
IoT security risks are real – this is how you mitigate them


Hacks, breaches and intrusions targeting smart device networks are becoming increasingly frequent. The recent cyberattack on the Colonial Pipeline, the American oil pipeline system integral to the energy security of the Southeastern United States, is only the latest occurrence of criminal cyber breaches of Internet of Things (IoT) enabled smart infrastructure.

The Colonial Pipeline hack had a devastating impact on commercial activity in several states, with many petrol stations being without fuel for several days. This was a criminal attack by a cyber racket that held the computerized equipment managing the pipeline for ransom. Whether carried out by a criminal organization, a hostile nation-state or an individual with bad intentions, hacks of IoT are a looming threat that will only become more prevalent in the future as more and more devices become smart.

Essentially any Internet-connected device is vulnerable to being hacked and misused. In the age of the Internet of Things, that means that malicious actors could potentially exploit vulnerabilities in billions of connected devices to access confidential data, spread malware or ransomware, assimilate devices into a botnet, shut down utilities and other pieces of infrastructure or even cause tangible harm.

What companies need to understand is that cybersecurity threats are continually evolving and that concomitantly their cyber defenses need to keep up with them. If companies are serious about protecting their organizational assets and their end-users – and they should be – they should particularly do the following:

  • Gain a greater understanding of how their IoT applications could be vulnerable to hacking attempts;
  • Do an in-depth analysis of past IoT security breaches, hacking attempts and failures and incorporate the lessons learned into their security strategy; and
  • Incorporate the solutions and strategies that make their applications more secure into the design and use protocols of new devices.

Check the security of IoT applications against potential hacking attempts

It starts with weak authentication

Perhaps the most common problem in cybersecurity – and the one that can most easily be mitigated by common sense – is the general human tendency toward laziness: people just use passwords that are too simple, like “123”, “ABC” or a combination of alphanumeric characters that are comparatively easy to “guess” or arrive at in a brute force attack. In essence, passwords are the first line of defense against malicious attackers trying to breach your network. But if an employee’s password isn’t strong enough, your devices and network aren't secure. More worrisome is that in some cases passwords may even be publicly accessible or stored in an application’s source code. As such, the first rule of proper “cybersecurity hygiene” has to be having strong passwords that brute force attacks cannot just simply guess.
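The two failure modes described above, guessable passwords and passwords left in an application's source code, can both be checked automatically before a device ships. The following is an added example, not code from the article or from EMnify: the firmware snippet, the common-password list and the 12-character minimum are constructed assumptions for illustration.

```python
import re

# Constructed denylist for the demo; a real audit would load a much larger list.
COMMON = {"123", "abc", "admin", "password", "root", "12345678"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Matches literal assignments such as  password = "..."  or  #define WIFI_PASS "..."
HARDCODED = re.compile(
    r"""(?i)\b(\w*(?:pass(?:word|wd)?|secret|api_?key)\w*)\s*(?:=|:|\s)\s*["']([^"']+)["']"""
)

def password_findings(password):
    """Return the reasons a password is weak (an empty list means it passes)."""
    findings = []
    if password.lower() in COMMON:
        findings.append("on common-password list")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings

def hardcoded_credentials(source):
    """Return (line_number, identifier, findings) for each literal credential."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, value in HARDCODED.findall(line):
            hits.append((number, name, password_findings(value)))
    return hits

# Constructed firmware source; line 4 loads its key at runtime and is not flagged.
SAMPLE_SOURCE = '''\
#define DEVICE_NAME "thermostat-01"
#define ADMIN_PASSWORD "123"
const char *wifi_pass = "ABC";
const char *api_key = load_from_secure_element();
'''

if __name__ == "__main__":
    for number, name, findings in hardcoded_credentials(SAMPLE_SOURCE):
        print("line %d: %s is hardcoded; %s" % (number, name, ", ".join(findings)))
```

Run as a pre-release check, this flags lines 2 and 3 of the sample both for embedding a credential in source and for the weakness of the value itself.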

A lack of encryption during data transmission can be costly

Ancillary to the above point, another substantial threat to the security of your IoT networks is a lack of encryption used for regular transmissions among devices. Many IoT devices that do not necessarily store sensitive data – such as thermostats – do not encrypt the data they send to other devices. Yet if someone manages to compromise the network, they could thereby still intercept credentials and other important information transmitted to and from that device. 

Low processing power obstructs timely security updates

Many IoT applications are engineered in such a way that they use data economically, so that costs are reduced and battery life can be extended. However, this makes it difficult to send over-the-air (OTA) updates to these devices to update their security settings. As such, this leaves them vulnerable to hacking. 

Other common issues are legacy assets that weren’t originally designed for cloud connectivity, a multitude of devices with different security settings sharing the same network, inconsistent security practices stemming from the lack, so far, of common standards, and missing firmware updates.

An analysis of past security breaches can provide you with valuable insights 

While technology has evolved and every year a myriad different attack vectors and zero-day exploits come to light, analyzing past security breaches can help you in predicting the behavior and motivations of malicious actors. The aforementioned cyber attack on the Colonial Pipeline, for example, was about extorting a ransom payment.

Similarly, the 2016 Mirai botnet case became famous – or rather infamous – because the malware managed to assimilate over 145,607 video recorders and IP cameras into this botnet in order to wreak havoc. The botnet was created by a single hacker – a college student – and came about by the aggregation of unsecured IoT devices. In several attacks, the botnet first crashed Minecraft servers, but then quickly went on to launch attacks on French web hosting service OVH, as well as the websites of Netflix, Twitter, Reddit, The Guardian, and CNN. Yet more worrisome is that the malware’s code is apparently still out on the Internet and successors of Mirai have been created to do a host of nefarious things like hijacking cryptocurrency mining operations.

Yet more worrisome was the 2017 announcement by the US Food and Drug Administration (FDA) that more than 465,000 implantable pacemaker devices by manufacturer St. Jude Medical were vulnerable to hacking. While there were no known hacks, and St. Jude Medical was quick to patch the devices’ security flaws, it was a disturbing revelation with potentially fatal implications. Had a hacker gained control of these pacemakers, they could have literally killed people by depleting the battery or altering the bearer’s heart rate.

Familiarize yourself with the strategies and solutions that secure your applications 

So what can companies do to keep their IoT devices secure? Well, companies should take their cues from previous incidents and incorporate the solutions that secure their applications into the design and use protocols of new devices right from the start. 

For one thing, companies should make the best use of physical security – fences, doors, shutters – to keep their devices secure. Another issue, specific to cellular IoT devices, is that a lot of the critical information is stored on the SIM card. In general, form factors for SIMs are removable, which makes this data more vulnerable. Using an eSIM is the better option, as the eSIM is soldered directly onto the circuit board and thus much harder to physically access.

Martin Giess, CTO & co-founder, EMnify

Martin Giess is CTO and co-founder at EMnify, a leading cloud communication platform provider for IoT. In his role, he oversees the technical execution of EMnify’s product vision.