Many of you reading this may have figured that IoT security isn’t perfect. Connecting various devices to the internet offers multiple security challenges, like hacking.
The Sony Pictures Hack is an excellent example of how people can circumvent IoT security. But there are plenty of other concerning problems with IoT device security.
Read on if you’d like to know more about the Internet of Things and ten critical concerns with IoT security.
What Is the Internet of Things?
The Internet of Things, simply put, is the ability of devices to connect to the internet. Explaining IoT gets complicated because it involves the internet connectivity of all smart devices worldwide.
“All smart devices” include home security systems, smart fridges, fitness trackers, medical sensors, and agricultural technology.
We’ve only listed a few items with IoT connectivity, but essentially, if it’s other than a traditional internet device (laptop, tablet, PC, mobile phone) and able to connect to the internet, it’s an IoT device. IoT devices fall into three categories:
- Sensors that collect and send data
- Devices that receive and act on information
- Items that do both
For example, a heart rate monitor counts as an IoT device because it collects information (your pulse) and displays the information to you (sending data). A printer receives a document and prints it – thus acting on the information.
An irrigation system is an IoT device that falls under the “both” category. A fully automated irrigation system can collect data on soil moisture and water the crops accordingly.
The irrigation system collects and sends data via the soil moisture sensors, and the irrigation system receives the information and waters the soil if it’s dry.
Ten IoT security concerns
While IoT connectivity is convenient, it can also be risky. IoT technology is still relatively young and evolving. Earlier, we’d said that there are a lot of security challenges with IoT technology, especially where not all the devices within an IoT network are protected.
Hacking was the first problem we mentioned, but user error and lack of awareness are also significant problems. Here are the top ten major IoT security issues you should know.
1. IoT device hacking
We’ve mentioned hacking twice now, so we may as well discuss it first. The problem with everything having IoT compatibility is that nefarious parties can hack your devices.
We talked about the Sony Pictures Hack. You may be familiar with the incident, but did you know that the hackers erased Sony’s computer infrastructure?
The hackers – called the Guardians of Peace – used a modified version of the Shammon wiper virus. This malware is infamous for the destruction it causes and how difficult it is to recover erased files.
Ransomware is another type of hack parties can perpetrate. Ransomware allows outside parties to highjack and take control of your IoT devices.
One bit of “good” news about ransomware is hackers may not be able to access and lock your sensitive information. But, access to the device is still held for ransom and may require a ransom fee.
2. Poor IoT manufacturer compliance
Another IoT security issue is a lack of compliance. What we mean is many device manufacturers create products with poor security. Many IoT devices have inadequate zero trust security measures.
“Zero trust” means users must always verify their authentication. Zero trust assumes everything is dangerous and blocks device use until the user confirms their identity via fingerprint, password, security pin, etc.
Often, manufacturers don’t design their products with security in mind. Weak, easily guessed passwords and hardware issues are components in devices lacking IoT compliance.
3. User error and lack of awareness
One security issue is that many users don’t understand the Internet of Things very well. As previously discussed, many IoT internet threats come from manufacturers.
Many people don’t understand IoT functionality enough to avoid hacks and other attacks.
People know to protect their WiFi with strong passwords. But they may not know that plugging a flash drive they found into their computer can infect it with ransomware or wiper viruses.
4. Lack of physical hardening
There seems to be a trend of forgetting IoT devices also need physical protection from outside attacks. The “random flash drive” example we gave is an excellent example of why you need physical hardening.
Physically hardening an IoT device protects it from physical, exterior tampering. When people leave an automated system alone for too long, it becomes vulnerable to outside parties.
While it’s the manufacturer’s job to provide physical protection for IoT devices, it’s not an easy job. It’s also up to users to keep their devices safe from physical tampering and harm.
5. Industrial sabotage
Industrial sabotage may sound like something from a spy movie, but it is a real threat to IoT security. Security companies must keep an eye out for saboteurs collecting sensitive industry secrets.
The problem is you can theoretically use any IoT device to listen to and record sensitive company data. Security companies must keep abreast of IoT technologies to protect their customer’s interests.
There was an incident where saboteurs used an IoT children’s toy (a doll) to spy on a German company. The doll ended up banned in Germany.
6. Healthcare IoT security risks
Some data collected through healthcare IoT devices is sent to the cloud without encryption. Encrypting data makes it harder for people to gain unauthorized access to it by converting it to code.
Unencrypted medical data is often accessed and modified by hackers. Medical devices under hacker control can send false data and may result in medical officials harming their patients.
Hacked medical devices can include pacemakers and other medical tools. Hackers can make it, so battery percentages don’t match how much power the instrument has and inhibit medicine creation.
7. Botnet attacks
One device infected with malware isn’t too much of an issue. Multiple infected devices can do serious harm. A hacker looking to infect various instruments at once can launch a botnet attack.
A bot is an autonomous program that can interact with other users, programs, or systems. A botnet attack is when someone sends thousands of bots to infect other systems with malware.
Many other IoT devices don’t come with security updates as computers do. The lack of security makes IoT devices more vulnerable to botnet attacks.
Botnet attacks can infect transportation systems, water treatment plants, and electrical grids. As you may have guessed, a hacker can do severe damage with an army of bots at their disposal.
8. Lack of security update management
An enormous flaw in IoT device security is the lack of update management. Software and firmware are often insecure and prone to weaknesses.
Even if a product does have the latest software update, someone may have quickly discovered its vulnerabilities. Some smart devices are relatively good about updating their security measures.
However, it’s not uncommon for other IoT devices to lack regular updates. Devices that do receive regular updates are still prone to security weaknesses because the process results in a minor downtime.
Temporary downtime results from the device sending a backup of the new update to the cloud. An unencrypted backup may contain sensitive information that hackers can steal.
9. Rogue IoT devices
A rogue IoT device replaces the original product or enters a group to gather and change sensitive data. You may have heard the term “BYOD” or “bring-your-own-device” before.
BYOD means people can use non-officially provided devices. BYOD devices aren’t inherently wrong. Many people enjoy using their electronics in place of industry-provided ones.
The issue is when people turn these devices into rogue APs (access points) to intercept data without others knowing.
10. IoT bot crypto mining
Many people aren’t too fond of crypto mining because it uses many CPU and GPU resources. But crypto mining also poses security challenges to IoT devices.
Crypto mining bot attacks aren’t launched with the intent to harm devices but instead mine cryptocurrency.
Despite the intention, these devices still cause damage. Armies of bots can flood and disrupt the crypto market pretty thoroughly.
Cybersecurity protection measures
Using IoT devices doesn’t have to be as terrifying as the previous list sounds. There are protective measures security companies can (and should) take to keep data and devices safe.
The National Institute of Standards and Technology (NIST) is a U.S.-based cybersecurity agency that promotes industry and innovation competitiveness via science and technology to improve citizens’ quality of life.
NIST outlines standards that uniform the United States cybersecurity measures. Remember, IoT technologies all connect to the internet. It makes sense that there would be an organization for standardizing IoT security.
One goal of NIST is to help companies adhere to the Federal Information Security Management Act (FISMA).
FISMA is a law created in 2002 to protect sensitive data created, stored, or made on behalf of the federal government or by associated entities.
The European Technical Standard Institute
The European Technical Standard Institute (ETSI) develops systems that allow multi-vendor IoT products to work in an interconnected environment that offers multiple services on various networks.
The ETSI develops uniform standards for trust service providers, so IoT devices are less prone to attacks from dubious, outside parties.
Understanding IoT security
As the Internet of Things evolves, so does IoT security. There are various existing threats, thanks to how new the technology is.
Many nefarious parties are looking to take advantage of our ongoing struggle to refine and improve IoT device security. Understanding internet threats helps fight against the numerous IoT security challenges.
Contact Intertrust today if you’re looking for safe, reliable methods to authorize access to and operate IoT technologies.