IoT security risks are real – this is how you mitigate them

Written by Martin Giess, CTO & co-founder at EMnify

IoT hacks are sadly becoming an increasingly regular occurrence as the world becomes more digitized and an ever greater number of devices are being connected to the Internet. The threat of security breaches and intrusions makes IoT security imperative for companies and consumers alike.

Hacks and breaches of and intrusions into smart device networks are becoming increasingly frequent. The recent cyber-attack on the Colonial Pipeline, the American oil pipeline system integral to the energy security of the Southeastern United States, is only the latest occurrence of criminal cyber breaches of Internet of things (IoT) enabled smart infrastructure.

The Colonial Pipeline hack had a devastating impact on commercial activity in several states, with many petrol stations being without fuel for several days. This was a criminal attack by a cyber racket that held the computerized equipment managing the pipeline for ransom. Whether it is done by a criminal organisation, a hostile nation state or an individual with bad intentions: hacks of IoT are a looming threat that will only become more prevalent in the future as more and more devices become smart.

Essentially any Internet-connected device is vulnerable to being hacked and misused. In the age of the Internet of Things, that means that malicious actors could potentially exploit vulnerabilities to billions of connected devices to access confidential data, spread malware or ransomware, assimilate devices into a botnet, shut down utilities and other pieces of infrastructure or even cause tangible harm.

What companies need to understand is that cybersecurity threats are continually evolving and that concomitantly their cyber defenses need to keep up with them. If companies are serious about protecting their organizational assets and their end users – and they should be – they should particularly do the following: 

  • Gain a greater understanding as to how their IoT applications could be vulnerable to hacking attempts
  • Do an in-depth analysis of past IoT security breaches, hacking attempts and failures and incorporate the lessons learned into their security strategy; and
  • Incorporate the solutions and strategies that make their applications more secure into the design and use protocols of new devices

 

Check the security of IoT application against potential hacking attempts

It starts with weak authentication

Perhaps the most common problem in cybersecurity – and the one that can most easily be mitigated by common sense – is the general human tendency toward laziness: people just use passwords that are too simple, like “123”, “ABC” or a combination of alphanumeric characters that are comparatively easy to “guess” or arrive at in a brute force attack. In essence, passwords are the first line of defense against malicious attackers trying to breach your network. But if an employee’s password isn’t strong enough, your devices and network aren’t secure. More worrisome is that in some cases passwords may even be publicly accessible or stored in an application’s source code. As such, the first rule of a proper “cybersecurity hygiene” has to be having strong passwords that brute force attacks cannot just simply guess.

 

A lack of encryption during data transmission can be costly

Ancillary to the above point, another substantial threat to the security of your IoT networks is a lack of encryption used for regular transmissions among devices. Many IoT devices that do not necessarily store sensitive data – such as thermostats – do not encrypt the data they send to other devices. Yet if someone manages to compromise the network, they could thereby still intercept credentials and other important information transmitted to and from that device.

 

Low processing power obstructs timely security updates

Many IoT applications are engineered in such a way that they use data economically, so that costs are reduced and battery life can be extended. However, this makes it difficult to send over-the-air (OTA) updates to these devices to update their security settings. As such, this leaves them vulnerable to hacking.

Other common issues are legacy assets that weren’t originally designed for cloud connectivity, shared network access with a multitude of devices with different security settings using the same network, inconsistent security standards stemming from a hitherto lack of common standards as well as missing firmware updates.

 

An analysis of past security breaches can provide you with valuable insights

While technology has evolved and every year a myriad different attack vectors and zero-day exploits come to light, analysing past security breaches can help you in predicting the behaviour and motivations of malicious actors. The aforementioned cyber attack on the Colonial Pipeline, for example, was about extorting a ransom payment.

Similarly, the 2016 Mirai botnet case became famous – or rather infamous – because the malware managed to assimilate over 145,607 video recorders and IP cameras into this botnet in order to wreak havoc. The botnet was created by a single hacker – a college student – and came about by the aggregation of unsecured IoT devices. In several attacks, the botnet firstly crashed Minecraft servers, but then quickly went on to launching attacks on French web hosting service OVH, as well as the websites of Netflix, Twitter, Reddit, The Guardian, and CNN. Yet more worrisome is that the malware’s code is apparently still out on the Internet and successors of Mirai have been created to do a host of nefarious things like hijacking cryptocurrency mining operations.

Yet more worrisome was the 2017 announcement by the US Food and Drug Administration (FDA)  that more than 465,000 implantable pacemaker devices by manufacturer St. Jude Medical were vulnerable to hacking. While there were no known hacks, and St. Jude Medica was quick to patch the devices’ security flaws, it was a disturbing revelation with potentially fatal implications. If a hacker would have come to control these pacemakers they could have literally killed people by depleting the battery or altering the bearer’s heart rate.

 

Familiarize yourself with the strategies and solutions that secure your applications

So what can companies do to keep their IoT devices secure? Well, companies should take their cues from previous incidents and incorporate the solutions that secure their applications into the design and use protocols of new devices right from the start.

For one thing, companies should make the best use of physical security – fences, doors, shutters –  to keep their devices secure. Another issue, specific to cellular IoT devices, is that a lot of the critical information is stored on the SIM card. In general, form factors for SIMs are removable, which makes this data more vulnerable. However, using an eSIM is the better option as the eSIM is soldered directly onto the circuit board and thus much harder to physically access.

Likewise, it pays for companies to include remote access security into their products that lock SIM functionality to specific devices and gives them the ability to remotely disable connections if there’s a physical security breach.

Similarly, being aware of the risks inherent in public networks, companies should consider building private networks on top of existing security mechanisms to ensure that data never crosses the public Internet.

Furthermore, it is recommended to include abnormality detection and IMEI locks, to encrypt all data transfers, have a network based firewall and limited connectivity profiles for all devices.

 

Securing devices takes effort from both manufacturers and users

Ensuring IoT security requires manufactures and users to make a conscious and constant effort. An important part of IoT security is building up a separate, controllable environment that is not integrated into a customer’s incumbent networks (e.g. Wifi or Ethernet) – i.e. environments that may already have security flaws like weak Wifi passwords or outdated operating systems – as this may in turn compromise the security of the new IoT network. Companies can get around this issue by using a cellular IoT network, because with a cellular network all devices are in a separate network, which can be controlled.

Besides this, managed security services such as a network firewall or a virtual private network (VPN) can be used to protect against malicious data filtering.

Furthermore, using a Secure Access Service Edge (SASE) is an effective way of controlling all data connections to an intranet, a SaaS-cloud and remote workers. With SASE, the software-defined networking keeps a company’s data local – something that ingeniously complements equipment like data access brokers, network firewalls and VPNs.

In summary, it boils down to having standardized managed security services, like firmware updates, firewalls, etc. in place,  that provide comprehensive security and take the pain of securing the devices away from the device manufacturers. Customers are naturally more aware of their security requirements as the device manufactures themselves and so they should implement as many of the industry best practices as possible.The threat of security breaches is ever evolving and companies need to keep up to date.

 

About the author

Martin Giess is CTO and co-founder at EMnify, a leading cloud communication platform provider for IoT. In his role, he oversees the technical execution of EMnify’s product vision. Martin brings 20 years of experience as a technology expert in agile development of innovative telecom services. Before founding EMnify, he held technical VP positions at Syniverse and MACH.