How secure are IoT devices? Considering just how many of them are out there, you might expect security to be at a high level. Users are not informed enough on the topic of IoT safety and security, however, and IoT product manufacturers aren’t putting enough emphasis on this aspect of their business. Devices aren’t as secure as they should be.
That’s why the field of IoT security will boom over the next few years. Billions of devices are being interconnected across the globe, and most of them are vulnerable to a large list of IoT security concerns.
With a projected 50 billion devices on the Internet of Things by 2020, the security of the data they share is a large and growing concern. IoT security risks are a big deal.
We’ve cleared up “What is the IoT?” We’ve estimated “How many IoT devices are there?” We’ve researched IoT growth and market size. The time has come to discuss the biggest concern of all regarding IoT technology.
Main IoT Security Concerns
Here are some of the main concerns that keep IoT security engineers awake at night:
Insecure Devices
Experts agree that insecure devices pose a threat to the IoT. Bringing just one insecure device into your home or work environment can jeopardize the safety of your family or lead to a significant business loss. Someone could gain access to your home security system or your bank account because you thought it would be cool to start your morning coffee brewing by pressing a couple of buttons on your smartphone. If your new coffee machine isn’t secure, your home network could be compromised.
DDoS Attacks
Distributed denial of service attacks can run an online business into the ground. It has never been easier for a competitor (or a bored kid with too much time on her hands) to gain access to your network and prevent customers from accessing the services your business provides. Securing your devices is the first step in preventing these attacks. You should also develop a Plan B in case you lose access to the key components of your business despite hardening your security profile with Plan A.
Smartphone Security
A network is only as secure as its weakest link, and for many homes and businesses, that weak link is the smartphone. Using a secure password on your phone is increasingly important. Apps should be downloaded only from official stores – and even then, caution is required. Pay attention to the permissions that a new app requires. If anything seems suspicious, don’t install it.
Lack of Updates
As time passes, hackers get more sophisticated and more software vulnerabilities are discovered. Internet of Things safety and security erodes over time. That’s why it is essential to install manufacturer updates regularly – preferably automatically. Vendors who are alerted to security vulnerabilities patch them in updates, so your devices should always be running the latest version of their operating software.
Sometimes the flow of updates stops. If a product doesn’t sell in large numbers, the vendor may not find it worthwhile to assign technicians to security updates. The manufacturer could be acquired or go out of business. If your IoT network relies upon devices that are no longer being updated, consider replacing the devices with newer ones that will pose less of a security risk.
Raw Data Storage
Developers would rather save the data they gather in raw form than take the time and trouble to encrypt it. When this lack of care is combined with a lack of scruples, users can find their data being sold to advertisers and others. But that is a minor concern. You certainly don’t want your network to store sensitive health, political, or financial information in unencrypted form.
Data Breaches
When the data collected by IoT devices is stored or transmitted without concern for security, breaches become likely – and potentially devastating. With petabytes upon petabytes of data gathered from our security systems, phones, Fitbits, and other devices, hackers have never had a higher incentive to steal data and sell it for a profit. Data breaches are significant IoT security problems.
IoT Security Protocols
IoT protection protocols haven’t kept pace with the explosive growth of the installed base and the number of hackers who are targeting IoT devices. IoT security issues are among the industry’s top priorities, and several promising technologies are under development. Significant progress has already been made, and some of today’s protocols could serve as solid foundations for upgrades that meet emerging needs.
Five major safety protocols currently work together to keep IoT data security intact:
1. WirelessHART
This security protocol is considered solid, a model to be emulated by security specialists. It is used primarily in wireless networks of industrial sensors. WirelessHART requires all the devices that want to join a network to be verified with a secret Join key as well as a Network ID.
2. 6LoWPAN
6LoWPAN addresses Internet of Things security concerns by dealing with confidentiality, authentication, data protection, and data integrity. The protocol is designed to allow access only to authorized users. This ensures that data enters the network only from trusted sources and that the data remains unchanged during transmission.
3. IEEE 802.15.4
Defined in 2003, IEEE 802.15.4 protects communication among IoT devices. In practice, it provides a single shared key for all of the parties involved. This means that if a device or workstation is compromised by an attack, the attacker can easily gain access to the entire network, according to an Internet of Things security report published by Washington University in St. Louis.
4. IPSec
Internet Protocol Security, or IPSec, supports two security services. The first is called Authentication Header. It allows authentication of the sender of data. The second is named Encapsulating Security Payload, or ESP. It supports both authentication of the sender and encryption of data.
5. Embedded Security
Embedded security is what the manufacturers of IoT devices should be developing: security measures built into devices from the get-go. Critics say today’s embedded security protocols are based on cryptographic algorithms that improve the speed of basic security functions but don’t actually provide protection against most types of attacks.
How Many IoT Devices Have Been Hacked?
The pace of hacks has matched the IoT’s rapid growth. In 2018, some regions recorded large increases in attempted security breaches. For example, Japan had an increase of 45% compared to 2017, with an average of 2,752 intrusions per sensor per day.
The effects of IoT cyber security threats can be devastating. In this section, we’ll provide examples that answer the question “what is an IoT attack?” and illustrate just how dangerous such attacks can be. These examples show why such attacks are significant Internet of Things security issues.
Stuxnet
The Stuxnet virus first emerged in 2010. As soon as it was discovered, it was clear that a group of extremely talented programmers had been working on it for a long time. The virus was used to attack and physically damage Iranian nuclear facilities and their centrifuges. In addition to Iran, other countries, including Indonesia, India, and the US, were affected by this virus.
IoT botnet
In late 2013, data integrity was compromised on a large scale by IoT botnet malware. A researcher noticed that around 750,000 spam messages were sent using bot accounts, with a quarter of them originating from devices other than computers, including TVs, refrigerators, and other household appliances. Blocking the attack proved to be almost impossible, as no more than 10 emails were sent from any one IP address.
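The detection problem described above, as an added example that is not part of the original article: a per-source rate limit misses a campaign in which every device stays under the limit, while grouping by message fingerprint and counting distinct sources surfaces it. The log format, the `fp` fingerprint field, the addresses and both thresholds are assumptions constructed for this sketch.

```python
import re
from collections import Counter, defaultdict

LINE = re.compile(r"src=(\S+) fp=(\S+)")  # assumed log format: source IP + message fingerprint


def constructed_log():
    """Constructed sample: 40 devices send 8 copies each of one message;
    one ordinary mail server sends 25 distinct messages."""
    lines = [f"src=198.51.100.{h} fp=c0ffee" for h in range(1, 41) for _ in range(8)]
    lines += [f"src=203.0.113.5 fp=news{n:02d}" for n in range(25)]
    return lines


def parse(lines):
    """Yield (source_ip, fingerprint) pairs, skipping lines that do not match."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group(1), m.group(2)


def per_source_alerts(lines, limit=10):
    """Classic rate limit: flag any single source that sends more than `limit` messages."""
    counts = Counter(ip for ip, _ in parse(lines))
    return sorted(ip for ip, n in counts.items() if n > limit)


def campaign_alerts(lines, min_sources=20):
    """Flag a fingerprint seen from many distinct sources, however quiet each source is.
    Returns {fingerprint: (distinct_sources, total_messages)}."""
    sources = defaultdict(set)
    volume = Counter()
    for ip, fp in parse(lines):
        sources[fp].add(ip)
        volume[fp] += 1
    return {fp: (len(ips), volume[fp])
            for fp, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    log = constructed_log()
    print("per-source alerts:", per_source_alerts(log))
    print("campaign alerts:  ", campaign_alerts(log))
```

On the constructed data the per-source rule flags only the ordinary mail server, and the campaign rule flags only the distributed sender.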
The Uconnect incident
In 2015, security researchers Charlie Miller and Chris Valasek made a dramatic demonstration of the vulnerability in IoT systems. Using a Chrysler media system called Uconnect, they were able to gain access to a vehicle and change the radio station. They found they could also turn on the air conditioning and control the windshield wipers. They demonstrated that they could prevent the car from taking the driver’s accelerator commands. The researchers said they could also shut down the engine and engage or disable the brakes.
Mirai
The Mirai botnet attack of 2016 shut down Amazon, Netflix, Twitter, and The New York Times for hours. It is believed that the attackers gained access to the networks through unsecured IP cameras and routers.
The FDA warning
In 2017 the U.S. Food and Drug Administration warned that some pacemakers, defibrillators, and similar devices aimed at cardiac health could be exposed to attacks and intrusions via their wireless connections.
Insecure IoT devices
Some IoT devices are more tempting targets than others. Here is a list of some of the most vulnerable devices:
Cameras
Hackers can easily gain access to cameras with live video feeds and, through them, entire networks. Once hackers have found the IP address of a livestream camera, fast computers make it possible to conduct a brute-force attack to ascertain the password and access the entire network.
Printers
Wireless printers are rarely secured, and there are millions of them in use. Internet of Things security fact sheets commonly list the example of a troll sending white supremacist literature to thousands of printers around the world a few years ago.
Smart Cars
These days, even our cars are connected to the Internet. Hackers can gain full control over crucial elements such as steering, brakes, and engine. Hacking can cause serious damage or even loss of life.
Laptops
Laptops have been a common target for hackers since they were introduced. Bloatware has been a common vector for transmission and infection with malware. Current security issues with laptops can be minimized by making sure that your new laptop has no such programs installed.
Smart TVs
Even our TVs can be hacked and used against us, as they collect data on our watching habits constantly for advertisement purposes. They are most commonly attacked by trolls who display inappropriate content or annoy users by performing random actions such as turning the television on and off or raising and lowering the volume. They are tempting targets for data pirates too, however.
Smart Locks
Internet of Things security threats sometimes put us and our loved ones in danger. Researchers have found that some popular smart locks can easily be hacked using a simple Bluetooth connection. Doing your research prior to obtaining a new lock is a must.
Garage Doors
Data from your garage doors gives intruders information such as when you typically leave your home. That lets them know when it’s safe to strike.
Smart Lights
Smart lights have become common in energy-conscious households. They represent one of the most significant IoT security challenges. Like smart locks, lights can be affected from up to 100 yards away using simple radio signals. This vulnerability is most often exploited for pranks, but it’s easy to imagine circumstances under which control of a home or business lighting system could be part of a larger, more dangerous attack.
Vacuum Cleaners
Even vacuum cleaners are not safe from modern-day burglars. Hackers can use automatic vacuums to obtain data on your home layout, which helps them find valuables more easily during a burglary.
Routers
Routers serve as the communications hub for all of the Internet devices we use in our homes, so you can see why they’re considered one of the largest IoT security concerns.
Protecting Home-Connected Devices
One of the most important steps you can take to protect a home or small-business network is to beef up the security around your router. Here are a few things you might try:
Change Your Router’s Default Name
The first thing you should do once you buy a new router or get one from your Internet provider is to access its settings and change the default name. The default name is most commonly the router’s make and model, which is exactly what those looking to gain access to it are looking for. Practical Internet of Things security basics call for you to make the name unique and unrelated to data routing.
Change the Router’s Default Username and Password
Every router manufacturer establishes a default username and password to let users log in to the router’s settings. These are most commonly the same for every router provided by the company. Changing them will ensure that those trying to get in are discouraged from doing so.
Reset Your Router Occasionally
No less a data-protection authority than the FBI recommends occasionally resetting your router. Hackers who are collecting data commonly rely on VPN filters and malware that depend on the routers’ continuous work.
Create a New Account for Guests
It’s not rude to deny outsiders full access to your network. Guest accounts with limited permissions can help ensure that your devices are secure even if your guest’s laptop is compromised. Create a separate Wi-Fi network just for visitors and avoid common IoT problems.
Update Your Software Regularly
Updates are an important safety feature. Make sure you update your Internet-connected devices, including the router, as soon as you receive the notification that an update is available. Better yet, set your devices to download and install updates automatically.
The Industries Most Vulnerable to IoT Attacks
No business that relies upon IoT technology is safe from attacks. However, some industries are more tempting targets and are more vulnerable to serious IoT cybersecurity threats:
Automobile Industry
The effects a breach in IoT security could have on the auto industry cannot be overstated. In the case of a serious breach, thousands of cars could be accessed remotely, leading to injuries and deaths all over the world.
Medical Industry
Life-threatening attacks can occur in the medical industry, as well. Just a few clicks could deactivate a patient’s remotely monitored pacemaker or insulin pump.
Pharmaceutical Industry
Poorly managed security for IoT devices that monitor medicine storage could jeopardize the well-being of countless people who depend on those drugs. Imagine if someone got access to refrigeration controls for temperature-sensitive meds.
Others
Other important aspects of our lives, such as water and electricity utilities, can be affected by IoT breaches, as these industries use internet technology to monitor and control vital systems. It is not an overstatement to say that each of us could find our lives in danger with just a few clicks from a determined bad guy.
Industrial IoT System Protection Measures
Still wondering why security is important in IoT? As we’ve seen, it’s of critical importance. To guard against the next generation of attackers, manufacturers and business users must begin employing advanced protection measures. Here are some security measures that experts such as IoT Agenda suggest:
Security as a Design Feature
Security should be considered a baseline requirement for any device under development, not a measure to be implemented once the main work has been completed. That’s true whether the device is targeting home or commercial users. Hardware and software security measures should be architected during the design phase and implemented on a pervasive basis in order to reduce IoT security concerns.
Public Key Infrastructure and Digital Certificates
Public key infrastructures and digital identity certificates are proven safety protocols for networked systems. They should be routinely implemented in IoT devices.
API Security
APIs that let IoT devices contribute data or processing to third-party applications must be hardened to ensure that outside systems don’t gain access to sensitive back-end data.
Identity Management
Internet of Things security and privacy issues will be simpler to address when identity management is more widely and uniformly implemented. Giving each device its own identifier is the key to ensuring that data is shared appropriately.
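Why a per-device identity matters, set against the single shared key described in the IEEE 802.15.4 section, as an added example that is not part of the original article. HMAC-SHA256 stands in for the link-layer cipher, and the gateway classes, device ids and payload are hypothetical names constructed for this sketch.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, sender: str, payload: bytes) -> bytes:
    """Tag covering the claimed sender id and the payload."""
    return hmac.new(key, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()


class SharedKeyGateway:
    """One network key held by every node (the shared-key setup)."""

    def __init__(self, network_key: bytes):
        self.network_key = network_key

    def accept(self, sender: str, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, mac(self.network_key, sender, payload))


class PerDeviceGateway:
    """One key per enrolled device id, derived from a master kept on the gateway."""

    def __init__(self, master: bytes, device_ids):
        self.keys = {d: hmac.new(master, b"dev|" + d.encode(), hashlib.sha256).digest()
                     for d in device_ids}

    def accept(self, sender: str, payload: bytes, tag: bytes) -> bool:
        key = self.keys.get(sender)
        return key is not None and hmac.compare_digest(tag, mac(key, sender, payload))

    def revoke(self, device_id: str) -> None:
        self.keys.pop(device_id, None)


def blast_radius() -> dict:
    """What still verifies once the key stored on 'coffee-maker' is exposed."""
    frame = b"temp=21"                                   # constructed payload
    shared = SharedKeyGateway(secrets.token_bytes(32))
    per_dev = PerDeviceGateway(secrets.token_bytes(32), ["coffee-maker", "door-sensor"])
    exposed_shared = shared.network_key                  # identical on every node
    exposed_own = per_dev.keys["coffee-maker"]           # this node's key only
    sensor_tag = mac(per_dev.keys["door-sensor"], "door-sensor", frame)
    out = {
        "shared_as_other": shared.accept("door-sensor", frame, mac(exposed_shared, "door-sensor", frame)),
        "per_device_as_other": per_dev.accept("door-sensor", frame, mac(exposed_own, "door-sensor", frame)),
        "per_device_as_self": per_dev.accept("coffee-maker", frame, mac(exposed_own, "coffee-maker", frame)),
    }
    per_dev.revoke("coffee-maker")                       # containment: drop one key
    out["after_revoke_as_self"] = per_dev.accept("coffee-maker", frame, mac(exposed_own, "coffee-maker", frame))
    out["after_revoke_other_ok"] = per_dev.accept("door-sensor", frame, sensor_tag)
    return out


if __name__ == "__main__":
    for check, verified in blast_radius().items():
        print(f"{check}: {verified}")
```

With the shared key, one exposed node can speak for any other and recovery means re-keying the whole network; with per-device keys, the exposure is limited to that one identity and ends when its key is revoked.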
Hardware Security
Most of these measures are implemented in computer code, but it would be a mistake to overlook physical security issues. Hardware should resist tampering and should report evidence of unauthorized access in IoT ecosystems.
Network Security
Businesses that use IoT technology in their day-to-day operation need to pay attention to the following things:
- Port forwarding should be disabled, especially when the ports are not in use.
- Always use reliable anti-malware applications, firewalls, and software that detects and prevents unauthorized access.
- Unauthorized IP addresses should always be blocked.
- System software should be updated immediately when updates become available.
Team Education
Keeping the staff educated and up-to-date is as critical as installing software updates. This is especially true for companies that deploy newer systems that the security teams are not familiar with.
Team Integration
Integrating programming and security personnel during the product development process has proved to provide a more secure final product.
Consumer Education
Finally, a major point in every IoT manufacturer’s business should be addressing users and ensuring they are aware of IoT security concerns related to improper use, system vulnerabilities, the importance of updates, and more.
The Internet of Things is here to stay. It can improve our lives and make businesses run more efficiently, but it comes with substantial security risks too. In the years to come, we must all take those risks to heart and take measures to minimize them.