The Internet of Things (IoT) is one of the biggest trends in the IT world right now. Covering everything from virtual assistants and environmental sensors to connected cars and smart cities, these technologies are set to impact every aspect of our lives in the coming months and year, both at home and in the workplace.
Figures from Gartner, for example, suggest that by the end of 2020, there’ll be 5.8 billion IoT endpoints in use in the enterprise and automotive sectors - up by more than 21% from 2019. While they’ll impact all parts of the economy, sectors such as utilities, building automation, government, and physical security will be among the biggest users of these tools.
The security threats of IoT
However, this explosion of new devices being connected to businesses' networks will likely bring with them a host of security threats and vulnerabilities. Many of these devices are based on proprietary and emerging technologies and there are still few industry-wide security standards for the IoT, which makes the area a paradise for hackers.
Indeed, research by F-Secure found that in 2019, the number of cyberattacks on IoT devices increased threefold, with more than 2.9 billion incidents recorded. But according to the Ponemon Institute and Shared Assessments, around 80% of enterprises aren't even able to identify all the IoT devices that connect to their network, let alone guard against threats.
Therefore, it's essential IT pros take the time to fully understand their devices to address common issues and protect them from the growing threat landscape.
5 key weaknesses in your IoT devices
IoT devices may open up firms to a wide range of risks, which may be inherent in the devices themselves or as a result of poor management.
1. Failure to apply updates
As is the case with many IT weaknesses, poor patching and update processes can be a big problem for IoT devices. However, they may be more tricky to update than other devices, especially those that are out in the field. What's more, many manufacturers may not keep up the same level of support as for other devices - often only focusing on their latest hardware, leaving older IoT devices more vulnerable as they reach end-of-life much quicker.
2. Weak default passwords
Many IoT device manufacturers still use a small number of fixed default passwords for their devices - and unlike tools like PCs or mobile gadgets, it’s easy for firms to overlook changing these - if they even have the option. The use of a set number of default passwords that may be at risk of leaks is a particular problem for the IoT sector - in fact, the UK government, for instance, is working to ban the use of default, preprogrammed passwords in IoT devices.
3. Lack of encryption
Poor or non-existent encryption when IoT tools are sending data over the network is a major threat to firms, yet many IoT devices don't encrypt data by default. Therefore, it's vital for firms to apply their own protections, such as TLS transport encryption, to ensure any communications made by these devices are safe, even if a hacker is able to intercept the transfer.
4. Remote access
By their very nature, many IoT tools will be spread across the edge of the network, which means users will have to connect to them remotely. Even if firms have changed default passwords, many IoT devices lack strong verification methods such as two-factor authentication and insecure password recovery features, which could make it easy for hackers to gain access remotely.
5. Poor physical security
Even if remote access is secured effectively, this can be undone if it's easy for a criminal to walk up to a device and plug in directly - especially if devices are in the field in easily-accessible locations. To combat this, it's important to ensure any devices are tamper-proof and their surrounding locations are effectively monitored and secured.
5 types of attack hackers can exploit
Failure to adequately secure IoT devices can lead to a wide range of problems, which can range from the mildly annoying to having the potential to shut down an entire business.
Being able to take control of IoT tools and turn them into botnets is one of the most common types of IoT attack, as they’re often easier to access than other devices and can quickly be used for a variety of tasks, from distributing denial of service attacks to spreading malware and stealing confidential data. The Mirai botnet is one of the best-known examples of how dangerous this can be.
Man-in-the-Middle, or MitM, attacks occur when a hacker breaches the communication link between two systems, such as an IoT endpoint and a server. This can allow them to change or steal the data and take control of the actions of the device, such as turning it on or off, and can be hugely disruptive to an organization.
3. Denial of service
Denial of service attacks have long been a problem for businesses, as they can shut down a server by flooding it with data. As well as being used to initiate such attacks, IoT offers a range of new targets for these threats, and while they aren't typically looking to steal data, they can leave businesses unable to effectively function or serve customers, hurting a firm's productivity, revenue and reputation.
4. Identity and data theft
Because they often collect and distribute highly sensitive data, including personally identifiable information, IoT presents an ideal target for fraudsters and other individuals looking to steal personal or financial data. If devices are unsecured, criminals may be able to do everything from track an individual's movements or even listen in on conversations to gain the details they need.
Ransomware has been a much-publicized threat in recent years, but IoT is just as vulnerable - if not more so - than PCs and laptops. If hackers are able to take control of critical devices, the demands they can make could be much more serious than blocking access to data. For example, if they can take over a utilities network or medical devices, threats to cause blackouts or turn off life-saving equipment can demand an immediate response, leaving businesses with no choice but to pay up or risk disaster.
To avoid these risks, IoT must be a key part of your threat management strategy, with key steps that must be taken to protect these devices clearly spelled out and given top priority.