The term “Internet of Things” (IoT) was first used in 1985. These “things” are tools, programmed for applications, and they transmit data over the internet or other networks. IoT devices include hardware such as sensors, actuators, gadgets, appliances, or machines that can be embedded into mobile devices, industrial equipment, environmental sensors, and medical devices. And as of 2021, there are more than 10 billion active IoT devices.
Yes, 10 billion.
What’s more, that number is projected to surpass 25.4 billion in 2030. The sheer volume of IoT devices is just one reason they're consistently the primary tool used in the biggest distributed denial of service (DDoS) botnet attacks. The Mirai botnet, known not-so-affectionately as "the king of malware," has exploited IoT vulnerabilities for DDoS attacks since 2016. In September of this year Microsoft issued patches and guidance for addressing Mirai efforts to exploit the RCE defect OMIGOD.
The use of IoT devices in DDoS attacks isn't waning. Even though many IoT data processing activities fall under the scope of the General Data Protection Regulation (GDPR), most IoT device manufacturers don't sell products that adhere to the "privacy by design" principle. That means the onus is on you, the user, to learn about IoT vulnerabilities and take IoT security steps that deter hackers and mitigate cyberattacks. Keep in mind that IoT devices such as cameras and virtual assistants don't just house sensitive data; they're a way for bad actors to actually look into your home.
Read on for steps you can take to keep cybercriminals out of your connected devices.
The Open Web Application Security Project (OWASP) consistently lists “weak, guessable, or hard-coded passwords” as the top security risk associated with IoT applications and devices. In June ASMAG reported that 1) five password sets allow online intruders to access 10% of all connected IoT devices, and, 2) fifteen percent of device owners don’t change device default passwords.
Password hygiene may seem like a hassle, but it doesn’t even compare to the headache of having hackers get unauthorized access. Access into one device could allow them to take over others in the system, because IoT devices often share default passwords.
When it comes to password best practices it's recommended that you:
- Avoid IoT devices that don't allow you to change the default password.
- If a device doesn’t let you change a password (e.g., Amazon Alexa, Google Hub), reinforce security at the connection point — usually a router or a phone app — and don’t share the PIN or passcode.
- Change the passwords to any smart devices you already have, and don't use the same password across devices.
In addition to the points listed above, the Cybersecurity & Infrastructure Security Agency (CISA) also recommends that you:
- Use different passwords on different systems and accounts.
- Use the longest password or passphrase permissible by each password system.
- Develop mnemonics to remember complex passwords.
- Consider using a password manager program to keep track of your passwords.
- Do not use passwords that are based on personal information that can be easily accessed or guessed.
- Do not use words that can be found in any dictionary of any language.
According to Security Boulevard: "IoT devices make up 30% of all network-connected endpoints, introducing novel attacks and supply chain vulnerabilities that make many companies primary targets for cybercriminals. To address this increasing threat surface, every organization deploying IoT devices needs to consider the question of firmware updates for their IoT devices."
One of the things people love most about smart devices is convenience, namely that the devices update themselves over wireless connections. When smart phones, smartwatches, medical sensors, fitness trackers — even cars — have firmware updates, users usually just agree to the install and it happens automatically. Anyone who endured manual updates, especially in the days of dial-up internet service, sees this as an improvement to device management. Unfortunately there's a downside to these over-the-air (OTA) updates: 1) they're one of the top security vulnerabilities in an IoT ecosystem, and, 2) failing to update increases the number of attack vectors in operating systems, firmware, and applications.
Without a secure update mechanism in place, how can you keep your devices updated while protecting sensitive information? The Cloud Security Alliance (CSA) Internet of Things (IoT) Working Group recommends:
- Backup IoT devices before updates.
- Support rollbacks if needed, but only reload older images with vendor authorization.
- Schedule IoT updates to avoid network saturation and limit downtime.
- Use vendors who support system admin configuration options for automatic updates.
- Look for a single component to manage microcontroller updates.
- Assess bandwidth constraints and adjust update strategy, differential, or complete image as needed.
- Authenticate and protect updates from end-to-end.
- Secure storage of verification signing keys.
- Develop recovery procedures to use in the event of update failure.
- Put long-term vendor support contracts in place.
IoT devices are built to share information. They're smart devices, but not smart enough to distinguish between data you want to share and personal data you want to protect. Implementing IoT authentication (device identification process) and authorization (permissions) is critical to privacy protection and information security.
Distributed and centralized are the two main types of IoT security protocols. In a distributed model, devices validate authorization with stored certificates and identities. A centralized model uses a centralized server – or trusted third-party app – that distributes and manages the authentication certificates of IoT devices.
Choosing the right authentication and authorization security protocol depends on the communication protocol a network uses for identifying machines and securing data. The three primary IoT authentication and authorization security protocols are:
Distributed One-Way — Best for device-to-device connections that need security, but not continuous monitoring; as the name suggests, only one party authenticates itself to the other.
Distributed Two-Way — Most often used for e-commerce and transmitting sensitive data, this mutual communication method requires two devices to authenticate each other with a digital ID before communicating.
Centralized Three-Way — Eliminates authentication delay by registering devices with a central server that creates a secure handshake, making it the preferred protocol for always-connected or on-demand access devices.
Insecure network services are an issue for both businesses and personal networks. An insecure network is an opportunity for cybercriminals to engage in:
- Piggybacking: Using a subscriber's wireless network without permission or knowledge.
- Wardriving: Searching for WiFi networks, most often from a car, with a laptop or other mobile device.
- Evil Twin Attacks: Seemingly legitimate wifi access point(s) that are created by a hacker to access user communications.
- Wireless Sniffing: Using software and/or hardware to eavesdrop on communication sent over a wireless network.
- Unauthorized Computer Access: Hacking or taking over a device without permission.
Straightforward ways you can shore up your network security are:
- Change your default passwords: Bad actors can locate default passwords online. After changing default passwords, make a point to use updated, complex passwords at regular intervals.
- Restrict access: Limit network access to authorized users by filtering media access control (MAC) addresses.
- Encrypt network data: Encrypted data isn’t decipherable to anyone who manages to access the network you’re using.
- Conceal your service set identifier (SSID): Attackers can find your network via its SSID, so change it to a unique name and don’t share it.
- Use twice the firewall: Double up on firewalls — one on the wireless network (router- or modem-based) and one on wireless devices (host-based) — for extra protection.
- Access point software: Regularly check for software and firmware updates and patches from your wireless access point manufacturer.
- ISP and router wireless security options: Options for securing wireless networks can vary by ISP and router manufacturer. See what yours provides and if there are ways to enhance your existing security.
- Connect with a virtual private network (VPN): VPNs let employees establish secure remote network connections from anywhere, so any data sent is encrypted.
Insecure Ecosystem Interfaces
Passwords, firmware, authentication, and network services are more front of mind when it comes to securing IoT devices. Insecure ecosystem interfaces may not be as obvious.
Interfaces that surround an IoT device, but aren’t a part of it (e.g., web interface, backend API, cloud, mobile), interact with that device. If any of them aren’t secure, the IoT device is vulnerable to attack. OWASP reports that common issues associated with this attack vector are a lack of authentication and authorization, weak encryption, and input and output filtering.
Steps to securing ecosystem interfaces overlap with others in this article, but OWASP specifies the importance of safeguarding the identity of IoT devices with a device identity mechanism. This ensures servers can distinguish a valid endpoint from a rogue one using authentication. Assigning a unique ID to each device within an IoT ecosystem, so it can be tracked throughout the device’s lifetime, is critical to IoT network defense. With an assigned ID the system can validate a device using public key infrastructure (PKI) to link devices with public key certificates from certificate authorities.
Device hardening isn’t a single step or action; it’s a process. The device hardening process reduces vulnerabilities hackers can exploit. Techopedia defines it as:
" … providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security."
How can the various layers of protection be enhanced for defense in depth? Password management, use of non-default configurations, and updating firmware and patches is a good start. Disabling unnecessary protocols, services, and ports helps, too. Then back up those steps with authentication and authorization and secured protocols for devices and routing — and you’re well on your way.
Data breaches, ransomware attacks, and other security threats are an unfortunate reality. They're not going away any time soon; in fact, they'll likely continue to evolve. The number of IoT devices in use will continue to grow, too, so taking steps to secure IoT devices and proactively address security issues must be front of mind now and in the future for any business that wants to scale.