7 Ways IoT device security can fail

By Saksham Khandelwal


Around the globe, there are over seven billion connected IoT devices, with video entertainment as the largest category of IoT spending. Recent statistics suggest that by the year 2030, there could be as many as 25.4 billion IoT devices.

IoT devices are changing how people live, work, and play. They are also adding ways that a hacker can hurt you. Hackers are now focusing their attention on IoT devices.

Are you prepared? 

If you are feeling a minor discomfort where you are sitting, thinking about your IoT security posture, that is understandable. However, do not succumb to fear. Now is the time to act.

In this article, you’ll find how IoT device security can fail, and you will also learn how you can prevent it from happening. Here are the details, and how to protect your IoT devices with zero trust.

1. Outdated software

According to FEMA statistics, approximately 40% of businesses that suffer from data loss will go out of business. Data loss could occur as a result of outdated software.

Providers will often discover vulnerabilities in their software and then release an update that patches those vulnerabilities. To prevent IoT device security issues, an IoT device must ship to a customer with up-to-date software, right off the bat. When a customer first receives the IoT device, its software should not contain any vulnerability that the vendor is aware of.

After that, there must be a way to update the functionality of the IoT device should the provider or manufacturer find a vulnerability after you make a purchase.

Of course, if you allow any unauthenticated process to update your device with arbitrary code, you’re opening an opportunity for an attacker to take over your device with their software.

That’s why all devices need secure boot. Secure boot assures that only authenticated software is running on the device and that it hasn’t been modified. Similarly, software updates must be digitally signed. This lets only an authenticated party change the software on a device.
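One way a device can enforce signed updates, as an added example that is not from the original article or from Intertrust. The manifest layout, the function names and the choice of Ed25519 are assumptions made for illustration, and the version check (rejecting a replayed older release) goes a step beyond what the text describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrSignature = errors.New("manifest signature invalid")
var ErrHash = errors.New("image does not match signed hash")
var ErrRollback = errors.New("version not newer than installed firmware")

// Manifest is a hypothetical update descriptor; the vendor signs Version || ImageHash.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature
}

func signedBytes(m Manifest) []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.ImageHash[:]...)
}

// SignManifest is the vendor-side step, included so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the device-side check run before anything is written to flash.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	switch {
	case !ed25519.Verify(vendorKey, signedBytes(m), m.Signature):
		return ErrSignature // not issued by the holder of the vendor key
	case sha256.Sum256(image) != m.ImageHash:
		return ErrHash // image modified after signing
	case m.Version <= installed:
		return ErrRollback // old, possibly vulnerable release replayed
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed test key, not a real vendor key
	image := []byte("constructed firmware image v7")
	m := SignManifest(priv, 7, image)
	fmt.Println(VerifyUpdate(pub, 6, m, image), VerifyUpdate(pub, 7, m, image))
}
```

On a real device the public key would be provisioned in storage that the update process itself cannot rewrite, so that a compromised image cannot replace the key it is checked against.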

2. Lack of encryption

A “man-in-the-middle” (MitM) attack can be dangerous for IoT security. It becomes possible when an IoT device communicates in plain text.

All the information that the user’s IoT device and the backend service exchange can then be intercepted by a MitM.

This means that a bad actor, or hacker, can get to the network path that is between your IoT device and its endpoint. A cyber attacker can inspect the network traffic, getting any sensitive information they can find, including your login credentials.

This is a problem when a device uses a plain-text protocol like HTTP instead of HTTPS, the encrypted version that is readily available. The MitM could access the communication in secret and alter it, without either party, including you, being aware this is occurring.

Encryption provides protection, but even encrypted data could still possess a weakness. Maybe the encryption does not have the correct configuration, or the encryption may not be complete. This is how a MitM can attack even when a connection has encryption.
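A check for the two failure modes described above (plain-text HTTP, and encryption that is present but misconfigured), as an added Go example that is not from the original article. `AuditTransport` and the `device-api.example` endpoint are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/url"
)

// AuditTransport (hypothetical helper) lists transport weaknesses in the endpoint
// a device talks to and in the TLS client settings it uses for that connection.
func AuditTransport(endpoint string, cfg *tls.Config) []string {
	var findings []string
	u, err := url.Parse(endpoint)
	if err != nil || u.Scheme != "https" {
		// Nothing else matters: an on-path party can read and alter every byte.
		return append(findings, "endpoint is not HTTPS: credentials and data travel in plain text")
	}
	if cfg == nil {
		cfg = &tls.Config{} // Go client defaults: certificate verified, TLS 1.2 minimum
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "certificate verification disabled: any MitM certificate is accepted")
	}
	// 0 means "use the Go default"; only an explicit downgrade is flagged.
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version below 1.2")
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "maximum TLS version below 1.2")
	}
	return findings
}

func main() {
	// Constructed sample settings; device-api.example is a placeholder host.
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	hardened := &tls.Config{MinVersion: tls.VersionTLS12}
	fmt.Println(AuditTransport("http://device-api.example/v1/telemetry", hardened))
	fmt.Println(AuditTransport("https://device-api.example/v1/telemetry", weak))
	fmt.Println(AuditTransport("https://device-api.example/v1/telemetry", hardened))
}
```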

Further, when an IoT device is “at rest” and stores sensitive data, it does not mean that you have protection. Stored data needs encryption, too. Usually, you will find a lack of encryption or a weakness when credentials are kept in plain text on the IoT device or when API tokens are stored on the IoT device.

These security challenges were behind the development of Intertrust’s Explicit Private Network (XPN), which provides end-to-end security in zero trust network architectures. Unlike HTTPS, which only protects data in transit, Intertrust XPN protects data at rest as well as in transit.

3. Incorrect access control

Only the owner and the immediate people they trust should have access to an IoT device. However, too often, the IoT device’s security system will not enforce this policy. Instead, the system could trust the local network.

This means that no other authorization or authentication methods are required for the IoT device. Not only that, but every other device on the same network is trusted, too.

To put in perspective how dangerous this can be: if someone connects the IoT device to the internet, then every person around the globe could access the device’s functionality.

What happens when all the IoT devices of the same model have the same default password when they are sold? Default settings and firmware are usually the same, too.

Recent statistics suggest that only 33% of IoT device users change their default password. 

This means that when you purchase an IoT device, how to access it is public knowledge until you, the user, change the login credentials. Until then, a hacker could gain access to any IoT device in the same series, especially if there is only a single level of protection, instead of 2FA or another way to add layers of authentication protection.

4. Weak passwords

Even if a customer changes a default password, they may choose a new password that is weak or guessable. Poor password management makes customers a target for hackers.

If your IoT devices are for company usage, you can create policies for your employees. Employees should replace the default passwords with character combinations before they can use the IoT devices in a live environment.

For consumers using a personal device, it can be more difficult to deploy such initiatives. A vendor or service provider should promote strong passwords to their customers. They could even design their IoT devices to force a password change and only accept strong passwords to help their private customers stay safe.

5. Lack of privacy protection

Often a consumer device keeps sensitive information, including storing a password to their network if the device uses their wireless network to function. If there is a camera as a part of the IoT device, then that means a hacker could access video and audio recordings from inside or outside your home.

Many consumers are concerned about it. Recent statistics suggest that 44% of smart homeowners in America are “very concerned” about their private data being stolen. 

This is your personal privacy at grave risk, should a bad actor violate it and access your private details. The storage and distribution of your private, sensitive information should be handled securely and with care. Plus, it should be kept only with your consent.

It’s not just a hacker breaking into your personal device, either. The vendor plays a pivotal role in your privacy. If the vendor or service provider of the IoT device is storing your personal information without your consent, they are committing a privacy breach, too.

6. Vendor security response

If the vendor or service provider discovers a vulnerability, their time to react is critical. This directly relates to how much impact a vulnerability, or intrusion, can have on their customers.

The vendor or service provider is responsible for finding vulnerabilities, creating a way to mitigate them, and updating the devices in use. The process that a vendor has in place and how they execute it in these situations is critical to customers. They should have the means to handle such IoT security issues adequately.

Further, once they find IoT device security issues, they must be excellent communicators. Customers will judge a brand based on how it handles and communicates such issues and how it fixes them.

If a vendor or service provider does not tell customers how to correct a vulnerability, or does not provide a contact at their organization for additional details and questions, it could become tricky to mitigate the issue. Also, a customer should have contact information for the vendor to report a security issue if it is the customer who discovers it.

Without open lines of effective communication, the provider leaves the environment vulnerable and less secure.

7. Vendor privacy protection

If a user of an IoT device deletes their personal data from their device, it is the provider who then has the responsibility to make sure the user’s data is removed from the third party’s database, too.

Websites often have easy-to-view privacy policies. However, many IoT devices do not work the same way as a website.

They may have their privacy policy in the IoT device manual, or it could be available only after you open and install the system. Other times, you must visit the manufacturer’s website.

There may not be a simple way to tell users that their data is being collected. Further, some IoT devices have privacy policies that are simply unclear about how they collect your data.

IoT device security protection

Now that you understand some ways these devices can fail you in terms of security, here are ways you can protect yourself. Security breaches are increasing in scale and damage, so even if you have not experienced a cyberattack yet, the future’s not set.

Here is what you need to do:

First, change your password as soon as you use a new IoT device. Don’t just do this when you first get it, either. Change it often.

Make sure you choose a strong password. If you dislike remembering your password for every account, there are password management tools you can use to help you keep track of this.

Next, update your IoT devices regularly. If there is a software update, do not wait to install it. Time can be of the essence.

Third, if you see a “universal plug and play” feature, while it sounds convenient, it is best to avoid it. It is nice because you do not need to configure each IoT device separately. However, devices that use it are more prone to attacks.

A bad actor can attack you by targeting universal plug and play on your IoT devices to access multiple IoT devices more easily, all at once. You do not need to make the life of a hacker more convenient. Turning off this feature will help you sleep better at night.

Last, Wi-Fi users should create a secondary network or multiple networks, particularly one with restricted access.

Security problems with IoT devices

When you learn about all the ways IoT device security can fail, you may feel you have zero trust. That is where Intertrust comes in. We are building trust for a connected world.

We can help you secure your data and computations so that you can trust making transactions over open networks. Do not let hackers get the best of you. Instead, let’s create solutions together.

Contact Intertrust today.
