Six IoT Security Threats to Watch
By Peter Kowalke
Internet-of-Things technology still has a long way to go before it is secure. Last year, Congress introduced the IoT Cybersecurity Improvement Act. The stated goal of the Act was to leverage federal government procurement power to encourage increased cybersecurity for Internet-of-Things devices, specifically to help promote an increased level of education around cybersecurity and encourage manufacturers to build in “security-by-design” to improve IoT systems overall.
Good start, but we’re not there yet.
“While this Act is a step in the right direction, IoT security still poses a major risk for businesses,” says Nico Fischbach, global chief technology officer for cybersecurity firm Forcepoint. “As the way we work and the devices that we use continue to shift, hackers will also be looking to capitalize on these new technologies.” A 2019 report found that 81 percent of organizations surveyed had faced an IoT cyberattack recently, for instance. IoT is a target, and businesses must understand how to stay protected.
With that in mind, here are six IoT threats to watch.
1. Inadequate Protection at the Network’s Edge
IoT devices collect data, and businesses can thrive on the analysis of this data. The challenge is securing these data stores if analysis is being performed locally at the network’s edge instead of at centralized cloud processing sites. Currently, the edge of a company’s network is often not as robustly secured as centralized data centers. “It makes better economic sense and improves efficiency to process the data at the edge, an edge that can be static or mobile. However, security professionals need to ensure that the edges of their network are just as protected as the central sites, whether IoT data is stored in local, hybrid or cloud solutions,” says Fischbach.
Since the old security model doesn’t hold for IoT and the new data-processing demands, the network’s edge is a security threat.
2. Unpatched IoT Device Software
IoT devices have bugs and software vulnerabilities like all other software. But unlike most other software, the code that powers IoT devices often is hard to access and inadequate systems are in place for updating it when vulnerabilities are discovered. “Most of the time, firmware in IoT devices is difficult to update so vulnerabilities go unpatched for the lifetime of the device,” says Mounir Hahad, head of threat labs at Juniper Networks. “This makes them an ideal vector to compromise a network.” Inadequate patch management is one of the biggest security threats for businesses related to IoT, because the situation around discovering and updating IoT device software is generally a mess. Yet, leaving software unpatched is a gaping security hole.
3. Unrestricted Access to Corporate Networks
Because the security danger around IoT devices generally is significant, a third potential threat is giving IoT devices too much network access. If a device’s access is not limited by default and the device gets compromised, it could open the door to compromising other systems. “The minimum bar for defending against IoT threats is network segmentation,” stresses Hahad. “No IoT device should have access to networks it does not need to access.” Further, IoT devices generally have no business being on the Internet. Connected devices should access the corporate network, not be exposed to attack by being generally connected to the whole world.
“Very few if any IoT devices should be accessible from the internet to reduce exposure,” he says.
4. Incomplete Device Cataloguing
Unknown devices on a corporate network challenge security, because it is hard to know expected behavior and how best to protect the network if devices are connected but not fully known. Since there are so many IoT devices in play for the typical large company, keeping track of everything can be a challenge that introduces security holes. “IoT devices are becoming more and more prominent in enterprise networks, and they are adding an extra level of difficulty for admins to properly secure their networks,” says Brian Bartholomew, principal security researcher for the global research and analysis team at cybersecurity firm Kaspersky North America.
“This proves difficult for a number of reasons,” he says, “but mostly because simply generating an inventory of IoT devices on a large enterprise network is near impossible. In order to combat the general threat, admins must get a handle on what devices are on their network first.”
5. Siphoned Data
Much of the traffic coming from IoT devices is not adequately encrypted. Some estimates even suggest that 98 percent of all IoT transmission goes unencrypted. While this might be an overly pessimistic estimate, the potential for man-in-the-middle attacks on IoT devices is still large. In these attacks, hackers can listen in on IoT traffic and siphon it off, or even manipulate the data so companies get inaccurate reports from their IoT fleet. IoT is a serious threat for data compromise, especially since some devices record sensitive and personally identifying information. The scope for damage is huge.
“Because their egress is sometimes not monitored, it makes them an ideal jumping-off point for exfiltration of data,” notes Hahad. So check to make sure all IoT data is encrypted both during transmission and when stored on IoT devices.
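The segmentation, inventory and egress-monitoring points in items 3 through 5 can be checked together against network flow records. The following is an added example, not part of the original article: the inventory format, the flow-record layout ("src dst dport") and all addresses are constructed assumptions.

```python
import ipaddress

# Assumed address plan (constructed): corporate space and the IoT segment inside it.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed inventory: catalogued IoT device -> the only networks it needs to reach.
INVENTORY = {
    "10.20.0.11": {"name": "badge-reader-1", "allowed": ["10.1.5.0/24"]},
    "10.20.0.12": {"name": "hvac-sensor-3", "allowed": ["10.1.6.10/32"]},
}

# Constructed flow records, one per line: "src dst dport".
FLOWS = """\
10.20.0.11 10.1.5.20 443
10.20.0.12 10.1.6.10 8883
10.20.0.12 10.1.9.4 445
10.20.0.11 203.0.113.50 443
10.20.0.77 10.1.5.20 443
198.51.100.7 10.20.0.12 23
"""

def audit_flows(flow_text, inventory=INVENTORY):
    """Return (finding, src, dst, dport) tuples for flows that break policy."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        dport = int(parts[2])
        if src in IOT_SEGMENT:
            device = inventory.get(str(src))
            if device is None:
                # Item 4: a device on the IoT segment that nobody catalogued.
                findings.append(("uncatalogued-device", str(src), str(dst), dport))
            elif not any(dst in ipaddress.ip_network(n) for n in device["allowed"]):
                # Item 3: traffic to a network the device does not need;
                # leaving corporate space is the unmonitored-egress case.
                kind = "segmentation-violation" if dst in CORP_NET else "internet-egress"
                findings.append((kind, str(src), str(dst), dport))
        elif dst in IOT_SEGMENT and src not in CORP_NET:
            # Item 3: an IoT device reachable from outside the corporate network.
            findings.append(("internet-inbound", str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(*finding)
```
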
6. Cloud Vulnerabilities that Expand Data Breach
IoT devices often are used for industrial applications. An industrial IoT cluster might comprise a network of devices from small sensors to major industrial equipment, for instance, helping make processes more efficient. But as these devices get increasingly intertwined, security becomes an even bigger issue. “This can be especially lucrative for hackers, since by attacking one device or its back-end, they can access many,” says Fischbach at Forcepoint. “It is something businesses and critical infrastructure operators should ensure they are not forgetting about.” Specifically, businesses should look at vulnerabilities in public or shared cloud architectures.
“Organizations should ensure that the underlying components of the cloud infrastructure they consume offer strong enough isolation for multi-tenant architecture/applications to avoid shared technology vulnerabilities,” he notes.
The Internet-of-Things does a lot for business. But it also opens new vulnerabilities. Businesses should be wary and pay attention to these risks.