Balancing Risks and Benefits

Why security is critical to the success of the Internet of Things.

The Internet of Things (IoT) has enabled organizations to gain greater insight into their operations than ever before. By deploying low-power sensors and smart devices throughout the enterprise, organizations can capture real-time data that enables better decision-making. The benefits are so great that the number of connected IoT devices is expected to increase 18 percent in 2023 to 14.4 billion, and almost double to reach 27 billion by 2025.

The IoT also poses risks, however. Many organizations are deploying IoT devices with the presumption that those devices are secure. Many of these devices weren’t really designed to be connected to the open Internet and have only the most rudimentary security controls.

If IoT devices aren’t secure, attackers can steal or modify data or leverage the weak devices to gain access to the company network. Once inside, an attacker can launch a malware attack or infiltrate sensitive systems, disrupting operations. These risks are particularly pronounced with the Industrial Internet of Things (IIoT), which drives critical industries such as manufacturing, energy and transportation.

Vulnerabilities may be found in seemingly innocuous devices such as thermostats, electronic card readers and other building controls that are connected to the network. Additionally, users often deploy IoT devices without IT’s knowledge, making it difficult to identify threats.

Identifying Risks

The OWASP Internet of Things Project has listed 10 of the most significant vulnerabilities found in IoT devices:

  • Insecure web interfaces, insecure cloud interfaces and insecure mobile interfaces do not lock out accounts after X number of failed login attempts, and may reveal account information when the wrong credentials are entered. They may also be vulnerable to cross-site scripting and SQL injection attacks.
  • Insufficient authentication/authorization mechanisms may not require strong passwords, and may transmit credentials in clear text when password resets are requested.
  • Insecure network services expose ports to the Internet, and leave open unnecessary ports. This makes the devices susceptible to buffer overflow and denial of service (DoS) attacks.
  • Lack of transport encryption allows IoT data to be viewed in clear text as it travels across the Internet.
  • Privacy concerns are also related to unavailable or misconfigured encryption. Sensitive data is often collected and transmitted by IoT devices and may be exposed if not encrypted. IoT devices generally lack mechanisms for anonymizing data or giving users control over what data is collected.
  • Insufficient security configurability limits the user’s ability to alter the device’s security controls such as setting password policies, logging security events and setting up event notifications.
  • Insecure software/firmware results when there is no mechanism for installing updates when vulnerabilities are discovered. Software/firmware may also be insecure if user credentials are hard coded.
  • Poor physical security allows an attacker to disassemble the device or to access external ports or removable storage media.

Security Strategy

Researchers with HP tested some of the most commonly used IoT devices against the OWASP vulnerability list. Seventy percent contained vulnerabilities, with an average of 25 vulnerabilities per device.

Most of these vulnerabilities must be addressed by device manufacturers — there’s little end users can do to remediate them. Many IoT device manufacturers are working to improve their security and privacy capabilities, but organizations must assume IoT devices are insecure and take what steps they can to reduce the risk.

The key is to follow basic security best practices. Select devices that have the strongest security controls. Change the default username and password on the device. Use strong passwords. Implement robust encryption for data at rest in storage and in flight across the network.

It’s critical that security controls be implemented in the early stages of an IoT initiative. Given the sheer size, complexity and rapid growth of the IoT, remediating vulnerabilities reactively or retroactively is simply not feasible. In light of that, organizations should develop a comprehensive strategy for IoT security and take steps to identify and remediate any network vulnerabilities.

Many organizations are racing to tap the operational benefits of the IoT, and to gain business insight from the vast amounts of data collected by IoT devices. However, security is critical to the success of any IoT initiative. Until IoT device security becomes more robust, organizations must ensure that the IoT does not leave them vulnerable to attack.

