Alan runs a start-up that provides smart home security solutions. Just eight months into his operations, customers complained of exorbitant electricity bills and poor performance. Initially, he considered them a one-off incident, but when the customer support team prioritized the issue, he was forced to sit up and take notice. It being a small team, Alan took it upon himself to investigate the matter.
Tracing the complaints backward from the current date, he could pinpoint the week when the number of complaints was four times the average. And after that, the number of cases increased slowly but steadily. Further research showed that a device in their latest client's corporate network had been breached.
The attacker had placed crypto mining bots on all the weak devices in that client's network, using the devices' processing power to mine cryptocurrencies in the background. This explained the decreased performance of operating systems and the inflated power bills. From that single vulnerability, the attacker was slowly able to penetrate other clients' networks through the access mechanisms the company used to provide support.
If you feel that attackers using crypto bots on the IoT devices installed in your clients' network is a far-fetched idea, you couldn't be more wrong. The 2019 Ponemon Sullivan Privacy Report revealed that data breaches due to unsecured IoT devices or applications had increased from 15% to 26% in just three years. In the same period, cyberattacks increased from 16% to 24%.
The actual number of data breaches in any organization would be much higher. This is because, for surveys, a data breach is defined as an attack that has been confirmed to have gained access to sensitive protected data and/or disclosed it to unauthorized persons. This essentially means that breaches that have not been detected do not count.
According to the 2019 Statista report, there will be 38.6 billion IoT devices by 2025. Considering the rapid digitization and IoT adoption by organizations post-COVID-19 restrictions, this number is bound to increase. As the number of connected devices increases, IoT security incidents increase proportionately.
What are the top IoT security threats?
If the experts were asked to point at the single biggest problem with IoT device security, it would be this: device security is the last priority in the development life cycle. With so many things to consider while designing the device (reliability, minimum utilization of resources, Wi-Fi enablement, low cost, etc.), IoT security is usually added as an afterthought. IoT architecture is multi-layered. Smart devices are at its core but are only one layer.
Let us look at the threats that arise if even one of these layers is left insecure:
- Devices are shipped with default passwords that are usually very weak.
- Counterfeit IoT devices that can be plugged into any existing IoT network are flooding the market to provide cheaper options to the end-users.
- Users are not aware of security risks.
- Managers neglect minor IoT attacks.
- Homes and offices that are seeing an exponential increase in the number of IoT devices that can be compromised are at the maximum risk of physical security breaches and financial crimes.
- Hacked healthcare IoT devices can lead to loss of lives.
- Smart vehicles can be hijacked remotely without hackers needing to be physically present.
Someone who is not part of the solution is part of the problem. Let us look at the solutions to these problems.
How to ensure IoT security
IoT security must be implemented at multiple levels. The most crucial task is securing the devices that make up the IoT ecosystem. Next come the communication channels between the network-connected devices and the cloud, where data is stored. As IoT is a relatively new technology, the standard protocol for communication between the devices is still being developed through the formation of IoT alliances.
As an IoT provider, whatever the product or service you offer, you must use the latest and strongest available protocols per the use case. Data privacy and integrity must be taken care of after the networked devices and communication channels are secured. Last, all web, mobile, and cloud applications built on the IoT must be completely secure.
Here we discuss some of the ways to take care of multi-layer IoT security:
Use strong, non-default passwords to enhance IoT Security
Saying this seems childish, but strong passwords are always the first defense against any security threat. But it is also a fact that many organizations continue using the default passwords; thus, launching brute force attacks on such vulnerable devices is just a matter of time.
In 2016, the Mirai botnet brought down US East Coast Internet service in a DDoS attack by using a public list of 62 standard passwords to enter open ports on the network. Unfortunately, the lesson does not seem to have been learned because even two years later, 15% of IoT devices still used the default password they were shipped with.
Here is what can be easily done to overcome this challenge:
- Hardware manufacturers must stop shipping IoT devices with default passwords. How difficult can it be to communicate the username and password to the customers in a separate communication via email? If financial institutions handing out debit and credit cards to their customers can do this securely, surely the hardware manufacturers can, too. The system is already in place; it’s just a matter of adoption.
- After installation, the user must be forced to change the default password the first time the device is switched on. In smart offices or homes where the device may be accessed by multiple users, continuing with the default password seems intuitive and easy. However, it can spell doom for IoT security, devices, and the network.
- Passwords must be strong and comprise a combination of numbers, letters, and special characters, however difficult they are to remember. And then again, the users don’t need to remember all the passwords; they can be noted in an easily accessible place.
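The first-boot rule and the password policy from the list above can be enforced in the device's own login logic. The following is an added example, not code from the original article; the `Device` class, the sample default list and the 16-character minimum (taken from the end-user advice later on this page) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of factory credentials; a real list would come from the vendor.
FACTORY_DEFAULTS = {"admin", "password", "12345678", "root"}
MIN_LENGTH = 16  # assumption: the 16-character length from the end-user advice on this page
def policy_errors(candidate):
    """Return the reasons a new password is rejected (empty list means accepted)."""
    checks = [
        (candidate.lower() in FACTORY_DEFAULTS, "factory default"),
        (len(candidate) < MIN_LENGTH, "too short"),
        (not any(c.isalpha() for c in candidate), "no letter"),
        (not any(c.isdigit() for c in candidate), "no digit"),
        (not any(c in string.punctuation for c in candidate), "no special character"),
    ]
    return [reason for failed, reason in checks if failed]

class Device:
    """Hypothetical device that stays locked until the factory password is replaced."""
    def __init__(self, factory_password):
        self.must_change = True  # set at manufacture, cleared only by a valid change
        self._store(factory_password)

    def _derive(self, password, salt):
        # Salted, slow hash so a dumped credential store is costly to guess against.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _store(self, password):
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)

    def _check(self, password):
        return hmac.compare_digest(self._hash, self._derive(password, self._salt))

    def login(self, password):
        if not self._check(password):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, current, new):
        if not self._check(current):
            return ["wrong current password"]
        errors = policy_errors(new)
        if not errors:
            self._store(new)
            self.must_change = False
        return errors
```

Every other device function would be gated on `login()` returning `"ok"`, so a unit left on its shipped credential cannot be operated or reached by a default-password scan.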
Update connected devices regularly without backdoors to secure IoT devices
Hackers use passive attacks to explore devices and networks to analyze traffic and enumerate vulnerabilities. The data gathered through passive attacks can then be used for the active attack where a user or the network is compromised.
The only solution to avoiding passive attacks is to close all back doors and run continuous updates. However, many users decide not to update their devices when prompted. The way around this could be to configure routers or apps so that updates are applied when the device is least in use. All stakeholders must be educated that regular device updates are essential to maintain IoT security so that they do not perceive them as disruptions.
The importance of proper education on IoT device management
Making the end-users of the IoT ecosystem aware of security issues is an essential cog in the wheel of IoT security. They must be educated about the problems caused by using default passwords for convenience or counterfeit devices to save a couple of bucks.
As you can surmise from the story we began with, end-users and their devices are the weakest links in the IoT network. Attackers know this and try to hack the Internet of Things network and the devices connected to it via them.
These are some ways in which end users can ensure better IoT security:
- Use strong and tough 16-digit passwords and keep them in a notebook rather than using a password manager. Passwords must be changed regularly, maybe even once a month.
- Disabling plug-and-play features can improve the security of IoT devices because universal plug-and-play protocols assume that all requests for access come from a trusted source. As we all know, that is the ideal scenario, not the real one.
- IoT networks must be exclusive to the users within the house and inaccessible to outsiders.
- Devices need to be updated regularly; hence, users should not mind a small downtime if it is required to introduce security updates.
Securing communication channels
All the devices in an IoT ecosystem communicate with each other and with cloud apps or services. It is essential to ensure that these communications are completely secure. The ideal scenario would be to encrypt all messages before sending them over the network and to use robust TLS protocols.
Encrypting all the messages may not be possible because not all devices are equipped to do so. For sending encrypted messages, devices must have a minimum level of processing capabilities, which drives their costs. This challenge can be circumvented by putting constrained devices on a different network, whose messages can be encrypted by a router before being sent over the external network. Putting them on separate networks also makes them less vulnerable to passive attacks.
Communication channels can also be secured by using firewalls, ensuring the physical security of routers and gateways, turning off OS features not in use, randomly generating OTPs for identification and authorization of devices, etc. You will be surprised to know that many in-house security incidents occur simply because the device is easy to access physically.
Ensuring network security compliance
Data storage must always comply with the legal and regulatory frameworks in force where the business is operating or its customers reside. However, this can be resource-intensive in terms of cost, time, and personnel requirements, which leads many organizations to be lax about it. But this wreaks havoc on the overall IoT security. Here are some suggestions for ensuring data privacy:
The first line of defense against a data breach is redacting or anonymizing sensitive data before it is stored or transmitted. Data that is not required must be disposed of immediately so that it cannot be accessed by anyone in any circumstances. Data integrity can be enforced by integrating IoT systems with Blockchain technologies.
Detecting and managing vulnerabilities
The proverb “Prevention is better than cure” applies fully to IoT security because the cost of network security breaches is very high. And despite all efforts at security, right from the design phase, breaches are inevitable. So, it makes sense to be proactive about detecting the vulnerabilities of the IoT system and managing them until a security patch can plug the gap. Some of these steps include:
- Monitoring activity logs and network communications for deviations
- Performing ethical hacking and penetration testing
- Using continuous security intelligence analytics to identify security incidents as soon as possible
- Automating security incident response to minimize loss
- Maintaining device registers to enable the isolation of compromised devices and network segments
- Deploying IoT devices and rules that ensure vulnerability management automation
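Two of the steps above, monitoring for deviations and keeping a device register for isolation, can be combined into one triage pass. The following is an added example, not code from the original article: the register, the telemetry values and the function names are constructed, and it uses sustained CPU load as the signal because that is how the background mining in the opening story showed up.

```python
from statistics import median

# Constructed register: device id -> network segment and isolation state.
REGISTER = {
    "cam-01": {"segment": "vlan-20", "isolated": False},
    "cam-02": {"segment": "vlan-20", "isolated": False},
    "lock-07": {"segment": "vlan-30", "isolated": False},
}

# Constructed hourly CPU utilisation (%) per device; the last 4 samples are "current".
TELEMETRY = {
    "cam-01": [12, 14, 11, 13, 12, 15, 13, 12, 14, 13, 12, 14],
    "cam-02": [11, 13, 12, 14, 12, 13, 11, 12, 96, 97, 95, 98],
    "lock-07": [3, 4, 3, 5, 4, 3, 4, 4, 5, 3, 40, 4],
}

def sustained_deviation(samples, window=4, threshold=6.0):
    """True when every sample in the recent window is far above the baseline.

    Baseline = median of the older samples; spread = median absolute deviation.
    Requiring the whole window to deviate ignores one-off spikes and keeps the
    long-running load a background miner produces.
    """
    baseline, recent = samples[:-window], samples[-window:]
    if len(baseline) < window:
        return False  # not enough history to judge
    centre = median(baseline)
    mad = median(abs(x - centre) for x in baseline) or 1.0  # avoid a zero spread
    return all((x - centre) / mad > threshold for x in recent)

def triage(register, telemetry):
    """Mark deviating devices as isolated and return the segments to inspect."""
    segments = set()
    for device_id, samples in telemetry.items():
        entry = register.get(device_id)
        if entry is None:
            segments.add("unregistered:" + device_id)  # unknown device is itself a finding
        elif sustained_deviation(samples):
            entry["isolated"] = True
            segments.add(entry["segment"])
    return sorted(segments)
```

The single spike on `lock-07` is not flagged, while the sustained load on `cam-02` marks the device as isolated and returns its segment for inspection.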
Why is IoT security important?
The rise of security incidents has much to do with using default or weak passwords, insecure devices, ports, and applications, and failure to uncover vulnerabilities in a timely manner. To minimize these security threats, one needs proper education on the importance of IoT security, continuous updates and change of passwords, and strong security compliance.
How TechAhead ensures IoT security
For the IoT experts at TechAhead, security is not an afterthought or last-minute addition to the solution architecture. We take a security-by-design approach to IoT development. We understand that neglecting IoT security to decrease costs in the short term may lead to security breaches that prove expensive in the long run.