IoT devices keep the world connected. But as the technology becomes "smarter," it's important to remember that these devices bring with them a unique set of security concerns.
What is IoT?
The term Internet of Things came about in 1999 and was used to describe devices that resembled the eyes and ears of a computer. The idea was that the computer had sensors that offered it the ability to see, hear, touch and interpret its environment. IoT allows us to connect technology to the virtual world. And this technology now comes in the form of physical objects, which we can connect to each other and the internet. These devices collect and share data with other devices, applications, and systems that allow the devices, in turn, to “talk back to us."
Many IoT devices use machine learning and data collection methods to analyze their surroundings and learn without any need for programming. Today, users don’t even have to interact with certain smart devices beyond the initial configuration. There are numerous devices that are used to simply notify or alert users for everyday tasks. For example, you can purchase smart pillboxes that can remind you to take your medication — and not only that, it also uses sensors to count how many pills are left in the bottle, calculate when you will need another prescription, and will even order it from the pharmacy.
How Can IoT Devices Be Connected?
It's up to the user to decide how they want to connect the devices, and there may be reasons for and against certain solutions. The most common methods of connecting these devices today are WiFi, Bluetooth, GSM’s RFID readers, and FTP.
IoT devices have the ability to sense their surroundings and interact with each other. It seems pretty straightforward to the regular end-user, but IoT connectivity is quite complex.
Each device needs some sort of external connection. Once the connection has been established, the data can be processed and passed on. Many different components are needed to ensure this runs smoothly and the desired end result is achieved. The devices can be either general or sensory devices and are all connected to the cloud via a gateway that passes on all the collected information. All this data is then stored and processed in the cloud.
This is all impressive in that it combine things such as processors and back-end servers to utilize all the data that IoT devices have collected. All this data is used to improve how IoT devices react and interact. IoT devices are a huge part of our everyday lives, be it through smartwatches, smart cars, smart retail, doorbells, thermostats, or even healthcare devices — the list goes on. IoT devices make life much easier for those that use them–so much so that experts claim that by 2025 there will be around 80 billion IoT devices, globally. Why do something yourself when you have the ability to do it through a smart device?
For example, a smart device can be used to turn on your coffee machine in the morning while you hit the snooze button. You wake up 10 minutes later with a fresh cup of coffee waiting for you. Or if you’re coming home from a hard day’s work and want the house to be nice and warm when you arrive, simply turn your smart thermostat on from the mobile app. Now with all this demand for more and more IoT devices, there are some security concerns. As with normal networked devices, IoT devices don’t come without their own vulnerabilities, which result in some security concerns.
Weak passwords.Many IoT devices are configured with default passwords, which can provide easy access to an attacker. It’s not difficult to crack a default password, a simple google search of the device's default credentials will normally show this. An example of this being exploited on a large scale is the Mirai Botnet. The Mirai malware scans the internet for vulnerable devices and tries to access them using the default credentials. If successful, the malware infects the device and turns it into a bot that can be used for DDoS attacks alongside the 400,000 other infected devices. To protect against this, users should always change the default credentials and use multi-factor authentication when possible.
Irregular patching. Who is enforcing regular updates and patches to the devices? Unlike managed IT devices, IoT devices do not normally receive regular patches. Many of these devices need to update manually and some never get updated from when they were first purchased. This means they become more exposed over time as more vulnerabilities arise. Users should ensure that all of their devices are updated regularly and patched whenever needed. As for manufacturers, they need to ensure that their devices are built secure by design and are regularly updated and patched when new vulnerabilities arise.
Data protection. This may be one of the main concerns with IoT devices due to insecure communications and how data is being stored. If any of the vulnerabilities discussed in the previous steps were to be exploited, then the devices could potentially be used to access confidential data. In 2017, an attacker was able to access a Las Vegas casino's network through a Wi-Fi-connected thermostat in a fish tank at the casino. The attackers were able to exfiltrate data from the casino’s “high-roller” database which contained personal information of the casino’s biggest spenders along with other private information. Breaches like this can compromise an organization's business activities and can create data privacy issues.
IoT devices require unique considerations when it comes to security. Many organizations forget that IoT devices can offer threat actors access to their networks.
Looking to keep your team ahead of the threat of IoT vulnerabilities? RangeForce offers modules on IoT mapping and vulnerability detection. Want to see our hands-on training in action? Request a demohere.
Join the RangeForce Community Edition to train in an on-demand cyber range.
Meet RangeForce at RSA and Infosecurity Conferences