unexpected firmware updates have taught developers some hard lessons about the importance of a well-planned Firmware Over the Air (FOTA) strategy.
If you're eager to use Low Power Wide Area network technologies (LPWAN), incremental FOTA solutions should be explored.
It comes as no surprise that California's and Oregon's IoT cybersecurity laws (effective 1 January 2020) or the UK's proposed IoT cybersecurity law (2020) require the IoT devices sold in their respective territories to be fitted with "reasonable security features".
These include unique passwords, regular security updates, and vulnerability disclosure, in particular.
#3. Insecure interfaces
All IoT devices process and communicate data. They need apps, services, and protocols for communication and many IoT vulnerabilities originate from insecure interfaces.
They are related to web, application API, cloud, and mobile interfaces and can compromise the device and its data.
Common issues include a lack of/or insufficient device authentication and authorization and weak encryption or none.
- Device authentication. It is used to secure access to a connected device and data it generates, only to authorized people and applications who can prove they know the secret.
- Digital certificates. They enable a digital entity (IoT device, computer, etc.) to transfer data securely to authorized parties. X509 certificates are standard certificate formats usually signed by a trusted Certificate Authority. They allow us to identify and verify each IoT device uniquely.
Don't get left behind.
The first thing to do is build applications using the latest security standards and protocols. Various policies, standards, best practices, and guidelines are available from different sources.
- In the United States, the National Institute of Standards and Technology (NIST) released in January 2020 its second draft of its "Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline."
- The European Union Agency for Network and Information Security (ENISA) actively contributes to European cybersecurity policy. ENISA is about to create a certification framework for IoT devices in particular. ENISA recently published "Good Practices for Security of IoT - Secure Software Development Lifecycle" (November 2019). This document details how to implement security by design for IoT. It comes as a supplement to its 2017 publication on "Baseline Security Recommendations for IoT Security."
It's a consequence of the US IoT Cybersecurity Improvement Act that became a public law on 4 December 2020 and the Cybersecurity Act (Regulation 2019/881 of 17 April 2019) that came into force on 27 June 2019 and became law in the European Union and the UK.
Let's move to the privacy challenge.
#4. Insufficient data protection (communication and storage)
The most frequent concerns in the data security of IoT applications are due to insecure communications and data storage.
One of the significant challenges for IoT privacy and security is that compromised devices can be used to access confidential data.
In 2017, researchers from Darktrace revealed that they had discovered a sophisticated attack on an unnamed casino.
The cyber hackers accessed a database of "high rollers" (i.e., big spenders) by accessing the network through a thermostat attached to a fish tank.
Once they got a foothold in the network, they exfiltrated about 10GB of data.
The importance of secure data storage and network segregation has never been more evident.
An IoT privacy issue: The Cayla doll (2014-2017): "Cayla, Can I trust you?" answer: "I don't know."
Cryptography is an effective way to address this challenge.
Data encryption prevents data visibility in the event of unauthorized access or theft. It is commonly used to protect data in motion and is increasingly utilized for protecting data at rest.
The data encryption and decryption make certain that data privacy and confidentiality are preserved, and the risks of data theft are minimized.
It's an efficient solution against eavesdropping attacks (used in industrial espionage), also known as sniffing attacks, when the cybercriminal passively accesses data as it is being sent or received on the network.
Cryptography is also the standard defense against active eavesdropping (aka Man-in-The-Middle attack) in which the hacker intercepts all relevant messages and injects new ones between two devices.
The same rule applies to communication between connected smart objects and interfaces such as web and mobile apps.
But let's dive into some shocking 2020 findings.
#5. Poor IoT device management
A study published in July 2020 analyzed over 5 million IoT, IoMT (Internet of Medical Things), and unmanaged connected devices in healthcare, retail, and manufacturing as well as life sciences.
It reveals an astonishing number of vulnerabilities and risks across a stunningly diverse set of connected objects.
They include shadow IoT (devices in active use without IT's knowledge), compliance violations, and US Food and Drug Administration recalled (defective and risky) medical devices.
The report brings to light disturbing facts and trends:
- Up to 15% of devices were unknown or unauthorized.
- 5 to 19% were using unsupported legacy operating systems.
- 49% of IT teams were guessing or had tinkered with their existing IT solutions to get visibility.
- 51% of them were unaware of what types of smart objects were active in their network.
- 75% of deployments had VLAN violations
- 86% of healthcare deployments included more than ten FDA recalled devices.
- 95% of healthcare networks integrated Amazon Alexa and Echo devices alongside hospital surveillance equipment.
But wait - there's more.
Magnetic Resonance Imaging and Computed Tomography machines were discovered running social media platforms.
On one site, a Tesla was even connected to the hospital network.
These hazardous connections are putting organizations at risk.
Ransomware gangs specifically target healthcare more than any other domain in the United States. It's now, by far, the #1 healthcare breach root cause in the country.
- According to Health IT and security, ransomware attacks on healthcare providers rose by 350% in Q4 2019, and 560 healthcare providers fell victim to ransomware in 2020.
- A Checkpoint Research paper published at the end of 2020 showed that the average number of daily ransomware attacks increased by 50% in Q3 than in H1 2020.
Think about it for a moment.
The mix of old legacy systems and connected devices like patient monitors, ventilators, infusion pumps, lights, and thermostats with very poor security features are sometimes especially prone to attacks.
So, these criminals understand that stopping critical applications and holding patient data can put lives at risk and that these organizations are more likely to pay a ransom.
The outcomes of recent ransomware attacks included:
- disruption of operations,
- compromised customer data and safety,
- loss of information, financial losses,
- reputational damage.
Here's the good news.
These vulnerabilities and IoT security threats can be radically reduced by implementing IoT device management platforms.
They provide class-leading lifecycle management capabilities to deploy, monitor, maintain, manage and update IoT devices.
They respond to end-to-end solution needs from customers and the essential security challenges tackled with device management.
They deliver a single view of all devices that helps enabled unified security and unified client abstraction for fragmented device profiles.
These types of platform functions can, for example, help improve asset provisioning, firmware upgrades, security patching, alert, and report on specific metrics associated with IoT assets.
The combination of such intelligence data can prove very effective in detecting harmful threats and finding solutions.
But who's going to manage IoT for your business?
#6. The IoT skill gap
Companies are facing a vital IoT skills gap that is preventing them from exploiting new opportunities to the full, according to Forbes (30 July 2019).
Training and upskilling programs need to be put in place.
Additional insightful workshops, hands-on newsletters, and bulletins, "Hacker Fridays," where team members can try to hack a specific smart device, can make a huge difference.
The more your team members are capable and prepared about the IoT; the more powerful your IoT will be.
Addressing IoT security risks
There's no denying that IoT security is complicated, but professionals in the field know perfectly well the best practices for efficient risk assessment and mitigation.
Expert collaboration simplifies IoT deployments.
One of the key tenets is that security must be considered at the very beginning of the design process, with the expert knowledge mobilized as early as possible – from outside the firm if necessary.
This method leads to better security - no doubt about it.
- The later the process of assessing, testing, and hardening IoT solutions is left, the more difficult and costly it is to get it right.
- Worse yet, discovering critical weaknesses or inadequate contingency plans only after a breach has happened can be more costly still.
This is especially true for small businesses.
A 2018 report by Hiscox found that it takes small businesses longer to recover from a cyberattack, which means more disruption and revenue loss.
In other words, call the experts, and the sooner you start, the better.
IoT cybersecurity from the ground up
Cybersecurity in IoT is absolutely vital, according to Steffen Sorrell, a Principal Analyst at Juniper Research.
The first stage for companies is building security from the ground up and focusing on the fundamentals.
That means assessing the risks the devices and the networks are involved in.
For smaller businesses or businesses that are not overly familiar with security best practices, the best way forward is to bring in some third-party expertise to assess risk and provide them with the best solution to move forward.
Technology that can be implemented to improve IoT security involves several solutions.
- First of all, it's the secure element, for example. It can be soldered onto the device and will provide secure cryptographic functions.
- Another key hardware element of the security chain is the hardware security module (HSM). Here this will combine with public key infrastructure to handle the secure distribution of cryptographic keys to ensure that data and communications are encrypted.
Wrapping up with Steffen Sorrell
"Really, the fundamental aspect is to ensure that data and applications are protected all ways."
The importance of security by design in achieving proper IoT security cannot be overstated, particularly when IoT devices will be in the field for ten or twenty years.
So, security solutions need to be flexible. That means that credentials, digital certificates, and cryptographic keys must be renewed.
Life cycle management is essential.
We need to be considered security from the ground up (devices, networks, applications, cloud) holistically in terms of how they can be protected not only now but for future considerations.
Effectively handling IoT security concerns.
Overall cybersecurity strategy must aim to protect three core pillars that underpin connected devices and services:
Ensuring that the goals of the three security pillars are met is a question of proper security by design.
By implementing the suggested security options such as device and authentication management solutions, based on encryption techniques, with the expert knowledge mobilized as early as possible, companies can prevent unauthorized access to data, devices, and software.
In turn, these controls help ensure data integrity and service availability.
More on IoT security and privacy issues, solutions, norms, and regulations
We have our finger on the pulse of security standards, compliance, and regulations that businesses should be aware of.
We also know security is a critical dimension of every IoT design.
We'll be delighted to share more resources to help you understand how to secure IoT devices and mitigate risks properly.
- An unprecedented look at STUXNET
- Triton is the world's murderous malware – the MIT Technology Review (March 2019)
- Is your FOTA solution efficient enough for LPWAN?
- The UK government press release on new mandatory requirements for IoT device manufacturers (January 2020)
- GSMA IoT Security Guidelines
- Center for Internet Security: Cybersecurity best practices
- What Are The Fastest Growing Cybersecurity Skills In 2021? (Forbes, November 2020)
- Thales' IoT security solutions
- Thales's IoT Identity Management solution
- Privacy and the Internet of things – Emerging frameworks for policy and design– Center for Long-term cybersecurity (2018)
- Thales IoT resource center