The IoT is powerful and useful technology. However, the nature of IoT requires a massive volume of devices (known as “end points” in IT and cybersecurity). Additionally, an IoT network runs on several different network protocols.
This combination of device volume and network complexity make IoT security incredibly challenging. But, with a good understanding of IoT security issues and the associated IoT security solutions, an IoT system can be adequately secured.
Are IoT Devices Secure?
IoT devices can be secure. However, the major IoT security issue is that IoT device security is often not configured and updated properly. Additionally, manufacturers occasionally discontinue support for devices with long service lives, which leaves those devices vulnerable to IoT attacks.
These issues tend to be less pervasive in enterprise use cases, where IT departments ensure IoT devices are properly set up and updated. In contrast, consumer IoT devices are often left unsecured, because consumers don’t realize that their connected devices need to be secured.
Ultimately, IoT systems bring some complex security challenges. Security and privacy in IoT requires a vigilant approach, because there are a lot of connections to manage and secure. But, with the right IoT device security standards, IoT devices can be properly secured.
IoT Security Statistics
The idea that IoT security is a huge issue might seem overblown. After all, who doesn’t change the default password on a new connected device? And don’t most computers and devices apply updates automatically, these days?
Those are logical questions. But a quick look at the IoT security statistics reveals that important steps are being skipped more often than they’re being taken.
- Less than 20% of IoT security risk professionals know all or most of the IoT devices their organization uses.
- 76% of IoT risk professionals believe their organization’s IoT security posture leaves them vulnerable to cyber attacks.
- 56% of organizations don’t keep an inventory of their active IoT devices.
- 64% of organizations don’t keep an inventory of their IoT applications.
- Routers are involved in 76% of IoT attacks.
- IoT malware attacks increased by 30% in 2020.
A quick look at the data reveals that the problem of IoT security is more serious than it might seem, based on the fact that IoT security issues are largely procedural. However, the main issue is that legacy cybersecurity approaches aren’t robust enough to handle the complexity of IoT security.
Understanding IoT Security Issues
The IoT devices themselves are the core of almost all IoT security issues. IoT devices create an incredibly broad attack surface, with a wide array of potential attack vectors. Therefore, IoT device management is the key to developing effective IoT device solutions.
These are the most pressing IoT security issues that every organization must understand:
Weak Organic IoT Device Security
Unfortunately, IoT device manufacturers often fail to design devices with IoT security in mind. Usually, end user convenience takes precedence. Therefore, many IoT devices are shipped with massive security flaws.
This is a huge problem. If an IoT device itself has built-in security vulnerabilities, it will be nearly impossible to secure any network the device is connected to. In most cases, only the manufacturer knows enough about a flawed device to correct the issue.
Before you deploy any IoT device, make sure that the device is capable of being configured for proper IoT security. It’s worth giving up some convenience and performance to get an IoT device that can be properly secured.
Failing to Apply IoT Device Security Updates
Most IT systems have some procedure for automatically pushing patches and updates to the connected computers and networking hardware. However, this procedure often skips over IoT devices.
IoT device manufacturers are frequently slower to release patches and updates than the companies that produce operating systems and other major software. So there are just no updates or patches to push to the IoT devices when the IT team is applying updates.
If your IT team uses an automated system to apply updates, the system often won’t detect all of the IoT devices that need to be checked. It’s common for IoT devices to remain unpatched and running out of date software for weeks or months.
In organizations that are unaware of exactly what IoT devices they use and how many of those devices are active, some devices never get software or firmware upgrades.
In short, make sure you’re keeping track of your IoT devices and keeping them up to date.
Inability to Physically Secure Devices
IoT devices are often positioned outside of the owner’s residence or business facility, where people could potentially gain access to them.
Although most IoT devices are accessed and breached through their network connection, it’s possible to breach devices using a physical connection. IoT devices with USB ports or some other physical input connection can be breached and infected using a portable flash drive.
Cybersecurity is primarily a digital endeavor. However, there’s a physical component to cybersecurity, especially in IoT, where devices might need to operate in the public space.
It’s best to place remote devices where they are difficult to access. And, if it’s possible, secure IoT devices to prevent access to any of the physical input ports.
Potential for Coordinated IoT Attacks (Botnets)
If a single IoT device gets breached or infected, it’s usually not a huge deal. It’s relatively easy to identify suspicious behavior and isolate a lone IoT device. But a major problem emerges when many IoT devices are breached.
When there are multiple infected devices operating on a network, it becomes more difficult to spot suspicious network activity. Usually, infected devices are identified because they behave differently than the other devices on the network. If several devices on a network are infected, the suspicious activity begins to look normal, since all the devices are behaving badly.
Also, the more breached devices there are, the more damage they can do. Most IoT devices have very little processing power on their own. But a whole lot of infected IoT devices can cause big problems.
Lastly, devices can infect each other with malicious software. So the number of infected devices on a network can increase exponentially and cause a cyber attack to spiral out of control very quickly.
Insufficient End User Education
Although the IoT devices come with plenty of their own security considerations, end users tend to be the weakest point in any IoT security system.
IoT devices are small, easy to transport, and 30% of consumers said they “cannot live without smart devices.” That means that a lot of people—most people, if you count smartphones— have their own IoT devices that they carry with them.
The problem here is that most people have very weak security on their IoT devices, or they don’t secure them at all. This means that there are tons of unsecured IoT devices all over the place. And, since most people are unaware of the security risks, they’ll often connect their devices to unknown networks.
That makes it very hard to control which devices connect to what network. That’s why it’s important to create segmented networks, with strict security controls that keep unauthorized IoT devices from connecting.
IoT Cybersecurity Attacks
There are several different types of IoT security attacks. From a high level, IoT security attacks have two stages: breaching an IoT device and using the device’s connectivity to execute a cyberattack.
There are multiple ways to breach an IoT device and even more types of cyber attacks that can be carried out from a breached device. Focusing on the first step of breaching an IoT device, these are the different types of IoT security attacks:
- Physical AttacksThis is where a bad actor physically accesses a device and uses the device’s data ports to upload malicious software to the device. This could give that person control of the device. Or the software may simply distribute malicious code to other devices on the network.
- Encryption AttacksIf an IoT device sends unencrypted data, anyone who intercepts that data can read it. This gives cybercriminals information about how your network is configured and what security protocols you have in place. Bad actors can use this network information to breach the IoT device itself, or gain access to the network.
- Firmware HijackingThere are two types of firmware hijacking. They both rely on out-of-date firmware.Often, firmware will be updated because the old firmware had some sort of security flaw. Cybercriminals often look for devices with out-of-date firmware so they can breach an IoT device through a known security hole that’s been closed on newer firmware versions.The other method is more sophisticated: a cybercriminal will deliver malicious software in the form of a firmware update. If your IoT devices are not configured to only accept updates from trusted sources, they can be infected by malicious code posing as a firmware update.
- Password AttacksOften, users never change the default password on a new IoT device. Default passwords are predictable and widely known. So cybercriminals often just log in to an IoT device using a default password.Otherwise, IoT devices can be breached using a brute force password attack, where the bad actor uses software to automatically try thousands or millions of potential passwords. That’s why most systems have a limit on how many incorrect passwords you can try.
Once a device has been breached, it can be used as the foundation to execute all sorts of cyberattacks: ransomware, DDoS attacks, building botnets, eavesdropping, and man-in-the-middle attacks.
The fact that breached IoT devices can be used in virtually any type of cyberattack really highlights the need for IoT security.
How to Secure IoT Devices
IoT devices can be secured with good IoT device management, network administration, and the help of IoT security solutions. The most common source of IoT device breaches is unsecured devices. So the best way to secure IoT devices is to develop thorough, automated IoT management procedures.
Here’s how to secure your IoT devices:
- Change the default name and password on all routers.The default names and passwords on routers are easy to identify and guess. Changing the default password is obvious. But it’s also wise to change the name of your network, so it’s not so easy to identify which network is yours.The typical recommendation is to use a password that’s a random selection of characters, numbers, and characters. But using a passphrase is actually more secure. And it’s easier to remember.Also, come up with a naming scheme for your routers that doesn’t include identifying information like your address.
- Use strong encryption for wireless networks.The best practice is to use WPA, WPA2, or a similarly strong encryption for authentication and wireless network encryption.
- Create a guest network. The more secure your need your network to be, the more you must control which devices are allowed to connect to that network. Controlling device access on a publicly discoverable network is challenging.So it’s best to create a guest network that employees, customers, or visitors can use for casual internet access. Then have a separate, undiscoverable network for your sensitive devices that you need to keep isolated from the anarchy of public network access.
- Create a standardized procedure for auditing and updating IoT devices. As we’ve already emphasized, the biggest challenge with IoT devices is keeping the devices themselves updated. While you can’t control how regularly the manufacturer provides updates for the onboard software and firmware, you can control how well you monitor your devices and check for updates.Create a standardized, repeatable procedure for setting up new IoT devices, tracking all your active IoT devices, and updating your IoT devices whenever a new update is released from the manufacturer.
- Use two-factor authentication for top-level network access. It should require more than just a password to get access to administrator controls and make meaningful changes to your network or devices connected to that network. It’s best if you protect your administrator privileges with two-factor authentication.Digital two-factor authentication (a password and an SMS authentication code, for example) is good. However, two-factor authentication that has both a digital and a physical component is best. Two-factor authentication with a digital and physical certificate is a password and something like a keycard, keyfob, or some sort of dongle.This sort of two-factor authentication makes it very difficult for a criminal to execute a cyber attack, even if they manage to breach your IoT devices.
IoT Device Security Standards
There are IoT device security standards which have been outlined by the National Institute of Standards and Technology (NIST) and the European Technology Standards Institute (ETSI).
The NIST and the ETSI collaborated to produce their respective IoT standards. So IoT device security standards are the same in most places.
There’s extensive documentation on IoT device security standards. But this is a quick summary of the IoT device standards:
- Manufacturers must ship devices with a unique default password. No more generic default passwords.
- Manufacturers must provide a means for reporting security vulnerabilities, and act on reported vulnerabilities in a timely manner.
- IoT device manufacturers must release regular software updates.
- Sensitive network security parameters must be securely stored, if an IoT device requires storage of those security parameters.
- IoT devices must use appropriate encryption for all communication with other devices.
- Any unused user interfaces or logical interfaces must be disabled.
- IoT devices should detect unauthorized changes to the onboard software or hardware and report unauthorized changes.
- Personal data transmitted by an IoT device must be encrypted.
- IoT devices must be resistant to data network and power outages, especially devices that are relevant to personal safety.
- IoT devices must provide a way for network administrators to examine network traffic for patterns of device failure or unauthorized network access.
- End users must be able to delete their user data easily.
- Devices must be easy to install and maintain.
- Data received by an IoT device must be validated before the device attempts to use that data.
Most manufacturers have adopted these standards. However, it’s important to understand that these standards are not laws. And not all manufacturers follow them. So it’s still important to have your own procedures and policies for managing your IoT devices.
Why IoT Security is Important
Unsecured IoT devices can expose networks and other connected devices to attackers. IoT devices offer a wide attack surface and an ample supply of security vulnerabilities. So cybercriminals often target IoT devices in cyber attacks, which is why IoT security is important.
However, the need for IoT security doesn’t end at the devices themselves or even on your local network. It’s also important that your external networks are also secure. If your IoT connectivity provider’s network is compromised, cyber criminals can access your IoT devices through your provider’s network.
Most IoT devices are attacked within five minutes of being connected to the internet. So it’s incredibly important to work with an IoT connectivity provider that has an incredibly secure network to protect your IoT devices from cyber attacks from the open internet.
Telnyx provides IoT connectivity through a private IP network that keeps your IoT data off the public internet and encrypts all data from end to end. The Telnyx network ensures that your IoT security plan is never compromised by factors beyond your control.
Find out more about how Telnyx keeps your IoT devices connected and secure.
Share on Social