In October 2016, one of the most complex and devastating cyberattacks ever took down major sites like Twitter while greatly degrading the user experience on multiple other high-profile sites including PayPal, Spotify, CNN, Mashable, Yelp, The Wall Street Journal, and The New York Times. The scale of this DDoS attack was particularly astonishing because of the enormous traffic emanating from hundreds of thousands of unique Internet addresses. It turns out a hacker had identified a loophole in a certain model of security camera. By taking over these gadgets, the attacker could direct massive traffic to targeted sites, rendering the websites inaccessible to legitimate users.
There’s no question that the Internet of Things (IoT) has numerous advantages. Yet, this attack is a classic example of how IoT can be a hugely destructive weapon in the hands of persons with ill intent. And it’s not just cameras that can be hijacked in this way. From cars and refrigerators to thermostats and smart locks, anything with an Internet connection is a tempting target for hackers.
The Internet is no longer just a network of traditional computing devices like servers, routers, switches, desktop computers, laptops, tablets, and smartphones. In fact, the number of IoT gadgets is expected to eventually far exceed conventional computing gadgets. From refrigerators relaying an update of the freshness of food, to a car transmitting oil level information to its owner, IoT is a convenience in many ways. However, as several IoT-related cyberattacks show, it also comes with formidable risks that cannot be ignored. We cover some of the biggest IoT risks below.
1. IoT device manufacturing process
Manufacturers release an untold number of IoT devices into the market each day. Many of these are new models and have undiscovered vulnerabilities. Manufacturer omission is responsible for the vast majority of security issues bedeviling IoT devices. Many device manufacturers see Internet connectivity as a plus to their device’s function and not a core feature. They therefore do not devote as much time and resources as they should to ensuring their product is secure from cyberattack.
For instance, some fitness trackers with Bluetooth connectivity remain visible after their first-ever pairing. Some smart refrigerators expose Gmail credentials. There isn’t a universal standard for securing IoT devices. That, however, is not a justifiable reason for creating poorly secured devices. The biggest IoT risks emanating from the manufacturing process include weak passwords, unsecured hardware, absence of a patching mechanism, and insecure data storage.
2. Lack of user awareness and knowledge
Thanks to decades of awareness, the average Internet user is fairly adept at avoiding phishing emails, disregarding suspicious attachments, running virus scans on their computer, or creating a strong password. But IoT is new territory and remains unfamiliar and misunderstood even for many seasoned IT professionals.
Whereas the majority of the biggest IoT risks can be traced to the manufacturing process, users are a far more dangerous driver of IoT security risks. This is especially so when users are ignorant of IoT functionality. Deceiving a human is often the easiest means of infiltrating a restricted network without raising suspicion. Hackers can do that using IoT devices.
The 2010 Stuxnet worm attack on an Iranian nuclear facility was caused by the infection of centrifuge-controlling software via a USB flash drive plugged into one of the plant’s computers. Modern centrifuges are a type of IoT device as they are heavily IT-dependent. Some reports estimated that Stuxnet physically damaged about 1,000 centrifuges.
3. Difficulty in patching and update management
No matter how much work a manufacturer puts into creating secure hardware and software for its IoT-ready product, new vulnerabilities will inevitably be discovered at some point in the future. Updates are therefore needed to keep IoT devices secure and should be applied as soon as they are released. Yet, the nature and use of IoT devices don’t always make them easy to update regularly — if at all.
Think about sensors spread across hundreds of acres of farmland, or IoT devices on a factory floor that cannot be taken offline for updates without hugely impacting production. Worse still, even where patches can be applied regularly, there’s often no means for the user to roll back changes to the last known good state in the event that an update leads to software corruption or instability.
4. Physical security
IoT devices should run with little to no human intervention. Sometimes, these devices are installed in remote locations where they may stay for weeks or months without anyone physically checking on them. Such isolation leaves them in grave danger of theft or physical tampering. Criminals could steal the device or use a flash drive to introduce malware. This could see the attacker gain access to sensitive information. They could also interfere with the functioning of the IoT device, rendering any data it collects and relays unreliable.
The massive 2016 Mirai botnet DDoS attack is an indicator of the potential danger posed by unsecured IoT devices. A single infected IoT device isn’t a significant threat except to the data it collects. However, it’s different when centrally commanded malware infects thousands or millions of devices. The destruction such a multitude of rogue gadgets could cause to websites and networks is immense. IoT devices are much more vulnerable to malware botnet takeover since they are less likely to receive regular updates. IoT-powered botnets can not only bring down leading websites but also jeopardize electricity grids, transportation systems, water treatment facilities, and manufacturing plants.
6. Loss of privacy and confidentiality
Hackers, governments, and business competitors can use IoT devices to spy on and intrude on the privacy of unsuspecting individuals and organizations. Such third parties may access, compromise, and use sensitive confidential information without the owner’s permission or knowledge. At the most basic level, someone could take over a security camera and use it to spy on their target’s movements and habits. At a more industrial scale, hackers may capture data from multiple IoT devices and use it to extort their target or sell it to competitors on the black market.
7. Device discovery challenges
Before you can even start to plan for the security of your gadgets and networks, you must have a clear idea of what you are securing. IT teams already struggle with device discovery when everyday computing devices are involved. It’s much more difficult to do for IoT gadgets given the diversity in device types, brands, models, and versions.
Identifying the IoT devices connected to your network is just the start. You then have to perform a risk assessment to develop a clear understanding of what network permissions each device has and whether these are necessary. Lastly, you have to include the gadgets in your scheduled enterprise-wide penetration tests.
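The discovery and permission review described above, as an added example that is not part of the original article: it reconciles an asset inventory against observed network flows to surface unknown devices, inventoried devices that were never seen, traffic outside a device's documented permissions, and permissions that are never used. The MAC addresses, device names, hostnames, flow records and the `review` function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory: MAC -> device name and the flows its firewall
# rules currently permit, as (destination, port) pairs.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "lobby-camera",
                          "permitted": {("nvr.corp.example", 554),
                                        ("nvr.corp.example", 23)}},
    "aa:bb:cc:00:00:02": {"name": "hvac-thermostat",
                          "permitted": {("bms.corp.example", 8883)}},
    "aa:bb:cc:00:00:03": {"name": "dock-sensor",
                          "permitted": {("bms.corp.example", 8883)}},
}

# Constructed flow records seen on the network: (source MAC, destination, port).
OBSERVED = [
    ("aa:bb:cc:00:00:01", "nvr.corp.example", 554),
    ("aa:bb:cc:00:00:02", "bms.corp.example", 8883),
    ("aa:bb:cc:00:00:02", "203.0.113.50", 443),
    ("AA:BB:CC:00:00:09", "198.51.100.7", 80),
]

def review(inventory, observed):
    """Reconcile what is documented against what is actually on the wire."""
    seen = defaultdict(set)
    for mac, dst, port in observed:
        seen[mac.lower()].add((dst, port))  # normalise MAC case before matching

    report = {"unknown": [], "silent": [], "unexpected": {}, "unused": {}}
    # Devices talking on the network that nobody has inventoried.
    report["unknown"] = sorted(m for m in seen if m not in inventory)
    for mac, dev in inventory.items():
        flows = seen.get(mac, set())
        if not flows:
            # Inventoried but never seen: retired, offline, or MAC changed.
            report["silent"].append(dev["name"])
            continue
        unexpected = flows - dev["permitted"]  # traffic outside documented need
        unused = dev["permitted"] - flows      # permissions that may be unnecessary
        if unexpected:
            report["unexpected"][dev["name"]] = sorted(unexpected)
        if unused:
            report["unused"][dev["name"]] = sorted(unused)
    return report

if __name__ == "__main__":
    for finding, items in review(INVENTORY, OBSERVED).items():
        print(finding, items)
```

Permissions listed under `unused` are candidates for removal only after an observation window long enough to cover infrequent but legitimate traffic such as firmware update checks.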
Biggest IoT risks and rewards
IoT seeks to bring efficiency to everyday processes. However, IoT still has numerous security and risk challenges, and even more will emerge in the future. As the diversity of IoT devices grows, so will the complexity of the security challenge. To reap the benefits of IoT, keeping these devices secure by mitigating the biggest IoT risks is paramount.