At its core, the internet of things (IoT) is the concept of connecting devices to the internet and to other connected devices. In practice, the IoT is a massive network of connected things and people, collecting and sharing data about each other and their environment.
The connected things on the network come in all shapes and sizes and could be practically anything. It could be your smart light bulb that turns on automatically when you enter your home. Or it could be your fitness bracelet that tracks your heart rate and the number of calories you burned. And it could also be the self-driving car, which you may be able to purchase in a few years, that can detect objects in its path. These are all considered IoT devices.
But one commonality they all share is that they possess sensors that enable them to collect data that are typically shared with one or more remote servers. Those remote servers perform analytics on that data and then share the resulting information with the originating device and, in many cases, with other applications and servers. Those other servers, like the first, will perform analytics on the information received and, in all likelihood, will send some information back to the device as well as to other applications and servers for further analytics processing and sharing. And the cycle continues until you disconnect or turn off the device.
In a sense, IoT devices constitute a kind of feedback loop of personal, biometric, and environmental information. And the information gleaned from this process can provide insights into anything from how intense your workout was to the number of waiters that should be on-staff on a given evening at a local restaurant.
But while that can seem innocuous and useful, IoT devices come with some significant security risks. In this post, we look at the top five security risks that come with IoT devices and provide ways to mitigate them.
1. Weak default passwords
Many, if not most, IoT devices are insecure for many reasons. One of those reasons is that most of them come with a hard-coded embedded password. This is a boon to hackers looking to break into these devices, as it won’t take them very long to figure out the default password. And even if they didn’t know what it was, most default IoT passwords are readily guessable for usability reasons.
In 2016, malicious actors using the Mirai malware were able to infect 400,000 IoT devices, from routers to video cameras, using a database of common hard-coded default passwords. This created the world’s largest botnet, which subsequently mounted a massive Distributed Denial-of-Service (DDoS) attack. The DDoS attack managed to take down some of the internet’s largest sites: Amazon Web Services, GitHub, Netflix, and Twitter.
Mitigation
Users should immediately change their device’s default password to a long and complex password and not reuse a password they’re using on another account. In order to help with this, it’s recommended to use a password manager that can not only store your complex passwords, but that can also generate them for you.
Manufacturers of IoT devices should force a password change during the setup process. They should also design their products to include secure default settings, including minimum password requirements (i.e., length, upper case and lowercase letters, numbers, and symbols). Further, manufacturers should build two-factor authentication (2FA), biometric authentication, or digital certificates (Public Key Infrastructure) into the devices to ensure secure authentication.
2. Lack of security updates
Most IoT devices are built with simplicity, connectivity, and ease-of-use in mind, not security. And that’s an issue. Perhaps, it was perfectly secure when the device was first made available. But as time goes by and the computing world progresses, vulnerabilities will almost always be discovered – and exploited. And many IoT devices simply never get firmware updates or security patches, even with people using them for years and perhaps decades (think Wi-Fi routers).
In December 2017, the Satori malware managed to infect over 100,000 Wi-Fi routers in just 12 hours. The attackers pulled the attack off by targeting devices that had known security vulnerabilities – old routers fit the bill perfectly. The vulnerabilities had likely been present for years on the routers. But without a security patch being issued by the manufacturer, there was nothing users could do short of disconnecting their router and purchasing a new one.
Mitigation
The scope for action is rather limited here. But I will say that users should change their off-the-shelf WiFi router after a few years. If you feel you have enough technical skills, you could run the pfSense or OPNSense software instead of using a commercial router. pfSense and OPNSense are open source (and free) firewall and router software based on the FreeBSD operating system. With a bit of tech-savviness, you can set it up on an old PC, as long as it has at least two network interfaces. Both pfSense and OPNSense provide regular updates to add new features and patch known vulnerabilities.
Manufacturers should at the very least provide critical security patches for their devices, if not regular firmware updates. They should also disclose any discovered vulnerabilities, even if they are unable or unwilling to patch them. That way, users would at least be aware of their device’s vulnerability instead of plopping along with the illusion of security (which is worse than knowing you’re insecure).
3. Lack of encryption (in transit and at rest)
Some of the biggest threats that come from IoT devices are related to insecure communication and data storage. This issue, coupled with the fact that most IoT devices implement weak security (see points 1 and 2), opens the door to data theft, data modification, and ransomware attacks, in which attackers encrypt an organization’s sensitive data and demands a ransom in exchange for the decryption key.
In 2017, an unnamed casino suffered a data breach that saw attackers steal a database of high rollers (very wealthy casino goers). They broke into the network by compromising a smart thermostat attached to a fish tank in the casino’s lobby. The attackers managed to steal 10GB of sensitive data from the casino.
Mitigation
Home users and organizations should practice network segmentation when using IoT devices. That means creating a dedicated subnet isolated from all other subnets on the network. This way, if a malicious actor breaks into one of your insecure IoT devices, they’re stuck on that subnet and cannot branch out. Consider also blocking internet access on that subnet or at least limiting the domains that can be accessed. That can be achieved using an Access Control List (ACL).
Manufacturers should ensure their products support robust encryption for data in transit (as data is sent and received) and at rest (when data is stored on the device).
4. Privacy concerns
Collecting and sharing data is pretty much an IoT device’s raison d’être – especially wearables, like fitness bracelets and home appliances like smart light bulbs. These devices tend to collect large amounts of intimate data (location, biometric, behavioral) from their users and then phone home (they transmit that data to a remote server).
Of course, taken at face value, this is done to provide the user with the requested information or service. But what happens to the data on the remote server? Each company is different. However, there’s an extremely high chance that the data is kept (perhaps indefinitely), has further analytics performed on it (to augment its value), and is either rented or sold for profit to third parties.
Where does that leave the user? It leaves them with third-party companies (most of which the user has no relationship with), governments, and possibly hacker groups having access to intimate details of their lives for unknown ends. Sure, they got a chart displaying their average blood glucose level over the past seven days in exchange for that, but was it really worth it?
Mitigation
Simply don’t use them. That’s the absolute best way to steer clear of the privacy pitfalls that come with IoT devices. Plus, it’s a low-tech solution anyone can implement.
That won’t be a viable option for many, of course. So if you must use IoT devices, as above, put your IoT devices on a segmented network and either block internet access if you don’t need it or limit the domains to which your IoT devices can connect.
If you have sufficient technical knowledge, you could block internet access to your IoT devices but still allow them local network access. Then, by setting up a VPN server for remote access (either on your router if it supports VPN or on a dedicated Linux machine), you could VPN into your home network from the outside and access your IoT devices locally. That way, it would be just as if you were connected to your WiFi at home, and your IoT devices would be unable to phone home.
Of course, this approach makes more sense for home appliances (light bulbs, air conditioners, etc.) than for fitness bracelets, where you may want to transmit at least some of the data to the first-party server. However, if that’s the case, you’ll need to live with a lower level of privacy.
5. Shadow IT
The rise of IoT devices created a substantial increase in Shadow IT. When members inside an organization use devices, software, or services without their IT department’s knowledge or approval, we’re talking about Shadow IT. Shadow IT has also become much more common with the growing popularity of cloud-based applications.
The risks posed by IoT devices regarding Shadow IT will largely be unintentional. People are unlikely to perform work-related tasks using their fitness bracelets. But what happens when dozens or hundreds of people inside your organization show up for work with internet-enabled fitness bracelets that continually phone home? If these devices are allowed to connect to your corporate network without proper safeguards in place, your attack surface is now much bigger than it was. Not only that, but you now have dozens or hundreds of insecure points of access into your network. Remember the smart thermostat example above?
A study by helpsecurity.com, published in 2020, analyzed over 5 million IoT, IoMT (Internet of Medical Things), and unmanaged connected devices in the healthcare, retail, and manufacturing industries. Researchers uncovered a massive number of vulnerabilities, risks, and poor security practices around a very diverse set of devices.
Here are a few stats from the report:
- 5 to 19% of IoT devices were running unsupported legacy operating systems.
- 51% of network administrators were not aware of the smart devices that are connected to their network.
- 75% of healthcare deployments had VLAN violations, where medical devices were sharing the same VLAN as non-medical devices
- 86% of healthcare deployments included more than ten FDA recalled devices.
- 95% of healthcare networks integrated Amazon Alexa and Echo devices alongside hospital surveillance equipment.
Mitigation
Aside from not repeating the mistakes listed above, organizations should not allow unknown devices to connect to their critical networks. Though not airtight, MAC address filtering can help keep unauthorized devices off protected networks. Organizations that wish to provide a guest network for outsiders should make sure that the guest network is segmented and cannot access any internal networks and resources.
You should also have an explicit policy regarding IoT devices so that your workforce is aware of the risks of IoT devices to the organization. Mindfulness will always be your best ally. Another thing IT departments can do is put an automated asset management tool in place. That way, IT can scan for unauthorized devices (as well as software and services) transiting over your network.
Wrap up
So those are the top five IoT threats. Of course, there are more than five threats related to IoT devices – these are just the most common ones. But I think that there’s one inescapable fact that ties all of these risks together, and that’s the fact that IoT devices tend to be low-grade computing devices that are inherently insecure. While you can take measures to mitigate these risks, it’s a bit like saying you can safely play with fire…
The real solution would have to come from the device manufacturers. Manufacturers of IoT devices should put security at the forefront of their design philosophy, rather than it being an afterthought – if they even think about it at all.
So stay safe. And ditch that fitness bracelet – humans have been successfully working out without them for centuries.
I echo your thoughts, Marc. It is indeed true that as IoT devices grow in popularity, the number of threats that come with these devices is growing along with it. The rise of the Internet of Things (IoT) as a primary data contributor in big data applications has posed new data quality constraints, necessitating the creation of an IoT-inclusive data validation ecosystem. In a big data application, standardized data quality methodologies and frameworks are available for data acquired from a range of sources such as data warehouses, weblogs, social media, and so on. Because IoT data is so different from traditional data, the issues of assuring its quality are likewise distinct, necessitating the use of a specially built IoT data testing layer.