IoT Security Issues, Threats, and Defenses
The internet of things (IoT) has grown so broad that the development of its security had to quickly keep up. This article discusses the basics of IoT security in order to help frame what it is, why it is necessary, and how it can be achieved.
What are IoT devices?
We begin by defining the “things” in the internet of things, because the diversity in IoT devices makes the IoT’s scope so broad and its security challenging. The main characteristics of an IoT device are that it is able to connect to the internet and to interact with its environment through the collection and exchange of data. Devices commonly have limited computing capacity and only a few specific functions. Because devices are so diverse, there are countless ways IoT can be used and applied to different environments.
For regular users, smart homes demonstrate just how accessible IoT devices are. Users can update their home’s security system (through smart locks, IP cameras, and motion sensors) or improve their entertainment system (through a smart TV, smart speakers, and connected game consoles) by simply buying such devices. IoT devices are also often portable and can be connected to any network. A typical example is how users bring their devices from their homes to the office (e.g. smart watches and e-readers).
While diversity can give users countless devices to choose from, it is one of the reasons behind the fragmentation of the IoT and carries many of its security concerns. The lack of industry foresight and standardization has given rise to compatibility issues that also complicate the matter of security. The portability of devices presents a greater possibility of threats poisoning more than one network. Compounding these concerns are other factors that IoT security must address.
What are the security issues in the IoT?
While IoT devices play a huge role in the discussion of IoT security, placing all the focus on this aspect of the IoT does not provide a full picture of why security is necessary and what it entails. There are many factors that make IoT security critical today.
Threats and risks
IoT security is critical largely because of the expanded attack surface of threats that have already been plaguing networks. Adding to these threats are insecure practices among users and organizations who may not have the resources or the knowledge to best protect their IoT ecosystems.
These security issues include the following:
- Vulnerabilities. Vulnerabilities are a large problem that constantly plagues users and organizations. One of the main reasons IoT devices are vulnerable is that they lack the computational capacity for built-in security. Another reason that vulnerabilities can be so pervasive is the limited budget for developing and testing secure firmware, which is influenced by the price point of devices and their very short development cycle. Vulnerable standard components also affect millions of devices, as demonstrated by Ripple20 and URGENT/11. Aside from the devices themselves, vulnerabilities in web applications and related software for IoT devices can lead to compromised systems. Malware operators are on the lookout for such opportunities and are knowledgeable even about older vulnerabilities.
- Malware. Despite the limited computing capacity of most IoT devices, they can still be infected by malware. This is something cybercriminals have used to great effect in the past few years. IoT botnet malware are among the most frequently seen variants, as they are both versatile and profitable for cybercriminals. The most notable attack was in 2016, when Mirai took down major websites and services using an army of ordinary IoT devices. Other malware families include cryptocurrency mining malware and ransomware.
- Escalated cyberattacks. Infected devices are often used for distributed-denial-of-service (DDoS) attacks. Hijacked devices can also be used as an attack base to infect more machines and mask malicious activity, or as an entry point for lateral movement in a corporate network. While organizations may seem like the more profitable targets, smart homes also see a surprising number of unforeseen cyberattacks.
- Information theft and unknown exposure. As with anything dealing with the internet, connected devices increase the chances of exposure online. Important technical and even personal information can be unknowingly stored and targeted in these devices.
- Device mismanagement and misconfiguration. Security oversights, poor password hygiene, and overall device mismanagement can assist in the success of these threats. Users may also simply lack the knowledge and the capability to implement proper security measures, wherein service providers and manufacturers may need to help their customers achieve better protection.
The lack of industry foresight gave little time to develop strategies and defenses against familiar threats in growing IoT ecosystems. Anticipating emerging issues is one of the reasons research on IoT security must be done continuously. Here are some of the emerging issues that need to be monitored:
- Complex environments. In 2020, most U.S. households had access to an average of 10 connected devices. This research paper defined complex IoT environments as an interconnected web of at least 10 IoT devices. Such an environment is nearly impossible for people to oversee and control because of its elaborate web of interconnected functions. An overlooked misconfiguration in such a scenario can have dire consequences and even put the physical household security at risk.
- Prevalence of remote work arrangements. The Covid-19 pandemic upended many expectations for the year 2020. It brought about large-scale work-from-home (WFH) arrangements for organizations around the globe and pushed heavier reliance on home networks. IoT devices also proved useful for many users’ WFH setups. These changes have highlighted the need to reexamine IoT security practices.
- 5G connectivity. The transition to 5G comes with much anticipation and expectations. It is a development that will also enable other technologies to evolve. At present, much of the research on 5G remains largely focused on how it will affect enterprises and how they can implement it securely.
The possible consequences of IoT attacks
Aside from the threats themselves, their consequences in the context of the IoT can be much more damaging to deal with. The IoT has the unique capability of affecting both virtual and physical systems. Cyberattacks on IoT ecosystems could have far more unpredictable effects because they translate more easily into physical consequences. This is most prominent in the field of industrial internet of things (IIoT), where past cyberattacks had already demonstrated cascading consequences. In the healthcare industry, IoT devices are already being utilized to remotely monitor patients’ vital signs and have proven very helpful during the pandemic. Attacks on such devices can expose sensitive patient information or even endanger their health and safety. In the smart home, exposed devices could allow cybercriminals to monitor the household, compromise security devices like smart locks, and turn devices against their owners, as was the case when a baby monitor and a smart thermostat were hacked in separate attacks.
How to secure the IoT
There is no instant fix that can answer the security issues and threats laid out in this article. Specific strategies and tools may be necessary for properly securing more specialized systems and aspects of the IoT. However, users can apply a few best practices to reduce risks and prevent threats:
- Assign an administrator of things. Having a person act as an administrator of IoT devices and the network can help minimize security oversights and exposures. They will be in charge of ensuring IoT device security, even at home. The role is critical especially during this time of WFH setups, where IT experts have limited control in securing home networks that now have a stronger influence on work networks.
- Regularly check for patches and updates. Vulnerabilities are a major and constant issue in the field of the IoT. This is because vulnerabilities can come from any layer of IoT devices. Even older vulnerabilities are still being used by cybercriminals in order to infect devices, demonstrating just how long unpatched devices can stay online.
- Use strong and unique passwords for all accounts. Strong passwords help prevent many cyberattacks. Password managers can help users create unique and strong passwords that users can store in the app or software itself.
- Prioritize Wi-Fi security. Some of the ways users can do this include enabling the router firewall, disabling WPS and enabling the WPA2 security protocol, and using a strong password for Wi-Fi access. Ensuring secure router settings is also a big part of this step.
- Monitor baseline network and device behavior. Cyberattacks can be difficult to detect. Knowing the baseline behavior (speed, typical bandwidth, etc.) of devices and the network can help users watch for deviations that hint at malware infections.
- Apply network segmentation. Users can minimize the risk of IoT-related attacks by creating an independent network for IoT devices and another for guest connections. Network segmentation also helps prevent the spread of attacks, and isolate possibly problematic devices that cannot be immediately taken offline.
- Secure the network and use it to strengthen security. IoT devices can place networks at risk, but networks can also serve as levelled ground through which users can implement security measures that cover all connected devices.
- Secure IoT-cloud convergence and apply cloud-based solutions. The IoT and the cloud are becoming increasingly integrated. It is important to look at the security implications of each technology to the other. Cloud-based solutions can also be considered to deliver added security and processing capabilities to IoT edge devices.
- Consider security solutions and tools. A large hurdle that users face in trying to secure their IoT ecosystems is the limited capacity in which they can implement these steps. Some device settings might have restricted access and are difficult to configure. In such cases users can supplement their efforts by considering security solutions that provide multi-layered protection and endpoint encryption.
- Take into consideration the different protocols used by IoT devices. To communicate, IoT devices use not only internet protocols, but also a huge set of different networking protocols, from the well-known Bluetooth and Near Field Communication (aka NFC), to the lesser-known nRF24, nRFxx, 443MHz, LoRa, LoRaWAN and optical, infrared communication. Administrators must understand the whole set of protocols used in their IoT systems in order to reduce risks and prevent threats.
- Secure the heavy use of GPS. Some IoT devices and applications use GPS heavily, which carries potential security concerns. Organizations, in particular, need to be wary of cases where GPS signals can be jammed or even faked, especially if they use positioning systems for manufacturing, monitoring, and other functions. If these positioning systems are crucial to a company, means of monitoring the GPS signal should then also exist in the company. Another option would be for the company to use other positioning systems as well, such as Real-Time Kinematic (RTK) or Differential GNSS (DGNSS or DGPS).
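The baseline-monitoring practice in the list above can be sketched as follows. This is an added example, not part of the original article: it builds a per-device traffic baseline from median and median absolute deviation (MAD) and flags readings that stray from it. The device names, traffic figures, and function names are constructed for illustration, and the 3.5 cutoff is the commonly used threshold for the modified z-score.

```python
from statistics import median

# Constructed sample: outbound kilobytes per hour for each device over a quiet week.
HISTORY = {
    "ip-camera":  [5200, 5100, 5350, 5000, 5250, 5150, 5300],
    "smart-lock": [12, 12, 12, 12, 12, 12, 12],   # perfectly flat traffic
    "thermostat": [40, 38, 45, 41, 39, 44, 42],
}
# Constructed readings for the hour being checked.
OBSERVED = {"ip-camera": 5400, "smart-lock": 900, "thermostat": 43, "unknown-plug": 70}

def build_baseline(history):
    """Return {device: (median, MAD)}; both resist distortion by a single outlier."""
    baseline = {}
    for device, samples in history.items():
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline[device] = (med, mad)
    return baseline

def score(value, med, mad, floor=0.01):
    """Modified z-score. The spread is floored so devices with flat traffic
    (MAD of zero) do not divide by zero or alert on a one-unit change."""
    spread = max(mad, floor * med, 1.0)
    return 0.6745 * (value - med) / spread

def find_deviations(baseline, observed, threshold=3.5):
    """Return (device, reason) pairs for readings that need a closer look."""
    findings = []
    for device, value in sorted(observed.items()):
        if device not in baseline:
            # A device nobody inventoried is itself a finding.
            findings.append((device, "no-baseline"))
            continue
        med, mad = baseline[device]
        if abs(score(value, med, mad)) > threshold:
            reason = "above-baseline" if value > med else "below-baseline"
            findings.append((device, reason))
    return findings

if __name__ == "__main__":
    for device, reason in find_deviations(build_baseline(HISTORY), OBSERVED):
        print(f"{device}: {reason}")
```

A device that suddenly goes quiet is reported as well ("below-baseline"), since a silent camera or lock can matter as much as a noisy one.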
Aside from employing these security practices, users should also be aware of new developments in the technology. IoT security has been given heavier consideration in recent times. Research is continually being done on how to secure specific industries, monitor IoT-related threats, and prepare for upcoming gamechangers such as 5G. Users must understand that the IoT is an active and developing field, therefore its security will always have to transform and adapt to its changes.
With additional insights from Vit Sembera and Jakub Urbanec.