How to Address 6 Security Weak Spots in Your IoT Armor
With the number of IoT devices growing by leaps and bounds annually, organizations face ever-evolving threats to their network security. Here are six holes that you can plug now.
- By Christian Bick
- October 27, 2021
After a record year in 2020, cyberattacks continue to escalate in severity, frequency, and sophistication. It’s a challenge exacerbated by the rapid expansion of the Internet of Things (IoT), an ecosystem that includes everything from cloud-based operations and sensor technology to a plethora of devices. According to Forbes, the number of IoT connections could hit 30 billion by 2025. That’s a vast -- and growing -- attack surface, one that 77 percent of organizations are facing without an incident response plan. Alas, there are no foolproof precautions, but you can increase your cyber resilience and make yourself less of a target.
Securing the Internet of Things
In our rush to adopt new digital technologies, many businesses overlook the security measures needed to benefit from all their data and connectivity while keeping the risks in check. Rest assured, opportunities for hackers to penetrate your critical infrastructure exist right across the spectrum, from outdated hardware and VPNs to cryptographic key storage and the tracking of updates and patches. Let’s take a look at six common points of entry and how to mitigate the risk they pose.
1. Hardware Errors and Vulnerabilities
One huge challenge facing hardware is the set of inherent vulnerabilities within processors that attackers exploit to inject malicious code into trusted devices. Spectre is a security vulnerability affecting processors in desktops, laptops, smartphones, and cloud servers. It takes its name from “speculative execution,” the technique by which processors predict upcoming instructions, prepare the resulting execution path, and fetch commands from memory ahead of time. By breaking the isolation between applications, Spectre “tricks” programs into leaking sensitive data, including passwords, via a side channel.
Solution:
- Monitor the disclosure of new security vulnerabilities
- Identify critical infrastructure that can be affected by such vulnerabilities, ideally automating this process with the help of an inventory
- Patch critical software with workarounds -- even though this can have performance drawbacks
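The second and third points can be automated on Linux fleets because the kernel reports its own mitigation status: it exposes one file per known speculative-execution vulnerability under /sys/devices/system/cpu/vulnerabilities, each holding a line such as “Not affected”, “Vulnerable: …” or “Mitigation: …”. The script below is an added example, not part of this article or any vendor’s tooling; it classifies those lines and rolls them up across an inventory so unmitigated hosts surface automatically. The host names and status lines in SAMPLE_FLEET are constructed for the example.

```python
"""Added example: inventory hosts' CPU vulnerability status from Linux sysfs.

Linux exposes one file per known speculative-execution vulnerability under
/sys/devices/system/cpu/vulnerabilities; each holds a single status line such
as "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>".
This script classifies those lines and rolls them up across a fleet so the
unmitigated hosts can be found automatically.
"""
import os
from typing import Dict, List

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample output for two hosts, in the same format sysfs produces.
# Used when the script runs on a machine without that directory.
SAMPLE_FLEET: Dict[str, Dict[str, str]] = {
    "hmi-gateway-01": {
        "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
        "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
        "meltdown": "Mitigation: PTI",
        "mds": "Vulnerable: Clear CPU buffers attempted, no microcode",
    },
    "hmi-gateway-02": {
        "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
        "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling",
        "meltdown": "Not affected",
        "mds": "Not affected",
    },
}


def read_sysfs_status(path: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read every status file under the sysfs vulnerability directory."""
    status: Dict[str, str] = {}
    if not os.path.isdir(path):
        return status
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name), encoding="ascii", errors="replace") as fh:
                status[name] = fh.read().strip()
        except OSError:
            continue
    return status


def classify(status_line: str) -> str:
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    line = status_line.strip()
    if line.startswith("Vulnerable"):
        return "vulnerable"
    if line.startswith("Not affected") or "Mitigation:" in line:
        return "ok"
    return "unknown"


def unmitigated(status: Dict[str, str]) -> List[str]:
    """Names of vulnerabilities the kernel reports as unmitigated on this host."""
    return sorted(name for name, line in status.items() if classify(line) == "vulnerable")


def fleet_report(fleet: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """host -> unmitigated vulnerabilities, listing only hosts that need patching."""
    report = {host: unmitigated(status) for host, status in fleet.items()}
    return {host: vulns for host, vulns in report.items() if vulns}


if __name__ == "__main__":
    live = read_sysfs_status()
    fleet = {"localhost": live} if live else SAMPLE_FLEET
    for host, vulns in fleet_report(fleet).items():
        print(f"{host}: unmitigated -> {', '.join(vulns)}")
```

Run it on each host (or collect the sysfs files centrally) and feed the per-host dictionaries into fleet_report; a host appearing in the output is one where the kernel itself says a workaround is not in place, which is exactly the list the patching step needs.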
2. Outdated, Weak, and Compromised Firmware
Between October 2019 and June 2020, the Mozi botnet -- a form of peer-to-peer malware -- eclipsed threats from other variants such as Mirai to account for nearly 90 percent of observed IoT network traffic. This ballooning was the result of the rapid expansion of the IoT landscape and the malware’s adoption of command injection (CMDi) attacks that exploit misconfigured IoT devices. Everything from home security cameras and vehicle trackers to industrial control systems can fall victim to denial-of-service attacks, data theft, and spam.
Solution:
- Keep devices’ firmware up to date
- Use a device inventory that provides a protocol for firmware updates
- Educate yourself about firmware exploits
- Test every device against common attacks before putting it into service
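Keeping firmware current only helps if the device refuses images it cannot trust. The following added example (not code from this article or from any device vendor) shows the checks an updater should run before flashing: manifest authenticity, image integrity, model match, and an anti-rollback version comparison. For simplicity the manifest is authenticated with an HMAC under a key shared with the update service; that is an assumption of the example, and a production updater would use an asymmetric signature so the device never holds a signing secret. The key, image bytes and model name are constructed.

```python
"""Added example: verify a firmware update before flashing it.

Checks, in order: the manifest is authentic, the image matches the manifest's
hash, the image is for this device model, and the version is newer than what
is installed (anti-rollback). Manifest authenticity is shown with an HMAC keyed
by a secret shared with the update service; that is an assumption for the
example, and a production updater would use an asymmetric signature.
"""
import hashlib
import hmac
import json
from typing import Tuple

MANIFEST_FIELDS = ("model", "version", "sha256")


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def manifest_mac(manifest: dict, key: bytes) -> str:
    """MAC over the canonical JSON encoding of the signed manifest fields."""
    body = json.dumps({k: manifest[k] for k in MANIFEST_FIELDS}, sort_keys=True)
    return hmac.new(key, body.encode(), "sha256").hexdigest()


def build_manifest(model: str, version: str, image: bytes, key: bytes) -> dict:
    """What the update service would publish alongside an image."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    manifest["mac"] = manifest_mac(manifest, key)
    return manifest


def verify_update(image: bytes, manifest: dict, device_model: str,
                  installed_version: str, key: bytes) -> Tuple[bool, str]:
    """Return (accept, reason). Every check must pass before the image is flashed."""
    if not hmac.compare_digest(manifest_mac(manifest, key), manifest.get("mac", "")):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    if manifest["model"] != device_model:
        return False, "image is for a different model"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "downgrade or reinstall refused (anti-rollback)"
    return True, "ok"


# Constructed demo data: not a real key or firmware image.
UPDATE_KEY = b"constructed-demo-key-not-for-production"
GOOD_IMAGE = b"\x7fELF constructed firmware image for cam-x200 v1.4.2"
GOOD_MANIFEST = build_manifest("cam-x200", "1.4.2", GOOD_IMAGE, UPDATE_KEY)

if __name__ == "__main__":
    print(verify_update(GOOD_IMAGE, GOOD_MANIFEST, "cam-x200", "1.4.1", UPDATE_KEY))
    print(verify_update(GOOD_IMAGE, GOOD_MANIFEST, "cam-x200", "1.5.0", UPDATE_KEY))
```

The order matters: authenticity is checked first so that an attacker who can alter the manifest cannot steer the later checks, and the version comparison is numeric so that “1.10.0” is correctly treated as newer than “1.9.9”.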
3. Locked Master Credentials
Weak, easy-to-guess, or old passwords are easy targets for hackers. Still, even if you’re diligent about cyber hygiene, many IoT devices, such as IP cameras, cannot be protected by changing the default credentials, which makes securing them next to impossible. Because the hardcoded credentials can’t be changed, attackers simply ignore any new password, gain access to the camera and its private video, and can even launch remote command injection attacks against other devices on the local network. Reviewing your identity, authentication, and privileges protocols is essential.
Solution:
- Use truly independent keys for each device
- Allow key rotation
- Separate admin keys from user keys
- Use hardware-backed key stores for critical devices
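The four points above fit together as one credential design, shown here as an added example that is not code from this article or from any device vendor: every (device, role) pair gets its own random key, so one compromised user key reveals nothing about another device or about the same device’s admin key; rotation issues a new key and keeps the old one valid only for a grace period; and admin actions are accepted only under an admin-role key. The in-memory DeviceKeyStore stands in for the hardware-backed store the last bullet recommends; device names, action strings and the grace period are assumptions of the example.

```python
"""Added example: per-device credentials with rotation and admin/user separation.

Every (device, role) pair gets its own random key, so compromising one camera's
user key reveals nothing about any other device or about that camera's admin
key. Rotation issues a fresh key and retires the old one after a grace period,
during which both verify, so devices can roll over without an outage.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

ADMIN_ROLE = "admin"
USER_ROLE = "user"
MAX_CLOCK_SKEW = 300  # seconds; requests older than this are rejected


class DeviceKeyStore:
    """In-memory stand-in for a hardware-backed or HSM-backed key store."""

    def __init__(self, grace_seconds: int = 3600):
        # (device_id, role) -> {key_id: (key_bytes, retired_at or None)}
        self._keys: Dict[Tuple[str, str], Dict[str, Tuple[bytes, Optional[float]]]] = {}
        self.grace = grace_seconds

    def provision(self, device_id: str, role: str) -> Tuple[str, bytes]:
        """Create an independent random key; nothing is derived from a shared master."""
        key_id, key = secrets.token_hex(4), secrets.token_bytes(32)
        self._keys.setdefault((device_id, role), {})[key_id] = (key, None)
        return key_id, key

    def rotate(self, device_id: str, role: str, now: float) -> Tuple[str, bytes]:
        """Retire every active key for this (device, role) and issue a new one."""
        bucket = self._keys.get((device_id, role), {})
        for key_id, (key, retired_at) in list(bucket.items()):
            if retired_at is None:
                bucket[key_id] = (key, now)
        return self.provision(device_id, role)

    def lookup(self, device_id: str, role: str, key_id: str, now: float) -> Optional[bytes]:
        """Return the key if it is active or still inside its grace window."""
        entry = self._keys.get((device_id, role), {}).get(key_id)
        if entry is None:
            return None
        key, retired_at = entry
        if retired_at is not None and now > retired_at + self.grace:
            return None
        return key


def sign_request(key: bytes, device_id: str, role: str, key_id: str,
                 action: str, ts: int) -> str:
    """Device side: authenticate one request with its current key."""
    msg = "|".join((device_id, role, key_id, action, str(ts))).encode()
    return hmac.new(key, msg, "sha256").hexdigest()


def verify_request(store: DeviceKeyStore, device_id: str, role: str, key_id: str,
                   action: str, ts: int, mac: str, now: float) -> bool:
    """Service side: check freshness, key validity, the MAC, and that the role may act."""
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False
    key = store.lookup(device_id, role, key_id, now)
    if key is None:
        return False
    expected = sign_request(key, device_id, role, key_id, action, ts)
    if not hmac.compare_digest(expected, mac):
        return False
    # Role separation: actions under "admin:" are only valid with an admin-role key.
    if action.startswith("admin:") and role != ADMIN_ROLE:
        return False
    return True


if __name__ == "__main__":
    store = DeviceKeyStore(grace_seconds=600)
    now = 1_700_000_000
    kid, key = store.provision("cam-01", USER_ROLE)
    mac = sign_request(key, "cam-01", USER_ROLE, kid, "stream:read", now)
    print(verify_request(store, "cam-01", USER_ROLE, kid, "stream:read", now, mac, now))
```

Because the lookup is keyed by (device, role, key_id), a MAC produced with another device’s key, or with the user key for an admin action, never reaches the comparison with a valid key; the role check at the end is a second line of defence against a mislabelled request.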
4. False Data Injection Attack
As IoT expands, false data injection attacks (FDIAs) have become a top issue. An FDIA involves sending stealthy signals from a fake sensor to trigger an undesirable action. It might be a bogus water-level reading that prompts the opening of a floodgate, false data fed to users that skews an election result, or altered information in healthcare records that derails diagnosis and treatment.
IoT technologies such as state estimation are used in smart grids to monitor physical and environmental conditions. By injecting malicious data through compromised meters, for example, an attacker can cause inaccurate real-time electricity pricing or even widespread power failures. Whether hackers demand a ransom for withholding sensitive information or opt for the direct disruption of services, fallout from an FDIA can be devastating. The broader challenge goes beyond navigating the attack itself to include weeding out false information that entered via legitimate channels.
Solution:
- Monitor the activity of each device to detect anomalies
- Don’t use automated triggers without redundancy or sanity checks
- Validate incoming data and verify device identities
- Use dedicated and limited APIs for your devices
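Taken together, the first three points describe a validation pipeline in front of every automated trigger. The added example below (not code from this article) implements it for the floodgate scenario mentioned earlier: a reading counts only if it comes from a known sensor, carries a strictly increasing sequence number (no replay), lies inside the sensor’s physical range, does not change faster than the physical process can, and is not a statistical outlier against that sensor’s own recent history; the gate then opens only when a quorum of independent sensors agree. Device identity is assumed to have been verified upstream (as in the previous section’s example), and the sensor names, ranges, rates and readings are constructed for the example.

```python
"""Added example: plausibility, replay and redundancy checks in front of an actuator.

A reading only counts toward an automated trigger if it comes from a known
device, carries a strictly increasing sequence number, lies inside the
sensor's physical range, does not jump faster than the physical process can,
and is not a statistical outlier against that sensor's recent history. The
trigger itself additionally requires a quorum of independent sensors.
"""
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Deque, Dict, List, Optional, Tuple

Reading = Tuple[str, int, float, float]  # (device_id, seq, timestamp, value)


@dataclass
class SensorProfile:
    min_value: float
    max_value: float
    max_rate: float  # largest physically plausible change per second
    history: Deque[float] = field(default_factory=lambda: deque(maxlen=60))
    last_seq: int = -1
    last_ts: Optional[float] = None
    last_value: Optional[float] = None


class ReadingValidator:
    def __init__(self, profiles: Dict[str, SensorProfile]):
        self.profiles = profiles

    def check(self, device_id: str, seq: int, ts: float, value: float) -> str:
        """Return 'ok' or the name of the first failed check; only 'ok' updates state."""
        p = self.profiles.get(device_id)
        if p is None:
            return "unknown_device"
        if seq <= p.last_seq:
            return "replay_or_out_of_order"
        if not p.min_value <= value <= p.max_value:
            return "out_of_range"
        if p.last_ts is not None:
            dt = ts - p.last_ts
            if dt <= 0:
                return "bad_timestamp"
            if abs(value - p.last_value) / dt > p.max_rate:
                return "implausible_jump"
        if len(p.history) >= 10:
            mu, sd = mean(p.history), pstdev(p.history)
            if sd > 0 and abs(value - mu) > 4 * sd:
                return "anomaly"
        p.history.append(value)
        p.last_seq, p.last_ts, p.last_value = seq, ts, value
        return "ok"


def make_validator() -> ReadingValidator:
    # Constructed: two independent water-level sensors on one gate, range 0-10 m,
    # and the level cannot physically move faster than 5 cm per second.
    return ReadingValidator({
        "level-A": SensorProfile(0.0, 10.0, 0.05),
        "level-B": SensorProfile(0.0, 10.0, 0.05),
    })


def baseline_readings() -> List[Reading]:
    """Constructed: ten normal readings per sensor, one every 10 s, level rising slowly."""
    return [(dev, i, 10.0 * i, 2.0 + 0.01 * i)
            for i in range(10) for dev in ("level-A", "level-B")]


def decide_open_gate(validator: ReadingValidator, readings: List[Reading], threshold: float,
                     quorum: int = 2) -> Tuple[bool, Dict[str, float], List[Tuple[str, int, str]]]:
    """Open only if at least `quorum` sensors with fully validated readings exceed the threshold."""
    accepted: Dict[str, float] = {}
    rejected: List[Tuple[str, int, str]] = []
    for dev, seq, ts, value in readings:
        verdict = validator.check(dev, seq, ts, value)
        if verdict == "ok":
            accepted[dev] = value
        else:
            rejected.append((dev, seq, verdict))
    above = [dev for dev, value in accepted.items() if value >= threshold]
    return len(above) >= quorum, accepted, rejected


if __name__ == "__main__":
    v = make_validator()
    decide_open_gate(v, baseline_readings(), threshold=8.0)
    # Injected: sensor A suddenly claims 9.5 m while B still reads about 2.1 m.
    print(decide_open_gate(v, [("level-A", 10, 100.0, 9.5), ("level-B", 10, 100.0, 2.10)], 8.0))
```

Each rejected reading carries the name of the check it failed, which is what you want to feed into monitoring: a burst of “replay_or_out_of_order” or “implausible_jump” verdicts from one device is the anomaly signal the first bullet asks for, and the quorum ensures that a single spoofed sensor can never move the gate on its own.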
5. Infiltrating the Internal Network Via a Weak Device
It’s a challenge to review every device, but it only takes one weak link to bring down your entire system. Once infected, that device poses as a trusted peer on the network and looks for other vulnerable infrastructure such as servers or workstations, putting you at risk of a serious data breach as well as denial of service when the network is flooded with traffic until it crashes. When critical IT components trust every peer in an assumed private network, the attacker can gain access to -- or control of -- critical infrastructure such as shared file systems or databases. Robust identity and authentication policies are part of strong IoT security.
Solution:
- Use fine-grained VPNs that disconnect easily compromised devices from critical internal infrastructure through firewalls and network rules
- Don’t trust devices just because they are on your network; always add another level of authentication
6. Takeover of Admin Accounts to Reprogram Devices
Earlier this year, Transnet, a rail, port, and pipeline company in South Africa, experienced a cyberattack that disrupted its IT network, forcing the company to declare a force majeure when it defaulted on its contracts. It meant halting operations at its container terminals -- including Durban, which handles over 60 percent of South Africa’s container traffic. This resulted in massive delivery delays, increased road freight congestion, and disrupted exports.
Solution:
- Protect your cloud infrastructure with fine-grained roles and permissions
- Automate processes and eliminate the need for root access wherever possible
- Use two-factor authentication and provide admins with thorough security training
- Enforce a “four eyes” principle -- meaning at least two people must approve an action or decision -- for potentially disastrous operations
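The last three bullets combine into a single control in front of the operations that can reprogram a fleet. The added example below is not code from this article or from any cloud provider; it models a four-eyes gate in which the requester is the first pair of eyes, operations listed as dangerous need a further approver who is a different person, holds the required role and has passed two-factor authentication, approvals expire so a stale one cannot be reused, and routine operations pass straight through. The action names, the fleet-admin role and the 15-minute approval lifetime are assumptions of the example.

```python
"""Added example: a four-eyes gate for high-impact fleet operations.

The requester is the first pair of eyes. Operations in DANGEROUS need at
least one further approver who is a different person, holds the fleet-admin
role and has completed two-factor authentication; approvals expire so a
stale approval cannot be reused later. Routine operations execute directly.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed action names; the set would be project-specific in practice.
DANGEROUS: Set[str] = {"fleet:reflash", "fleet:factory_reset", "fleet:disable_auth"}
REQUIRED_ROLE = "fleet-admin"


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]
    mfa_verified: bool  # set by the identity provider after the second factor


@dataclass
class ChangeRequest:
    action: str
    target: str
    requester: str
    created_at: float
    approvals: Dict[str, float] = field(default_factory=dict)  # approver -> time
    executed: bool = False


class ApprovalGate:
    def __init__(self, approval_ttl: float = 900.0, extra_approvers: int = 1):
        self.approval_ttl = approval_ttl        # seconds an approval stays valid
        self.extra_approvers = extra_approvers  # approvers needed besides the requester

    def _eligible(self, who: Principal) -> str:
        if not who.mfa_verified:
            return "rejected: second factor not verified"
        if REQUIRED_ROLE not in who.roles:
            return f"rejected: {REQUIRED_ROLE} role required"
        return "ok"

    def propose(self, who: Principal, action: str, target: str,
                now: float) -> Tuple[Optional[ChangeRequest], str]:
        status = self._eligible(who)
        if status != "ok":
            return None, status
        return ChangeRequest(action, target, who.name, now), "ok"

    def approve(self, cr: ChangeRequest, who: Principal, now: float) -> str:
        status = self._eligible(who)
        if status != "ok":
            return status
        if who.name == cr.requester:
            return "rejected: requester cannot approve own request"
        cr.approvals[who.name] = now
        return "approved"

    def can_execute(self, cr: ChangeRequest, now: float) -> bool:
        if cr.executed:
            return False
        if cr.action not in DANGEROUS:
            return True
        fresh = [a for a, t in cr.approvals.items()
                 if a != cr.requester and now - t <= self.approval_ttl]
        return len(fresh) >= self.extra_approvers

    def execute(self, cr: ChangeRequest, now: float) -> bool:
        """Mark the request executed; the real action would be dispatched here."""
        if not self.can_execute(cr, now):
            return False
        cr.executed = True
        return True


if __name__ == "__main__":
    gate = ApprovalGate()
    alice = Principal("alice", frozenset({REQUIRED_ROLE}), True)
    bob = Principal("bob", frozenset({REQUIRED_ROLE}), True)
    cr, _ = gate.propose(alice, "fleet:reflash", "cam-fleet-eu", 1000.0)
    print(gate.can_execute(cr, 1000.0), gate.approve(cr, bob, 1060.0), gate.can_execute(cr, 1120.0))
```

The same gate is where the “eliminate root access” bullet lands in practice: the executor that finally dispatches the action runs under a narrowly scoped service identity, so no human ever needs a standing root credential to reprogram devices, and every reflash leaves a record of who asked and who approved.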
Access the Right Expertise To Get IoT Security Ready
Cybersecurity statistics point to an increasingly hostile landscape. As the IoT ecosystem flourishes, it’s not a matter of if but when you’ll experience some form of attack. It indicates the need for greater cyber hygiene and proactive resilience planning -- and testing. The sheer scale of the challenge is daunting, especially if you lack the necessary IoT security skills, but the right technology partner will help you conduct a comprehensive risk management assessment to pinpoint weaknesses, implement best practices, and draw up a watertight incident response plan to mitigate the damage if the worst happens.