IoT has progressively made its way into the day-to-day lives of both individuals and businesses. From cars to coffee makers to smart factories, the devices that surround us are becoming increasingly connected. The benefits of bringing IoT into our homes and offices are numerous. We have increased efficiency, improved communication, and greater productivity, to cite but a few — but it comes with its fair share of risks. Here is how IoT can put your data at risk.
A recent report revealed that over 90% of data transactions on IoT devices are unencrypted. Furthermore, there is increasing concern about the role IoT could play in giving corporations excessive access to individuals’ personal data. Identifiable information and data is all the more worrisome when you take into account that the number of IoT devices is set to exceed 50 billion within the next two years.
With this in mind, what are the main threats IoT poses to you and your customers’ data, and what steps can you take to protect it?
Why IoT devices can pose a security problem
One term we hear a lot when talking about cybersecurity is “attack surface” — the number of potential ways an attacker can gain access to a device or network in order to harvest data or disrupt performance. A key risk with IoT is the sheer number of endpoints, meaning the number of devices connected to the Internet that can offer attackers a point of entry and expose your network to risk.
This aspect is a particular threat to business, as while the chance of a single device’s being breached is relatively small, that risk increases exponentially when a network comprises a large number of them. Two years ago, hackers gained access to a casino database in a way that wouldn’t seem out of place in a James Bond movie: through the businesses’ high-tech fish tank, enabling them to exfiltrate 10 gigabytes of data.
The smart devices that are often found in personal homes are also vulnerable to hacking and excessive data gathering. Connected appliances, surveillance cameras and smart toys all offer potential entry points to hackers, while smart TVs were recently found to be leaking data, such as locations and IP addresses, to corporations such as Google, Facebook, and Netflix even when the owner didn’t actually have a Netflix account. All the more worryingly, data was being shared even when the devices were idle.
The biggest IoT threats
The risks that businesses and individuals expose themselves to by neglecting to properly secure their networks include:
The data processed by IoT devices is potentially extremely sensitive. With office- and home-security systems increasingly mediated by IoT (doorbells and surveillance cameras being just a couple of examples), criminal attacks can pose a serious problem.
The huge volume of data habitually collected by IoT devices was exposed this year when a database owned by the Chinese firm Orvibo, which offers a smart home-appliance platform, was found to have no password protection despite containing logs relating to 2 million worldwide users, including individuals and hotel chains. The data included insufficiently protected user passwords, reset codes, precise locations, and even a recorded conversation.
Botnets are another way for cybercriminals to wreak havoc using IoT devices. Botnets consist, as their name suggests, of networks of bots running on Internet-connected devices. They are primarily known for their role in DDoS (Distributed Denial of Service) attacks, in which a stream of network requests is sent to a network that a malicious entity wishes to bring down.
Examples include the infamous 2016 DDoS attack on the DNS provider Dyn, which effectively took down major sites such as Twitter, Tumblr, Netflix, Amazon, and Spotify, among others. More recently, a major entertainment industry player was the victim of a large-scale DDoS attack associated with over 400,000 IoT devices.
Hacking and sabotage
Hacking an IoT device potentially enables cybercriminals to pilot it. This can lead to more or less critical situations according to the type of device (though hacking your robo-vac could potentially provide access to sensitive information, attackers are unlikely to remotely clean your apartment for you — and if they do, you might like it).
It’s a different story, however, when hackers gain control of manufacturing systems or autonomous vehicles.
Who is the most vulnerable?
It’s important to be aware that any business or household that doesn’t take the right steps to protect its data is exposed to a potential attack. As mentioned above, manufacturing is a particularly vulnerable sector. More and more factories are using IoT not only to boost productivity but also to power core operations, meaning that a single attack has the potential to bring production to a halt.
In December 2015, the first known cyberattack on a power grid took place in Ukraine. Such events are warnings that individuals and businesses can and should take note of, and protect their systems. Criminals managed to compromise the IT systems of three energy providers and successfully disrupt the electricity supply to users.
A few years earlier, an Iranian uranium-enrichment plant was compromised by the Stuxnet virus and its centrifuges were permanently damaged. This attack was notable at the time in that its aim was not just to disrupt computer systems or steal information — but the criminals also wanted to inflict physical damage on equipment.
Companies that handle and record sensitive customer information need to be particularly wary of the threat posed by IoT breaches. Even small businesses tend to own a certain number of potential endpoint threats, such as cameras, printers, webcams, and microphones, that offer entry points to cybercriminals.
And it’s not just businesses that are potentially at risk. HBO’s Silicon Valley played the idea of a hackable smart fridge for laughs, but insecure home IoT devices pose a very real security threat. A recent Avast/Stanford University study revealed that 66% of North American households now possess at least one IoT device, and that a significant number of those devices use obsolete protocols such as Telnet or FTP.
Maintaining IoT security
As enthusiasm for IoT devices grows, so does the speed with which companies put them out there. With all this in mind, what can be done to secure endpoints and guarantee the safety of your devices — and your network in general?
- First things first: Manufacturers need to step up their game.
- Efforts need to be made to ensure that consumer IoT appliances are secure out of the box.
- Any required updates should be easy to implement by the average user.
- Clear but detailed privacy policies are necessary to inform users about exactly what data manufacturers have access to.
- Easy-to-understand protocols, enabling users to make informed decisions about what they share and with whom, are a must.
Steps that individuals and businesses can take to ensure security include:
A compromised router will leave your entire network open to attack. Routers need to be protected by a strong password, regular updates, and a firewall.
Is the mention of passwords coming as a surprise to anyone? Please — change your passwords. Please. Passwords should not even have to be mentioned. It should go without saying that weak passwords — or those wily default passwords the appliance came with — are vulnerable to attacks. Change them.
IoT devices should be able to receive updates, and therefore patches. The patches should come from manufacturers, as they discover vulnerabilities. It’s important to ensure that your appliances are up to date at all times.
Monitoring is especially important for businesses running a network of connected devices.
All IoT should be identified and inventoried, and network traffic to and from the devices analyzed in order for anomalous behavior to be spotted quickly. The due diligence of monitoring is a huge task and likely not going to garner a lot of support. But you can monitor your own devices, watch for updates — and take care of yourself and your devices.
In a nutshell? While the benefits of IoT more than live up to the hype, it’s important to keep its potential risks in mind and take steps to ensure that it doesn’t make your home or business vulnerable to attack.