How to Reduce Risk and Secure Your Internet of Things Devices
Choosing a Smart Solution That Doesn’t Leave You Vulnerable
What is the Internet of Things?
Chances are, you already own or have used an Internet of Things (IoT) device. You might know them as smart devices, internet-connected devices, or by another name, but these are all part of the Internet of Things. The term came into being long before these devices were ubiquitous in our daily lives. The Internet of Things is a network of physical objects (“things”) that connect over the internet and collect and share data with other devices and systems.
IoT devices provide a service to the user, but also provide a glut of information for developers. Developers state that the information collected is a tool for honing services and enhancing user experience, but this information is also worth a lot of money to them for ad targeting and consumer behavior patterns.
The number of IoT devices in the United States continues to grow exponentially. Back in 2016, Symantec reported the existence of 6.4 billion devices, and, while numbers for 2020 are still shaking out, they currently exceed 20 billion.
This number isn’t surprising when you consider just how many types of IoT devices we encounter daily. They may include:
- A refrigerator that takes visual stock of food and alerts the user to buy replacements or places the order on its own
- A smart speaker that records audio, answers questions, and performs tasks on demand
- Smart homes that monitor for fire, carbon monoxide, and break-ins, and can even control when a door can be opened
- Self-driving and internet-assisted vehicles
- A smart TV that connects directly to streaming services and shows advertisements or suggestions based on user patterns
- A payment device that plugs into any mobile device to process credit card payments
- A water bottle that sends a push notification to remind users to drink their suggested daily amount
- Smart thermostats that “learn” from user input, occupancy, and seasonal adjustments
- Bluetooth-enabled healthcare devices that send data directly to monitoring applications or doctors
- And so much more
In the minds of many users, IoT devices fall into a different mental category from computers, servers, or mobile phones. The latter devices are subject to rigorous cybersecurity protections that are often ignored or missed completely in their IoT counterparts.
“A lot of people in their homes, a lot of organizations in their offices and other buildings are rushing in and applying these IoT devices to their network. These can include things like monitors, sensors, some of them are everyday products like your kettle.
These are providing benefits to employees and a lot of times they’re saving costs, they’re saving energy, and organizations really want to make efficiencies and make savings like that. But like every product on the internet, if it’s not secured properly it can mean a way in for attackers, and unfortunately, many IoT devices are built with almost no security at all. If the device is discoverable on the internet, and it’s connected to the rest of the network, it’s an easy-to-use gateway for attackers.”—Danny Palmer, Senior Reporter with ZDNet
What Risks and Problems Can IoT Devices Introduce to a Network?
There is no doubt that IoT devices introduce risks; however, the type and scope of risk can vary hugely between casual use and corporate integration. The scale of potential benefit vs. potential problem will be different for every situation. The important thing is to weigh this scale carefully with all of the information available.
In September 2020, a new scandal hit the IoT world. In order to illustrate just how vulnerable household IoT devices are, Martin Hron of the security company Avast reverse engineered a smart coffee maker to “turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly.” Ars Technica covered this amusing and terrifying experiment.
The takeaway from this story isn’t to expect ransoms from all of your connected devices. In fact, you may never see any direct effects from the most common uses hackers have for IoT devices.
Visible risks, such as leaked security camera footage, strangers viewing your baby monitor, or a criminal taking remote control of your Jeep, provide a tangible scare-factor. And if you can open your smart home’s garage from across the country, so can savvy criminals. But the most common and pervasive attacks involve using your IoT device as part of a much larger botnet.
A botnet consists of internet-connected devices that have been breached and are controlled by a third party through malware. Botnets accomplish cybercrime through sheer numbers, with each device adding power and another threat vector.
In 2006, the Mirai botnet was discovered. This botnet primarily targeted consumer IoT devices such as IP cameras, making it one of the first and most noticeable IoT attacks. The botnet was used primarily for Distributed Denial of Service (DDoS) attacks—essentially overloading a targeted network with traffic and shutting it down to legitimate traffic. Targets of the Mirai botnet included computer security journalist Brian Krebs (krebsonsecurity.com) and the servers for the popular game Minecraft. Mirai successors are still active today.
In addition to DDoS attacks, botnets can be used for stealing data, sending spam, and generally providing increased access to the cybercriminal.
Roughly 98% of all IoT traffic is unencrypted, exposing confidential data on the network. Despite the proven risks, consumers love connectivity and ease-of-use far more than they are concerned about security vulnerabilities.
Since a large number of IoT device users are unable or unwilling to add security for themselves, the onus lies with companies and, furthermore, with regulatory agencies to ensure standard protections. Given the freedom to choose between offering consumer protections and continuing on the path of unchecked data collection and cheap security options, most companies have shown little to no interest in investing in security improvements. With the United States’ House passing IoT regulation, the experience of purchasing and using IoT devices may soon change.
In the meantime, there are a variety of solutions available for consumers and IT partners alike.
Practical Tips for Purchasing and Setting Up Internet-Connected Devices
The Planning Stage
The Purchasing Stage
The Protection Stage
- Patch devices and run updates regularly
- Avoid exposing IoT devices to unsecured internet connections
- Segment internet networks, and keep IoT devices separate from users and private data
- Consider segmenting IoT devices using VLANs
- Turn off any ancillary services not required for core functionality of IoT devices
- Consider turning off reporting and automatic sending of data if possible
- Change factory-set credentials or remove remote access capabilities completely
- Log and monitor all devices on your network
- Physically secure IoT devices against in-person tampering
- Use multi-factor authentication (MFA) to ensure that you are the only one accessing back-end controls
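To make the segmentation and logging items above concrete, here is an added example (not part of the original article) that audits a flow log for IoT devices reaching into the user network, devices missing from the inventory, and likely cleartext traffic leaving the network. The subnets, inventory, log format, and log lines are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one subnet per VLAN.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # IoT VLAN
USER_NET = ipaddress.ip_network("192.168.10.0/24")  # users and private data
CLEARTEXT_PORTS = {23, 80}  # Telnet, HTTP: port-based heuristic only

# Constructed inventory of approved IoT devices (IP -> name).
INVENTORY = {"192.168.20.11": "thermostat", "192.168.20.12": "smart-tv"}

# Constructed flow log, one new connection per line: "src dst dst_port".
SAMPLE_FLOWS = """\
192.168.20.11 203.0.113.5 443
192.168.20.12 192.168.10.40 445
192.168.20.77 198.51.100.9 23
192.168.10.40 192.168.20.12 8009
192.168.20.11 192.168.20.12 1900
"""

def audit_flows(text):
    """Return (finding, src, dst, port) tuples for IoT-initiated flows."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        if src not in IOT_NET:
            continue  # only connections opened from the IoT VLAN
        flow = (str(src), str(dst), port)
        if str(src) not in INVENTORY:
            findings.append(("unknown-device", *flow))
        if dst in USER_NET:
            findings.append(("segmentation-violation", *flow))
        elif dst not in IOT_NET and port in CLEARTEXT_PORTS:
            findings.append(("cleartext-egress", *flow))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

A segmentation-violation finding means the firewall between the VLANs let an IoT device open a connection toward user systems, which is the rule to tighten first.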
In 2017, Mark Anderson wrote for Clutch.co about the potential impact of IoT devices on small businesses. The benefits available as well as the risks are all still in play today.
The Proactive Stage
- Trend Micro, “The IoT Attack Surface: Threats and Security Solutions.”
- National Institute of Standards and Technology (NIST), “NIST Releases Draft Security Feature Recommendations for IoT Devices.”
- Palo Alto Networks, “2020 Unit 42 IoT Threat Report.”
- Nozomi Networks, “OT/IoT Security Report.”