Threats to IoT Devices
IoT devices face a variety of threats. Firmware (software on all IoT devices that operates the hardware) may be exploited, and even if vulnerabilities are known, patches may not be available or applied.
Attackers also may break into a network using default usernames and passwords that customers have not changed — or cannot change. This vulnerability was exploited by the Mirai malware, which utilized 61 common default credentials to launch devastating distributed denial of service attacks.
Devices also may be vulnerable to on-path attacks, in which an attacker is positioned between an IoT device and a server — for example, between a security camera and its cloud server — and intercepts communications between them. The risk of data exposure in these scenarios is high, since many devices do not encrypt communications by default.
Because IoT devices connect to the internet, attackers can exploit known vulnerabilities and take over devices as a first step in conducting attacks that allow them to move laterally through an enterprise network, stealing data, implanting malware or accessing sensitive information.
IoT devices can be risky for two reasons: They are easy to exploit, and once exploited, they can wreak serious havoc.
Many devices are not designed with security as a top consideration: They may have poor internal controls, come with default passwords that are difficult to change, be unable to encrypt data or have known vulnerabilities for which the manufacturer has not issued a timely patch.
Once an IoT device is exploited, the harm cyberattackers can do can be severe. Compromised IoT devices that provide physical access, such as card reader systems, could allow unwanted visitors to enter a facility with no audit trail. IoT-based HVAC systems without adequate security could enable cyberattackers to take remote control of a building’s temperature and humidity, damaging inventory or disrupting work.
What Steps Can IT Leaders Take?
Ultimately, organizations should work to secure every device or node on an IoT network. Following these steps below should help IT leaders improve their IoT security.
IT teams should make sure devices are sufficiently authenticated (with an authentic TLS certificate, for example) so requests to applications, services and protocols come from authorized devices.
- Know what you have: Many IT professionals are unaware of all the IoT devices on their networks. A 2020 Infoblox study found that over a 12-month period, 80 percent discovered unknown IoT devices on their networks. IoT device management platforms can provide teams with visibility into their entire inventory and potential security issues. A device management system can identify and profile all devices and monitor them regularly.
- Choose the right devices: Organizations should acquire only IoT devices designed with effective security features, and only from manufacturers who release timely security updates. California and Oregon laws require devices sold in those states to be fitted with reasonable security features, such as unique passwords, regular security updates and vulnerability disclosures. Organizations should avoid devices without an external interface or with unchangeable credentials, and they should turn off any unneeded features such as microphones and ports.
- Secure your device access: Cybercriminals access devices in uncontrolled environments, or via stolen credentials, to upload malware, access unencrypted data or incorporate the devices in botnets. IT professionals should change default credentials when installing an IoT device and should avoid the reuse of the same credentials across multiple similar devices.
- Secure the data: Encryption helps protect data at rest and in transit, even if it were to be accessed or stolen by an unauthorized entity. Encryption is essential to preventing eavesdropping, which is especially prevalent in industrial espionage.
- Patch, patch, patch: When a manufacturer releases a security update for a discovered vulnerability, IT teams should update devices in the field immediately. Waiting even a couple of days can mean that hackers can exploit the vulnerability.
The convenience and functionality of IoT networks are game changers for the industry. But it’s worth taking the time to make sure IoT networks have not also opened the door to cybercriminals. There are several additional actions organizations can take to protect IoT workloads and data, including network segmentation, monitoring and analyzing network traffic. But taking these five steps will give you a head start on addressing the most common risks.