Devices connected to the Internet of Things (IoT) add substantial value to businesses and industries such as manufacturing, transportation, and utilities, among others, according to a recent Tech Pro Research survey. By automating tasks and making functionality easily accessible to the average user, many devices, like Internet-enabled security cameras and medical devices, have the potential to greatly improve safety and security.
However, with pressure to keep costs down and a “get to market first” approach, many manufacturers and developer teams do not invest the time and effort to build security measures into the design and deployment of these IoT devices. Because of many manufacturers’ oversights in this area, the layering of security measures is lacking, leaving the consumer at risk and the manufacturer open to liability due to the increase in threats to these devices. In the McAfee Labs Threat Report December 2018, researchers found that IoT device malware increased 203% over the past year, a dramatic increase as hackers continue to take advantage of lax IoT security.
According to a recent report by Techaisle, three times as many U.S. midmarket firms as small businesses are currently adopting IoT solutions, with the trend expected to continue for the next 2-3 years. Three of the top 10 IoT segments are Smart Cities, Connected Industry, and Connected Buildings. Many products are being developed quickly and are focused on features and functionality, with security tacked on as an afterthought. Two of the major issues that stand out with IoT security are authentication credential management and lack of software updates.
The Mirai botnet is one of the best-known botnets in existence, and it was enabled by the poor credential management of IoT devices. The Mirai software infects new devices by trying to log in with a list of commonly used usernames and passwords. Lists of these accounts and passwords are freely available on the Internet. Some passwords are hard-coded into the IoT device by the manufacturer, making it impossible for the user to change them. Even if they are not hard-coded, many users don’t think about changing passwords for their lightbulb.
Another common issue with IoT security is poor patch management. Like other systems, IoT devices have vulnerabilities that need to be fixed through updates. However, patches are not provided as frequently and are often difficult to deploy. Again, the lack of user awareness works against software updates for IoT devices, as most people don’t think of their doorbell as a fully functional computer that, if hacked, could feed fake images or eavesdrop on video and audio during a broadcast, according to a report at Dojo by BullGuard.
IoT or “smart” devices have been designed and deployed for a variety of purposes. Many users feel the benefit of having control of their device far outweighs the relative security risk of the feature. However, with the steady increase in attack vectors over the years, consumers and organizations are becoming more aware of the risk involved and are beginning both to understand the implications and to shift their buying process when considering IoT products.
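The login pattern described above (one source cycling through many different usernames in a short time) can be detected in a device's or gateway's authentication log. The following is an added example, not code from the original article; the log format, the thresholds, and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-01T00:00:01 login failed user=root src=203.0.113.7
2024-01-01T00:00:02 login failed user=admin src=203.0.113.7
2024-01-01T00:00:03 login failed user=guest src=203.0.113.7
2024-01-01T00:00:04 login failed user=support src=203.0.113.7
2024-01-01T00:00:05 login failed user=user src=203.0.113.7
2024-01-01T00:00:06 login ok user=admin src=203.0.113.7
2024-01-01T00:10:00 login failed user=alice src=198.51.100.20
2024-01-01T00:10:30 login failed user=alice src=198.51.100.20
2024-01-01T00:11:00 login ok user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) login (failed|ok) user=(\S+) src=(\S+)$")

def detect_credential_guessing(log_text, min_users=4, window=timedelta(seconds=60)):
    """Flag sources that fail logins for >= min_users distinct usernames within window.

    Returns {src: {"users": max distinct usernames seen, "succeeded_as": user or None}}.
    """
    recent = defaultdict(deque)  # src -> (timestamp, user) failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts, outcome, user, src = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if outcome == "failed":
            q.append((ts, user))
            distinct = len({u for _, u in q})
            if distinct >= min_users:
                entry = flagged.setdefault(src, {"users": 0, "succeeded_as": None})
                entry["users"] = max(entry["users"], distinct)
        elif src in flagged and q:
            # A success right after a guessing burst: treat the account as compromised.
            flagged[src]["succeeded_as"] = user
    return flagged

if __name__ == "__main__":
    print(detect_credential_guessing(SAMPLE_LOG))
```

A user who mistypes one password repeatedly (the second source in the sample) is not flagged, because the rule counts distinct usernames rather than raw failures.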
A loss or degraded level of functionality of IoT devices is one of the simplest impacts of IoT hacking. Many hacked IoT devices are included in botnets, like Mirai, that are used for performing Distributed Denial of Service (DDoS) attacks.
Participation in a DDoS attack uses computational and networking resources as the IoT device sends malicious packets to the target device. This degrades the capabilities of the IoT device and the network that it is connected to.
IoT devices are often fully functional Linux computers with Internet access, so an attacker-controlled IoT device can be a significant threat to an organization’s network.
If the network where IoT devices are connected is not isolated from the rest of the network, access to the device allows an attacker internal access to the network. This access can be used for reconnaissance, vulnerability scanning, and expanding access to other devices since the compromised device is inside the firewall. Many organizations’ defenses are perimeter-focused and would likely miss most or all of these attacks.
With the rise of ransomware and the growing reliance on smart devices, ransomed IoT devices have become a very real possibility. A compromised IoT device can have an even greater impact on an individual or organization. A ransomed pacemaker or Internet-connected power distribution device could threaten life and safety, making restoration of operations a priority. Under these circumstances, paying a ransom may be an organization’s only option for regaining access to lost data.
Many IoT devices are deployed to collect potentially sensitive information. For example, Internet-connected cameras and smart medical devices are designed to collect video and Protected Health Information (PHI) data and transmit it to cloud servers for processing.
While these IoT devices are designed to protect data at rest and in transit, the situation becomes more complicated when an attacker has access to the device. Someone with control of the device could read this data off the device’s memory and possibly modify or fabricate it.
While the current level of security built into IoT devices is extremely low, there are steps that owners of IoT devices can take to improve their security. This can be important both for the security of their network and for ensuring that their security settings are compliant with the relevant regulations such as GDPR, PCI-DSS, and HIPAA.
Some precautionary steps for security include regularly checking for and installing updates on IoT devices, segmenting the network to isolate untrusted IoT devices from other systems, and changing default usernames and passwords on IoT devices. If your organization has deployed or is planning to deploy IoT devices in your network, reach out to Avertium for a consultation on how you can update your security plan to account for this new threat surface.