How to Reduce Risk and Secure Your Internet of Things Devices
Choosing a Smart Solution
That Doesn’t Leave You Vulnerable
What is the Internet of Things?
Chances are, you already own or have used an Internet of Things (IoT) device. You might know them as smart devices, internet-connect devices, or by another name, but these are all part of the Internet of Things. The term came into being long before these devices were ubiquitous in our daily lives. The Internet of Things is a network of physical objects (“things”) that connect over the internet and collect and share data with other devices and systems.
Read more about the danger of IoT data collection on our blog.
IoT devices provide a service to the user, but also provide a glut of information for developers. Developers state that the information collected is a tool for honing services and enhancing user experience, but this information is also worth a lot of money to them for ad targeting and consumer behavior patterns.
The number of IoT devices in the United States continues to grow exponentially. Back in 2016, Symantec reported the existence of 6.4 billion devices, and, while numbers for 2020 are still shaking out, they currently exceed 20 billion.
This number isn’t surprising when you consider just how many types of IoT devices we encounter daily. They may include:
- A refrigerator that takes visual stock of food and alerts the user to buy replacements or places the order on its own
- A smart speaker that records audio, answers questions, and performs tasks on demand
- Smart homes that monitor for fire, carbon monoxide, and break-ins, and can even control when a door can be opened
- Self-driving and internet-assisted vehicles
- A smart TV that connects directly to streaming services and shows advertisements or suggestions based on user patterns
- A payment device that plugs into any mobile device to process credit card payments
- A water bottle that sends a push notification to remind users to drink their suggested daily amount
- Smart thermostats that “learn” from user input, occupancy, and seasonal adjustments
- Bluetooth-enabled healthcare devices, that send data directly to monitoring applications or doctors
- And so much more
In the minds of many users, IoT devices fall into a separate mental category than computers, servers, or mobile phones. The latter devices are subject to rigorous cybersecurity protections that are often ignored or missed completely in their IoT counterparts.
“A lot of people in their homes, a lot of organizations in their offices and other buildings are rushing in and applying these IoT devices to their network. These can include things like monitors, sensors, some of them are everyday products like your kettle.
These are providing benefits to employees and a lot of times they’re saving costs, they’re saving energy, and organizations really want to make efficiencies and make savings like that. But like every product on the internet, if it’s not secured properly it can mean a way in for attackers, and unfortunately, many IoT devices are built with almost no security at all. If the device is discoverable on the internet, and it’s connected to the rest of the network, it’s an easy to use gateway for attackers.”—Danny Palmer, Senior Reporter with ZDNet
What Risks and Problems Can IoT Devices Introduce to a Network?
There is no doubt that IoT devices introduce risks; however, the type and scope of risk can vary hugely between casual use and corporate integration. The scale of potential benefit vs. potential problem will be different for every situation. The important thing is to weigh this scale carefully with all of the information available.
In September 2020, a new scandal hit the IoT world. In order to illustrate just how vulnerable household IoT devices are, Martin Hron of the security company Avast reverse engineered a smart coffee maker to “turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly.” Ars Technica covered this amusing and terrifying experiment.
The takeaway from this story isn’t to expect ransoms from all of your connected devices. In fact, you may never see any direct effects from the most common uses hackers have for IoT devices.
Visible risks, such as leaked security camera footage, strangers viewing your baby monitor, or a criminal taking remote control of your Jeep, provide a tangible scare-factor. And if you can open your smart home’s garage from across the country, so can savvy criminals. But the most common and pervasive attacks involve using your IoT device as part of a much larger botnet.
A botnet consists of internet-connected devices that have been breached and are controlled by a third party through malware. Botnets accomplish cybercrime through sheer numbers, with each device adding power and another threat vector.
In 2006, the Mirai botnet was discovered. This botnet primarily targeted consumer IoT devices such as IP cameras, making it one of the first and most noticeable IoT attacks. The botnet was used primarily for Distributed Denial of Service (DDoS) attacks—essentially overloading a targeted network with traffic and shutting it down to legitimate traffic. Targets of the Mirai botnet included computer security journalist Brian Krebs (krebsonsecurity.com) and the servers for the popular game Minecraft. Mirai successors are still active today.
In addition to DDoS attacks, botnets can be used for stealing data, sending spam, and generally providing increased access to the cybercriminal.
Roughly 98% of all IoT traffic is unencrypted, exposing confidential data on the network. Despite the proven risks, consumers love connectivity and ease-of-use far more than they are concerned about security vulnerabilities.
Since a large number of IoT device users are unable or unwilling to add additional security for themselves, the onus lies with companies, and furthermore, with regulatory agencies to ensure standard protections. Given the freedom to choose to offer consumer protections or continue on the path of unchecked data collection and cheap security options, most companies have shown little to no interest in investing in security improvements. With the United States’ House passing IoT regulation, the experience of purchasing and using IoT devices may soon change.
In the meantime, there are a variety of solutions available for consumers and IT partners alike.
Practical Tips for Purchasing and Setting Up Internet-Connected Devices
The most essential tip for handling IoT devices is to know the full scope of the risk, reward, network systems, and access. This graphic from Trend Micro does an excellent job of pointing these out. Take the time to educate yourself while you are still in the planning phase of IoT implementation.
The Planning Stage
Planning to add an IoT device to a home or work network should include all sorts of knowledge gathering. First, take stock of the devices already on your network. It is very possible that IoT devices you weren’t aware of already gather and send valuable data. For work networks, this is the time to build policies that will ensure that any IoT devices you discover or add are identified and controlled to the degree that you deem necessary, based on your security needs.
This is also the time to research the potential devices themselves. What type of data do they gather and how much? How is that data stored? Is it sent between devices or back to the company? If you have a variety of devices to choose from, research each one and the companies that create them. How long have they been around? How have they handled past breaches? What built-in security features do they offer? Are they up front about data collection or trying to hide it from consumers?
Knowing that each IoT device brought onto your network comes with risk, take care and caution in this step.
The Purchasing Stage
In most cases, the cheapest option isn’t going to be the best or provide much security. In fact, some cheaper electronics pack their systems with bloatware, malware and/or spyware that finances the deep customer discount. If you’re paying the minimum for what seems like a premium product, question where that discount comes from—it’s likely that you’re paying for it in access, advertisement, or data collection.
To an extent, data collection is necessary for IoT devices to perform their tasks. Steer clear of companies that cannot or will not provide up-front information on what is gathered, when, how it is stored and used, and if it is sold.
If you intend to purchase IoT devices for the office or that connect to the same network as corporate information, consult with your IT partner before clicking Buy Now.
The Protection Stage
At this point, you’ve already made your purchase and are ready to take steps to remedy any remaining vulnerabilities.
For casual users of IoT devices, implementing all the security measures you can will leave you better off than doing nothing. Corporate and enterprise IoT devices need to be set-up and monitored by an IT partner or managed services provider. While IoT may offer significant benefits to everyday efficiency, the potential risk and data leakage involved means safety needs to be a focus.
Here are the top actions to consider:
- Patch devices and run updates regularly
- Avoid exposing IoT devices to unsecured internet connections
- Segment internet networks, and keep IoT devices separate from users and private data
- Consider segmenting IoT devices using VLANs
- Turn off any ancillary services not required for core functionality of IoT devices
- Consider turning off reporting and automatic sending of data if possible
- Change factory-set credentials or remove remote access capabilities completely
- Log and monitor all devices on your network
- Physically secure IoT devices against in-person tampering
- Use multi-factor authentication (MFA) to ensure that you are the only one accessing back-end controls
Not all suggestions will apply to all situations or devices. Working with an IT partner will ensure that appropriate actions are taken to maintain your security while utilizing this new technology effectively.
The Proactive Stage
Now that newly-added and legacy IoT devices alike are secured to your specifications and the worst risks have been mitigated, it is time to lay the groundwork for ongoing security best practices. In this stage, monitoring is one of the most powerful tools at your fingertips. Whether you’re keeping an eye on your network and all the devices on it directly through back-end controls or using a monitoring, reporting, and alerting service to track traffic and changes, knowledge is power.
The longer an IoT device is in use, the more important statistics about use become. The history of a device can reveal concerning patterns or show you how essential a particular process is for daily work. The data collected can also help decide when it is time to retire or replace an IoT device. If the device is no longer serving your needs or if it is becoming a bigger risk (perhaps the creating company has gone out of business and no longer sends updates), it is time to say goodbye. Log all retired devices and ensure no vestige of their systems continues to access the network or transmit data once you’ve decided to unplug.The data collected can also provide a major assist when it comes to making your next IoT device purchase. Even more than research, experience will make clear what features you need and what you can do without. Are you in the planning stage of implementing IoT devices onto your network? Are you already using IoT devices and concerned about vulnerabilities?
In the meantime, more time spent on education is never wasted. Here are a few great places to start:
- Trend Micro, “The IoT Attack Surface: Threats and Security Solutions.”
- National Institute of Standards and Technology (NIST), “NIST Releases Draft Security Feature Recommendations for IoT Devices.”
- Palo Alto Networks, “2020 Unit 42 IoT Threat Report.”
- Nozomi Networks, “OT/IoT Security Report.”