Cybercriminals are always looking for ways to breach corporate networks and steal data, and Internet of Things (IoT) devices present them with a vast array of opportunities to do so. That’s because many IoT devices can be easily compromised. When these devices are connected to corporate networks they offer a potential way in.
As a chilling example, in 2017 hackers were able to access a casino’s database of its biggest spending customers after gaining access to its computer network through a vulnerability in a thermostat attached to a fish tank.
Even when hackers can’t jump straight from IoT devices to other corporate assets, IoT devices can be a huge cybersecurity threat. Many IoT devices collect and forward large amounts of data, and by intercepting this data cybercriminals may be able to garner information that they can exploit to successfully breach the network.
One reason that IoT devices are such tempting targets is that, quite simply, there are so many of them. Today there are an estimated 14 billion such devices, according to Statista, and this is projected to explode to about 31 billion in the next four years. Some of these devices will have been secured appropriately, but many will not. And, thanks to the rapidly increasing numbers, many organizations will struggle to manage them all securely.
Default Password Risk
One emerging security weakness is that many devices have hardcoded passwords as well as factory default usernames and passwords that are never changed. Last year, a hacker published a list of more than half a million servers, routers and IoT devices which were exposing their telnet port, along with their default logon credentials.
Aside from offering the possibility for criminals to steal data or pivot to corporate systems, IoT devices compromised in this way may be incorporated into botnets. This type of security weakness can be avoided if manufacturers use a one-time password that has to be modified when the device is initially set up, or through the use of two-factor authentication.
Lack of Security Updates
Most manufacturers make efforts to ensure that their devices are secure when they are made and sold. However, as with any type of computer infrastructure, vulnerabilities in IoT devices are bound to emerge. That means that IoT devices get less secure as they age, and research by Unit 42 in 2020 found that 57% of IoT devices were already vulnerable to medium or high severity cyberattacks.
The obvious solution is for manufacturers of IoT devices to release regular firmware security updates. The problem, however, is how to ensure that these updates are installed in a timely fashion if they are not centrally managed. Manual installation creates a huge management headache for administrators, while automated updating at unexpected times could cause operational problems.
The good news is that California and Oregon’s IoT cybersecurity laws, which came into effect at the start of 2020, require that manufacturers of IoT devices incorporate “reasonable security features” such as unique passwords and regular security updates. Other states are likely to follow suit in the future.
One further problem when it comes to security patching is the growing phenomenon of “shadow IoT” — internet-connected devices that an organization’s IT departments have not authorized and are unaware of, and which may never be updated.
After compromising IoT devices, cybercriminals will often examine the data traffic that they gain access to. Clearly this is of no value if the data is encrypted, but the evidence suggests that this is rarely the case. Palo Alto Networks’ Unit 42 report found that a staggering 98% of all IoT device traffic is unencrypted, potentially leaving highly confidential information exposed.
This statistic should be treated with some caution, however, as a relatively small number of devices could be generating a very high proportion of the total IoT traffic, and much of this could be fairly mundane data rather than confidential information.
Nonetheless, it is clear that almost all IoT traffic is unencrypted, and it will be a major challenge for IT departments to rectify this situation in the short to medium term.
Lack of IoT Management
Perhaps the biggest emerging IoT cybersecurity threat comes down to the lack of adequate management of IoT devices.
A survey carried out by ZK Research in 2020 found that up to 15% of all IoT devices are shadow IoT devices, and up to 20% of all devices run unsupported legacy operating systems such as Windows 7. Many of these devices connect back to corporate IT systems, presenting a clear cybersecurity risk. However, without visibility into these devices or the ability to update unsupported operating systems, there is little that network administrators can do about them.
One option is to isolate (known) IoT devices and their back-end systems on VLANs that are separate from other corporate systems. A better option may be to connect IoT devices to IoT data hubs and management systems hosted in the cloud by providers like IBM, Google, Microsoft, and AWS.
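To make the visibility problem concrete, the sketch below is an added example (not from the original article) that compares devices observed on the network against an authorized inventory and flags shadow devices, unsupported operating systems, devices outside the IoT VLAN, and plaintext services such as telnet. The inventory, observations, VLAN number and record layout are all constructed assumptions, and the observations are assumed to be already filtered to IoT-type devices.

```python
from dataclasses import dataclass

IOT_VLANS = {30}                # assumption: VLAN 30 is the isolated IoT segment
UNSUPPORTED_OS = {"Windows 7"}  # legacy OS named in the article
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 1883: "mqtt"}  # unencrypted services

@dataclass(frozen=True)
class Observation:              # one device as seen on the wire (hypothetical schema)
    mac: str
    vlan: int
    open_ports: tuple

# Constructed inventory of authorized devices, keyed by MAC address.
INVENTORY = {
    "02:00:00:00:00:01": {"name": "lobby-thermostat", "os": "vendor-rtos"},
    "02:00:00:00:00:02": {"name": "hmi-panel", "os": "Windows 7"},
    "02:00:00:00:00:03": {"name": "door-camera", "os": "embedded-linux"},
}
# Constructed observations, e.g. exported from switch or DHCP data.
OBSERVED = [
    Observation("02:00:00:00:00:01", 30, (443,)),
    Observation("02:00:00:00:00:02", 30, (443,)),
    Observation("02-00-00-00-00-03", 10, (23, 443)),  # vendor-style MAC format
    Observation("02:00:00:00:00:99", 10, (80,)),      # nobody registered this one
]

def normalize(mac):
    """Canonical lower-case, colon-separated MAC so lookups do not miss."""
    return mac.strip().lower().replace("-", ":")

def audit(observed, inventory):
    """Return {mac: [issues]} for every observed device with at least one issue."""
    findings = {}
    for obs in observed:
        mac, issues = normalize(obs.mac), []
        asset = inventory.get(mac)
        if asset is None:
            issues.append("shadow device: not in inventory")
        elif asset["os"] in UNSUPPORTED_OS:
            issues.append(f"unsupported OS: {asset['os']}")
        if obs.vlan not in IOT_VLANS:
            issues.append(f"outside IoT VLAN: seen on VLAN {obs.vlan}")
        issues += [f"plaintext service: {PLAINTEXT_PORTS[p]}/{p}"
                   for p in obs.open_ports if p in PLAINTEXT_PORTS]
        if issues:
            findings[mac] = issues
    return findings

if __name__ == "__main__":
    for mac, issues in audit(OBSERVED, INVENTORY).items():
        print(mac, "->", "; ".join(issues))
```

Without the MAC normalization step, the camera reported in dash-separated form would be misclassified as a shadow device, which is a common source of false positives when inventory and network data come from different tools.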
Looking to the Future
If the projections are correct and 15 billion new IoT devices are commissioned over the next four years, then this will present a potential bonanza for cybercriminals unless a great deal of work is done.
IT departments will have to ensure that IoT management systems are implemented more widely, shadow IoT devices are detected, and processes covering basic security measures such as changing default passwords, installing security patches and encrypting data-in-motion are put into place.