The Internet of Things (IoT) has become quite a buzzword in the last 5 years. Most people understand IoT as smart, WI-FI connected gadgets like smart TVs, Alexa, or smart toasters.
However, from an industrial perspective, the Internet of Things has allowed traditionally ‘dumb’ processes in wastewater treatment or manufacturing to be fitted with smart, connected devices that allow real-time monitoring and intervention from a distance. For industry, this means that less people are needed to run operations but it also brings about hidden security risks.
An IoT security breach in an industrial setting could result in the leaking of important information or intellectual property that is critical to your business. A breach could also result in the compromising of the product you produce or damaging your industrial controls. For example, hackers could simply steal your business secrets (like Apple product blueprints) or they could severely damage an industrial operation (like shutting down water treatment facilities or power plants).
Cyberattacks using IoT have become more widespread in recent years and according to antivirus software provider Kaspersky has more than doubled since the first half of 2021. From January 2021 to June 2021, approximately 1.5 billion security breaches involving IoT devices were reported. This is an increase of 640 million when compared to 2020.
In 2021, Vietnam’s financial infrastructure was attacked with around 97,000 banking and financial accounts compromised. There were also 16 large-scale data leaks that happened during this time. National media outlets cited compromised IoT devices as a major contributing factor.
The risk of a security breach varies depending upon how you use Internet of Things ( IoT) devices in your organisation, but it is a very real threat that should be seriously considered, no matter your level of concern. As an organisation, protecting your business, your staff, and the people that use your products and services should be paramount.
Most Common Internet of Things (IoT) Security Risks
Attack surfaces, threat vectors and vulnerabilities are three widely researched topics when it comes to the Internet of Things (IoT). There are a variety of dangers related to the internet of things that can impact businesses as well as individuals. We will describe 11 of the most common Internet of Things security risks so that you can take steps to protect your business and its stakeholders.
1. Incorrect access control
It is important to have IoT services offered only to people or networks that are trusted by the owner. Unfortunately, this is often not sufficiently enforced by IoT devices.
IoT devices often trust the networks they are connected to, often to an inappropriate level requiring no authentication or authorization. Other devices connected to the network are also trusted without any requirements.
This can pose a problem when such devices are connected to the Internet, as now everyone in the world can potentially access the services that the device is offering.
2. Increased attack surface
Every connection that can be made to the device allows an attacker to potentially discover and exploit vulnerabilities. The more services a device offers, the bigger the attack platform becomes. Offering unnecessary or unneeded services over the Internet can potentially compromise confidentiality, integrity and availability of that information.
3. No or weak encryption
Devices with lax security often communicate in plain text. This means that sensitive information like API tokens or credentials can be obtained through a “Man in the Middle” (MITM) attack. A MITM attack is where an attacker secretly accesses and relays communications, possibly altering this communication, without either party being aware.
Weaknesses in encryption may be present if the encryption is incorrectly configured or incomplete. An example would be a device failing to verify the authenticity of the other party. The cheapest solution is usually not the best, do your research.
4. Weak physical security
Security for IoT devices is not about digital security, physical security also represents a significant risk. Consumer and industrial IoT devices often store sensitive information. Information used as passwords of wireless networks is connected to or event sensitive video or audio information related to the company, home, or user(s).
With physical access to the devices, attackers can open them and bypass security software by reading the contents of the memory components directly.
5. Bad privacy protection
Consumer IoT devices often store sensitive information. For example, any wireless IoT device will store the password of that network. Any IoT device that records video or audio likewise potentially contains information related to a company, home, or user. In case such information is available to an attacker, it would be considered a privacy violation. IoT devices can properly and securely handle private information.
6. Application vulnerabilities
Software contains bugs that make it possible to trigger unintended functionalities. These vulnerabilities can result in security issues. Also, the lack of the ability to securely update the device can introduce vulnerabilities. When looking for an IoT device provider it pays to find a vendor that focuses on continued support and security.
7. Lack of trusted execution environment
Essentially IoT devices are small computers and have the capability to run most types of specific software. This allows attackers to perform the installation of custom made software that is not part of the device’s normal functionality. For example, an attacker could install software that allows him to perform a denial of service attack (DDoS). It is essential to limit the functionality of IoT devices to deter abuse.
8. Vendor security
Security support is needed for IoT devices to maintain a proper security composure. Lack thereof could cause a wide variety of security issues. When vulnerabilities are found regarding an IoT device, it is essential to have the vendor develop mitigation and update the devices in the field as soon as possible. The vendor should have a process in place to adequately handle such issues.
9. Lack of intrusion awareness
Most devices do not have any logging or alerting features to notify users of security issues. Changes in power or bandwidth usage are usually not detected or reported to the user, which is typically a way of identifying a compromise. Those devices with these reporting and alerting functionalities can usually be easily disabled when the device is compromised.
The result? The users of IoT devices are rarely made aware of attacks or compromises of their devices, preventing them from being able to mitigate issues.
10. Weak passwords
Weak passwords selected by the user or vendor, and device hardcoded passwords that can not be changed, also represent a significant security risk. Use unique passwords for your devices, make them at least 12 characters long, use numbers, symbols, and letters (upper and lower case). Adopting a good policy towards what represents a strong password will greatly reduce the chance of the password being guessed or brute-forced.
11. Outdated software
Using outdated, depreciated or insecure software components can allow an Internet of Things (IoT) device to be compromised. This includes the usage of third-party components, libraries, and frameworks used by manufacturers to build IoT devices. This software is difficult to track and is vulnerable to cyberattacks if it is not correctly known or managed.
When choosing your IoT device you should consider more reputable suppliers with a strong focus on security, not just the cheapest option. Cheap products usually mean outdated, vulnerable software.
From an IT security standpoint, it is important to incorporate IoT security into security policies, procedures and guidelines. It is vital to assume that every IoT device needs configuring after initial deployment. Knowing your device is critical. Deploying proper authentication mechanisms and strong password policies is needed, as well as proper update and patch management.
When it comes to the security of your home and organisation, you should do your best to ensure that it is at a sufficient level. You can’t always rely on the IoT device supplier. Since Internet of Things devices are rapidly taking over our world, more awareness and know-how is needed to incorporate IoT security into our daily lives. We hope this article has given you a good idea of the most common security risk associated with IoT devices.