5 Reasons Why IoT Security Matters in Lockdown
Undoubtedly, 2020 will prove to be a tough year for CISOs. Amid these challenging times, the most disturbing news about cyberattacks involved healthcare-related breaches that resulted in 39.92 million breached healthcare records. As the penetration of IoT devices continues to grow across manufacturing, healthcare and retail, IoT security cannot be an afterthought.
NTT Data predicts that by 2025 the number of connected devices worldwide will hit 80 billion. Last year, IoT adoption by the enterprise grew by 21.5 percent, according to Gartner research, totaling 4.8 billion connected devices. That’s a lot of new devices on corporate networks that could serve as an entry point for a security breach.
But it gets worse. The security of IoT devices has deteriorated over the past two years, according to Unit 42, the threat intelligence team at Palo Alto Networks. An unbelievable 98% of all IoT device traffic is unencrypted, according to Unit 42, with roughly 57% of IoT devices vulnerable to medium- or high-severity attacks.
“With many devices being so easy to control, we predict there will be a rise in hackers attaching them as a part of a botnet to create DDoS attacks,” says Bill Conner, CEO of network security firm SonicWall. “Combining infected computers with connected devices gives hackers the ability to increase the strength and size of DDoS and other bot-centric attacks, making these attacks on IoT devices even more deadly.”
Now that you’re paying attention, let’s talk about five of the ways that a company’s IoT devices might pose a security risk. These are holes to watch—and ideally plug before it is too late.
Threat #1: Not Knowing What’s Connected to the Network
With nearly 5 billion devices connected to corporate networks, it is easy to lose track of individual devices. They often come online in batches, or even without the awareness of the security team, and that makes them easy to miss.
Losing track of devices on the network, or failing to monitor and strictly identify them, breaks zero trust networking principles. It also presents a compelling target for cybercriminals looking for an opening. Devices in the shadows are often the best place to strike.
“The first step of securing IoT devices involves taking an accurate inventory, understanding the communication flows for these devices and identifying any vulnerabilities associated with these sensors,” says Saumitra Das, chief technology officer for AI-assisted network threat detection platform Blue Hexagon.
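The inventory and communication-flow check described above can be sketched as follows. This is an added example, not code from the original article or from any vendor it quotes; the inventory, the "src_mac,dst_ip,dst_port" flow format and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: MAC -> (label, set of (dst_ip, dst_port) the device should reach)
INVENTORY = {
    "00:11:22:aa:bb:01": ("lobby-camera", {("10.0.5.10", 443)}),
    "00:11:22:aa:bb:02": ("hvac-sensor", {("10.0.5.20", 8883)}),
    "00:11:22:aa:bb:04": ("badge-reader", {("10.0.5.30", 443)}),
}

# Constructed flow records in a hypothetical "src_mac,dst_ip,dst_port" export format
FLOWS = """\
00:11:22:aa:bb:01,10.0.5.10,443
00:11:22:aa:bb:02,10.0.5.20,8883
00:11:22:aa:bb:02,203.0.113.7,23
00:11:22:AA:BB:03,10.0.5.10,443
malformed line
"""

def parse_flows(text):
    """Yield (mac, dst_ip, dst_port) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0].lower(), parts[1], int(parts[2])

def reconcile(inventory, flows):
    """Return (unknown devices, unexpected flows of known devices, silent devices)."""
    unknown, unexpected, seen = defaultdict(set), defaultdict(set), set()
    for mac, ip, port in flows:
        if mac not in inventory:
            unknown[mac].add((ip, port))      # on the wire but not in the inventory
            continue
        seen.add(mac)
        if (ip, port) not in inventory[mac][1]:
            unexpected[mac].add((ip, port))   # known device, unapproved destination
    return dict(unknown), dict(unexpected), set(inventory) - seen

if __name__ == "__main__":
    unknown, unexpected, silent = reconcile(INVENTORY, parse_flows(FLOWS))
    for mac, dests in unknown.items():
        print(f"UNKNOWN DEVICE {mac} -> {sorted(dests)}")
    for mac, dests in unexpected.items():
        print(f"UNEXPECTED FLOW {INVENTORY[mac][0]} ({mac}) -> {sorted(dests)}")
    for mac in sorted(silent):
        print(f"NOT SEEN {INVENTORY[mac][0]} ({mac})")
```

Devices reported as not seen are worth a look as well: they may be decommissioned entries, or devices that moved to a segment the sensor does not cover.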
Threat #2: Hard to Patch Vulnerabilities
All software has the potential for bugs and backdoors that were never considered by the code’s creators. This is the reality even for the most robustly developed software, let alone software created to power the hardware that is the basis of an IoT device business.
So vulnerabilities will emerge and need patching.
The problem is that IoT devices often have weaker software update mechanisms and less patch management oversight. Taking IoT devices offline can sometimes be prohibitive, too. So a second security threat is unpatched IoT software vulnerabilities.
“IoT devices are usually such a key part of an enterprise’s day-to-day operations, they cannot be taken down even if there is a vulnerability associated with them,” notes Das. “Therefore, enforcement may entail segmenting and actively monitoring these devices until they can be patched.”
Threat #3: Hard-Coded Passwords
Many businesses today don’t understand that IoT products carry security threats that cannot be mitigated even if the IT department is constantly changing passwords to increase safety.
“Currently one of the biggest threats, which is also one of the oldest and least sophisticated types of attack, is brute-force password attacks,” says Conner at SonicWall.
That’s because many IoT devices still have hidden hard-coded accounts, he notes, and once hacked they are accessible to anyone.
“Patching this doesn’t fix these issues, and it actually results in highly vulnerable devices,” he says. “This allows hackers to create exploits against these vulnerabilities, which individuals must be very aware of. By using very commonly known exploits such as pass the hash attacks, unauthenticated access, encrypted keys, etc., hackers can easily access the devices and gain access to the network’s sensitive data.”
Threat #4: Man-in-the-Middle Attacks
Back to that 98 percent of IoT network traffic that is unencrypted.
Since so much IoT traffic is going unencrypted, perhaps the result of the extra processing burden at the edge of the network, there’s a rather large window for cybercriminals to listen in on or manipulate IoT data via a man-in-the-middle attack.
“In a MITM attack, an attacker breaches and intercepts the communications systems between IoT devices or between IoT devices and their control systems,” explains Das at Blue Hexagon. “Attackers can then passively listen in on the connection or they can send malicious or illegitimate messages back to the IoT devices.”
If these are lighting sensors, the damage might be relatively small. But if the intercepted IoT traffic involves devices that perform critical functions, a man-in-the-middle attack could be devastating or even deadly.
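One lightweight defense against the injected or altered messages described above is to authenticate every control message and reject replays. The sketch below is an added example, not from the original article; the message layout (8-byte counter, payload, HMAC-SHA256 tag), the pre-shared key and the payloads are assumptions. It covers integrity only; keeping a passive listener out still requires encrypting the channel, for example with TLS.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Controller side: prepend an 8-byte counter, append an HMAC over both."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Device:
    """Device side: accept a message only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, message: bytes):
        if len(message) < 8 + TAG_LEN:
            return None                       # too short to hold counter and tag
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or altered in transit
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None                       # replay of an earlier valid message
        self.last_counter = counter
        return body[8:]

def demo():
    key = bytes(range(32))                    # constructed demo key, not for real use
    device = Device(key)
    genuine = seal(key, 1, b"valve=closed")
    # Constructed tampering: payload swapped in transit, original tag kept
    tampered = genuine[:8] + b"valve=open!!" + genuine[-TAG_LEN:]
    return [
        device.receive(tampered),                      # rejected: tag mismatch
        device.receive(genuine),                       # accepted
        device.receive(genuine),                       # rejected: replay
        device.receive(seal(key, 2, b"valve=open")),   # accepted: counter advanced
    ]

if __name__ == "__main__":
    print(demo())
```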
Threat #5: Direct Access and Control of IoT Devices
Finally, if there’s one thing the world has learned from the science-fiction series Battlestar Galactica, it is the mayhem that can be caused by connected devices that fall into the wrong hands.
In the TV series, aliens hijacked human civilization and completely deactivated it right before an attack. More plausible for corporate America, hackers can use insecure IoT devices for espionage and data theft.
“Confidential information such as personal details, credit card information, email addresses are sometimes stored in these devices,” notes Das. “Additionally, attackers can attack these IoT devices to acquire confidential information in real-time such as triggering a smart camera in an organization to begin recording footage of activities, or triggering IP phones in a conference room to record conversations.”
You don’t have to be Amazon’s Jeff Bezos or use WhatsApp to potentially have hackers listening in on company business. IoT devices might be all an attacker needs.
Security leaders will need to understand the IoT devices on their network, improve IoT device configuration management, and double down on IoT log correlation. So pay attention to your company’s IoT devices, and get them secured. The party’s fun right now, but security incidents are just around the corner for businesses that don’t take IoT threats seriously.