Despite the attention placed on improving IoT device security, it still remains a weak link. Most of these devices do not have basic security capabilities, and when they do there’s often a configuration problem that renders it vulnerable. The sheer number of IoT devices provides many opportunities for hackers to commit security breaches.
There are now more devices than there are people on the planet, and this number is expected to reach more than 20 billion by 2020 according to Gartner. The wide range of IoT applications run from sensors placed in cornfields to connected cars and even connected sports equipment. This breadth of usage provides hackers with many opportunities to poke around, find security holes and then control the devices and/or steal important data.
To prevent IoT-related threats, firms engaging with such devices should squarely focus on security for the remainder of 2018.
Improving ransomware protections
The WannaCry attack that started in May 2017 is an example of how quickly ransomware can spread. It took advantage of users that did not deploy a Microsoft patch, and was able to spread to more than 230,000 computers and cause hundreds of millions (if not billions) of dollars in damages.
The ransomware threat for IoT devices is growing, as hackers are met with improved security of PCs and networks and they want to find alternative “easy marks.” A group of white hat hackers showed two years ago how they took over a smart thermostat from hundreds of miles away as a demonstration of how hackers could hold such devices ransom. The implications for such attacks are staggering, with the potential for hackers to commandeer IoT-connected machinery, connected cars and other systems. For example, Johnson & Johnson warned in 2016 that one of its insulin pumps was susceptible to hackers, who could conceivably control the pumps and deliver an unauthorized injection.
The aim for many of these hacking attempts will be to control (and ransom) the actual devices, and many firms will be tempted to pay because their businesses rely so heavily on the uninterrupted performance of those very devices. Consider an industrial setting where locking all IoT devices could mean interruption to the power grid, or cessation of all work on a production line. And even if the hacker’s end game is not to control the thermostat, these IoT devices are still all connected to the home Wi-Fi and act as an easy entry point to the network.
Making the case for encryption
Security professionals should also implement encryption protocols for data when it moves between IoT devices, while it’s static, and transitions to back-end systems. Using cryptographic algorithms for IoT data helps firms ensure data integrity and mitigates risk as a target for hackers. The industry challenge for 2018 is how companies will develop encryption protocols and processes that work best for the massive range of IoT devices. For sectors such as healthcare that are being transformed by IoT, encryption is mandatory. Such devices are transmitting very personal and identifiable data about patients, and in some cases the data is exposed in transit.
IoT devices are susceptible to botnet attacks, such as Mirai and JenX, which target routers, digital cameras and other devices that are connected to the internet. These botnets pull together bandwidth, which can then be used for distributed denial-of-service and other forms of attacks.
There are several recommended security improvements for IoT, including the need for a system of regular software updates. Unlike PCs or networks, many IoT devices do not receive any updates, so they’re left in the same security state as they were when they left the manufacturer. The problem is that hackers are always trying to exploit devices through new methods and programs. Without updates, the devices themselves are vulnerable because they aren’t programmed to deflect the very latest hacking attempts. Device manufacturers should ensure their IoT components are set up with regular updating (and users must perform the updates) in order to deter exploit attempts.
Additional IoT cybersecurity initiatives include two-factor authentication between machines, so IoT implementations can have an extra layer of protection with second factor, but without the need for manual human entry. There’s also the need for improved management of multiple user access for single devices through biometrics and advanced digital certificates. Data analytics and machine learning can play a role by analyzing information about IoT security issues and helping to develop the best future protections based on past events. Such analytics can also be used to spot threats in action by detecting anomalies and then automating preventative measures.
As the number of IoT devices continues to rise, and these devices alter how people work and play, there’s a corresponding need for protection. The industry as a whole needs to shift to improving security on the front end by refining security protocols and developing standards. And there needs to be complete security through the device’s entire lifecycle. Companies must focus their attention on all cybersecurity threats for the rest of 2018, with an emphasis on developing plans for IoT security.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.