IoT security is the practice of securing a category of internet-connected devices known as the Internet of Things (IoT) from unauthorized access and misuse by malicious actors.
IoT security includes:
The use of IoT devices has exploded in recent years. According to research by Statista and IoT Analytics, the number of connected IoT devices worldwide in 2021 was 11.3 billion and 12.2 billion respectively, up from 3.6 billion in 2015. The term IoT covers a broad spectrum of devices, from smart home devices such as thermostats, security cameras, and light bulbs to IoTs designed for specific industries. If it can connect to the internet and/or interact with other devices, you can bet it is an IoT device.
In the case of business, overall enterprise Internet of Things (IoT) spending grew 22.4% in 2021 to $158 billion based on research by IoT Analytics. IoT applications have improved efficiency, boosted productivity, and realized new possibilities. According to IoT statistics from DataProt, "83% of organizations have improved their efficiency by introducing IoT technology". Certain industries benefit from special-purpose IoT devices. For example, the healthcare industry uses a range of smart medical devices known as the Internet of Medical Things (IoMT) while the manufacturing industry has their own Industrial Internet of Things (IIoT).
However, businesses need to recognize that the benefits reaped from IoT comes with a serious caveat – weak security. Just like PCs, laptops, and servers, giving IoT devices the license to connect to the internet inevitably opens them up to cyber-attacks. This is exacerbated by a set of challenges unique to IoT security, as will be discussed below. And with the rate of enterprise IoT spending expected to continue its double-digit growth over the coming years, the attack surface of organizations will only continue to expand.
As with attacks on conventional network infrastructure, hackers exploit different kinds of vulnerabilities to hack IoT devices. IoT devices are unique in this regard because security is generally not at the heart of the IoT development process but a mere after-thought. IoT developers are much more concerned with functionality, time to market, and production costs. This means that many IoT devices are released with flaws, some of which are known to developers. These include weak authentication and access controls, built-in backdoors for remote debugging, and software coding errors. Hackers have the means to scan and exploit these vulnerabilities to gain control of an IoT device.
Another unique challenge to securing IoT devices is their lack of computing power, that is, the lack of memory, weak processors, and simple operating systems. This means that most IoT devices cannot support endpoint security software such as antivirus or more advanced EDR solutions. There is no way for devices to scan and detect malware and alert users in the event of an attack.
In order to secure devices, they first have to be known. The problem with IoT devices is that they can sometimes seem like small and insignificant purchases that IT departments are not informed of their existence. These unaccounted devices, known as shadow IT, pose a hidden risk to an organization. In the event of an IoT breach, it becomes extremely difficult to locate the device and pinpoint the origin of the attack for timely remediation.
The unique security challenges make IoT devices attractive targets for bad actors. As a result, IoT devices pose significant security risks to organizations. A growing number of high-profile security incidents involving IoT devices have been exposed in recent years.
In the grand scheme of a cyber-attack, IoT devices are the attack vectors through which hackers gain initial access to an organization’s network. Once inside, attackers move laterally through the network in search for high value data to maximize the reward of the attack. Alternatively, attackers compromise as many hosts as possible to widen the scope of a ransomware attack so as to demand a bigger ransom.
IoT devices that have visual and audio capabilities such as security cameras can be hacked to spy on a victim organization. If left undiscovered, hackers are free to conduct long-term espionage on the organization, tuning in to live audio and action feeds that may expose company secrets and intellectual property. In March 2021, security systems start-up Verkada was breached. As reported by Bloomberg, the breach gave the Swiss-based hackers access to over 150,000 internet-connected security cameras of Verdaka customers. These include major companies like Tesla, Nissan, Equinox, and Cloudflare as well as hospitals, schools, and jails.
An empty classroom caught by one of the cameras compromised in the Verkada breach.
(Courtesy of Tillie Kottmann via The Washington Post)
medical device company Abbott (formerly St. Jude Medical) on fears of hacking risks, as reported by The Guardian. It only takes a bad actor with sinister intentions to control the dosage of injections or alter the heartbeat to cause unimaginable consequences.
A distributed denial of service (DDoS) attack occurs when an attacker takes down a web service by flooding its server with internet traffic. A DDoS attack is achieved using a botnet, an internet-connected group of malware-infected devices, which the attacker remotely controls to make a huge number of simultaneous requests to the target server. Traditionally, PCs were used to launch DDoS attacks. However, in 2016, the world witnessed the largest DDoS attack conducted by an IoT botnet dubbed Mirai. According to the Center of Internet Security (CIS), the Mirai botnet assembled an army of 145,000 devices, including smart cameras and home routers from primarily South America and Asia, that peaked at an unprecedented 1Tbps. Victims of the attack include French technology company OVH and security and investigation website Krebs on Security.
To reverse engineer something simply means to examine how something works. In the case of IoT devices, this could be a physical device itself or the device’s software or firmware. Hackers can purchase a targeted device, take it apart, and extract its firmware. They can also download the firmware from the manufacturer’s website to look for weaknesses. These include hardcoded passwords or backdoors that the manufacturer built in to facilitate remote debugging. Hackers can then exploit these to gain unauthorized access to the device.
Given the grave security risks of IoT devices, there are various IoT security best practices and tools that help organizations mitigate these risks. But as you will see, these come with their own respective limitations.
More IoT device manufacturers are beginning to ship devices with unique initial passwords in place of common default passwords. This is a step in the right direction. However, unique passwords only help to make illegal access more difficult. There are various ways hackers can steal device passwords. For example, attackers can craft a phishing email purporting to be the device vendor to trick a user into clicking on a link that redirects them to a fake login web portal for the device and steal their access credentials.
Software and firmware updates help patch over discovered vulnerabilities. However, unknown vulnerabilities, known as zero-days, can remain undiscovered for a long time. This is especially the case if the device developer does not conduct regular vulnerability discovery of their products and release regular updates. In fact, vulnerabilities are often exposed only after they have been exploited in an attack, meaning that you could be a victim before a patch is made available.
Network firewalls do a good job at blocking malicious traffic from reaching IoT devices and the network in general. However, skilled attackers have the means to conceal malicious code in internet traffic to bypass firewall detection. Legacy firewalls using signature-based detection are powerless against such sophisticated attacks, and even some next-generation firewalls lack the intelligence to detect them.
As mentioned above, the majority of IoT devices cannot support native endpoint protection due to resource constraints. Therefore, there is no way for devices to scan and detect malware and alert users in the event of an attack.
Network segmentation involves isolating IoT devices from the core business networks. This helps to prevent attackers from moving laterally to core business networks in the event of an IoT breach and keep damage to a minimum. However, some IoT devices are themselves critical. This is especially the case for IoT devices in healthcare and manufacturing scenarios, where the sabotage of a device would cause major impact irrespective of whether the attack extends to the other network.
Given the limitations of IoT security protections, one thing is abundantly clear – it is almost impossible to prevent IoT devices from being breached. In this light, IoT security should combine threat prevention with continuous threat monitoring and detection.
Network detection and response (NDR) solutions like NovaCommand achieves this by analyzing real-time network traffic to detect anomalous behavior. The idea is that attackers’ malicious operations differ from those of normal network traffic. For example, an IoT device may be using a different communication protocol from usual, communicating with a different server from usual, or simply showing elevated activity at irregular hours. By continuously monitoring for fine deviations from regular network activity, NDR uncovers hidden threats before more serious damage is inflicted on high value assets.
NDR trumps other security solutions and mechanisms due to its ability to analyze network-wide traffic. Traffic analysis using NDR is advantageous to IoT security in the following ways:
As previously mentioned, shadow IT is a big security issue in IoT security and hinders effective threat detection and remediation. Using meta data extracted from network traffic, NDR can identify IoT devices based on the type of communication protocol, MAC address, IP address, port number, etc. NDR can help locate unaccounted IoT devices on the network and build a complete IoT asset inventory. In this case, NDR can create customized baselines models of network activity for these IoT devices for more targeted anomaly detection.
Given that attackers tend to move laterally after an IoT breach, the malicious operations of attacker may only be detected at a later stage, e.g., when the attacker reaches a workstation. At this point, it may be difficult to trace the attack back to the original source of intrusion. The beauty of NDR is that it is able to correlate traffic across the entire network and reconstruct a trail of the malicious activity. This enables security to pinpoint the original flaw that led to the attack and close the hole to prevent further breaches.