Interconnectivity is a whole new frontier. The ability to connect various electrical and electronic devices and be able to communicate with each other and with the world, in general, is the stuff science fiction is made of. But it is now a reality that has captured everyone’s imagination.
This fascination with this new technological marvel has resulted in the explosive popularity of the Internet of Things, or IoT devices, and it’s seeping into all aspects of our lives. According to a report published by Statista, internet-enabled electronic devices are increasing in number every year, with over 8.74 billion IoT devices available in 2020. This is far more than the people living on Earth.
But while IoT devices brought an unprecedented level of convenience and intelligence to all aspects of life, it has also brought new concerns with it. You see, IoT devices are quite vulnerable to various types of cybersecurity threats. And with IoT features and technologies being introduced to more and more types of devices, those security concerns will also increase.
Variety, in an article published in 2019, reported that, on average, a household will have 11 connected devices. That large concentration of devices compounds the security threats that can be encountered through IoT devices.
Cyber-attacks going through connected devices and appliances at home may sound improbable, but it has actually happened. In September 2020, a hacker was able to infect a connected coffee machine with ransomware. This kind of scenario will likely happen more frequently as more IoT devices are deployed – ones that are not secure or do not have the level of security validation needed to protect them from cyber-attacks.
Internet of Things devices may seem like it is an unusual target for a cyber-attack. But the truth is, these devices contain large amounts of information and since they are seen as benign devices their security capabilities are often overlooked. This ignores the fact that these devices are connected to the same network that people use to access the internet using their machines that have far more valuable data.
The popularity of IoT devices has led to manufacturers and other providers rushing various devices to market to try and carve out a piece in a market obsessed with these devices. In this rush, the security capabilities of these devices are often overlooked or seen as a non-important issue.
Because of the nature of these devices, more often than not, IoT equipment uses hard-coded or embedded credentials. What’s worse, owners of devices would not even bother to change the default passwords, which makes it so easy for hackers to infiltrate them.
One type of malware that took advantage of this default password vulnerability is the Mirai malware, which was used to successfully infiltrate various machines—from routers to video cameras. This malware used a database of 61 default usernames and passwords that are often hard-coded into IoT devices. In 2016, the Mirai malware was able to launch a 1Tbps Distributed-Denial-of-Service (DDoS) attack, which took down Amazon Web Services. It was the first large-scale DDoS attack of its kind.
By its very nature, IoT devices are built with one primary goal in mind – ease of use. These devices are meant for users that are not very technologically adept. While devices may be secure at the time it was acquired, it may become more vulnerable over time due to increased sophistication of cybercriminals. But because updates can sometimes be a cumbersome affair (it’s not a straightforward process, or it takes a level of tech familiarity that users may not possess) most devices are not installed with these updates to strengthen their security.
One of the biggest concerns with IoT devices is their ability, or lack thereof, to protect data. While most IoT devices may not have sensitive data stored in them, these devices can be used as the gateway towards access to the confidential and sensitive data that sits within the same network the IoT device is connected to. This kind of attack may be the stuff of Hollywood movies but it does and did happen.
For example, in 2017 a casino was infiltrated by hackers, who were able to access the establishment’s database of customers by being able to access the network by hacking a smart thermostat that was being used in one of the casino’s fish tanks. That attack resulted in the hackers being able to run away with 10GB of valuable customer data.
While the security concerns about IoT devices are valid, it is also not hopeless. Network administrators, IT managers, and, of course, the IoT manufacturers can address various vulnerabilities and help protect the devices and the networks.
One of the best ways to protect an organization’s network and its IT infrastructure is by continuously checking the IT infrastructure for vulnerabilities and weaknesses. Protocols like continuous security validation will constantly check the network for weaknesses and make assessments and optimization where needed. Protocols like these are very effective since it uses the latest knowledgebase of cyber attack tactics and techniques called the MITRE ATT&CK, which ensures that the security validation being conducted always looks out for the latest attack tactics being used in the wild.
Being proactive in protecting the network instead of solving a problem once it comes up is the wiser direction to take and will prove to be more cost-efficient in the future as it prevents any serious downtime that could affect business continuity.
IoT devices are the future and will become more prevalent in the coming years. It will be integrated more into our lives—both at homes and in businesses—as it becomes more intelligent and connected. The security concerns about IoT devices are valid, but it shouldn’t stop users from enjoying the tremendous benefits it brings. By ensuring that security protocols are always in place and that IoT devices are always maintained well with updates, these concerns can be reduced, if not eliminated.