Threats to IoT Devices
IoT devices face various threats. Firmware (software on all IoT devices that operates hardware) can be exploited, and even if vulnerabilities are known, patches may not be available or applied.
Attackers can also break into a network using default usernames and passwords that clients have not changed or cannot change. This vulnerability was exploited by the Mirai malware, which used 61 common default credentials to launch devastating denial of service attacks.
Devices can also be vulnerable to in-path attacks, in which an attacker is positioned between an IoT device and a server – for example, between a security camera and its cloud server – and intercepts communications between them. The risk of data exposure in these scenarios is high, as many devices do not encrypt communications by default.
Because IoT devices connect to the Internet, attackers can exploit known vulnerabilities and take control of devices as a first step to carrying out attacks that allow them to move laterally across a corporate network, steal data, plant malware or access sensitive information.
DISCOVER: Learn about the latest trends and tactics used by cybercriminals.
IoT devices can be risky for two reasons: they are easy to exploit, and once exploited, they can wreak serious havoc.
Many devices are not designed with security as a priority: they may have poor internal controls, ship with hard-to-change default passwords, be unable to encrypt data, or have known vulnerabilities for which the manufacturer does not did not release a patch in a timely manner.
Once an IoT device is exploited, the damage that cyberattackers can cause can be severe. Compromised IoT devices that provide physical access, such as card reader systems, could allow unwanted visitors to enter a facility without an audit trail. IoT-based HVAC systems without proper security could allow cyberattackers to take control of a building’s temperature and humidity remotely, damaging inventory or disrupting work.
READ MORE: Learn how small businesses can fund their ransomware protection.
What steps can IT managers take?
Ultimately, organizations must strive to secure every device or node in an IoT network. Following these steps below should help IT managers improve their IoT security.
IT teams must ensure that devices are sufficiently authenticated (with a genuine TLS certificate, for example) so that requests to applications, services and protocols come from authorized devices.
- Know what you have: Many IT professionals ignore all IoT devices on their networks. A 2020 Infoblox study found that over a 12-month period, 80% discovered unknown IoT devices on their networks. IoT device management platforms can provide teams with visibility into all of their inventory and potential security issues. A device management system can identify and profile all devices and monitor them regularly.
- Choose the right devices: Organizations should only acquire IoT devices designed with effective security features, and only from manufacturers who release security updates in a timely manner. California and Oregon laws require devices sold in those states to be equipped with reasonable security features, such as one-time passwords, regular security updates, and vulnerability disclosures. Organizations should avoid devices without an external interface or with non-modifiable credentials, and they should disable any unnecessary features such as microphones and ports.
- Secure access to your device: Cybercriminals access devices in uncontrolled environments, or through stolen credentials, to download malware, access unencrypted data, or incorporate devices into botnets. IT professionals should change default credentials when installing an IoT device and should avoid reusing the same credentials on multiple similar devices.
- Secure data: Encryption helps protect data at rest and in transit, even if it were to be accessed or stolen by an unauthorized entity. Encryption is essential to prevent eavesdropping, which is particularly prevalent in industrial espionage.
- patch, patch, patch: When a manufacturer releases a security update for a discovered vulnerability, IT teams should immediately update devices in the field. Waiting even a few days can mean hackers can exploit the vulnerability.
The convenience and functionality of IoT networks is a game-changer for the industry. But it’s worth taking the time to make sure IoT networks haven’t also opened the door to cybercriminals. There are several additional actions organizations can take to protect IoT workloads and data, including network segmentation, network traffic monitoring and analysis. But following these five steps will give you a head start on managing the most common risks.