IoT Security Threats & How to Mitigate Them

Published June 12, 2024

IoT security is the process of securing internet-connected devices to ensure they do not introduce threats to corporate networks. Attackers use various methods and tricks to compromise these devices remotely.

In the age of smart offices, we have IoT devices that control lighting, heating, air conditioning, and even meeting room bookings. These IoT devices gather tons of valuable information that can be stolen or corrupted if attackers manage to breach their security defenses. 

IoT security risks for corporate networks

Weak authentication mechanisms

It’s not uncommon to find devices that still use default usernames and passwords. When these default settings are not changed, it creates a major vulnerability in your IoT security posture. 

Another IoT security vulnerability is the lack of multi-factor authentication (MFA) options. MFA adds an extra layer of security beyond just a password. However, many IoT devices don’t support it. 

For instance, consider a smart thermostat managing the climate control in your office building. If someone gains access through a weak password, they could potentially exploit the device to gain further network access.

Furthermore, some IoT devices use outdated authentication protocols. The convenience of auto-login features can also be a double-edged sword. While they make life easier, they can be exploited by malicious actors. Once someone has physical access to a device, auto-login can give them direct entry to the network. 

Using default passwords seems convenient. But the Mirai botnet case teaches us that this is a risky practice. This botnet managed to infect around 300,000 devices. 

Mirai exploited weak security on IoT devices like cameras and DVRs. It turned these devices into a massive botnet that could launch a 1 Tbps (terabit per second) DDoS attack. This attack took down large chunks of the internet, including services like Twitter, Netflix, and Airbnb.

Thankfully, some governments are taking proactive action. The UK's new legislation, the Product Security and Telecommunications Infrastructure Act 2022, for example, has banned weak or easily guessable default passwords on IoT devices. Non-compliant companies risk hefty fines or their products being recalled.

Insecure data storage on IoT devices

Insecure data storage on IoT devices is a giant red flag in our corporate networks. Imagine you have smart thermostats installed all over your office building. 

These nifty gadgets collect temperature data, usage patterns, and even occupancy information. Now, think about where that info is stored. If it’s kept on the device itself without encryption, it's basically like leaving your front door wide open.

Another example is smart locks. They store access logs, user codes, and entry times right on the device or in the cloud. If the data isn’t securely stored, anyone with the right skills can access sensitive information. That’s a major vulnerability. It’s not just about a break-in; it could lead to tracking employees' movements or worse.

Healthcare devices offer another stark example. Many hospitals use connected devices to monitor patients. These IoT devices often store critical patient data. If this data isn’t encrypted, it can result in severe privacy breaches. Imagine someone intercepting heart rate monitors or insulin pump data. It’s not just inconvenient; it’s life-threatening.

Even our corporate printers are a risk. They often store recent print jobs in memory. If that data isn’t wiped or encrypted, confidential documents could be at risk. We could accidentally expose sensitive contracts, employee records, or financial reports.

We can’t forget about consumer-grade IoT devices that sneak into our work environments. Think about the smart assistants sitting on desks. They store audio snippets and personal preferences. If that data isn’t securely stored, you might be leaking confidential meeting details or sensitive conversations.

Insecure data storage isn’t just about worrying where the data sits. It’s also about how it’s transmitted. If data moves between devices and servers without encryption, it’s vulnerable to interception. Attackers can lift that unencrypted data right out of the airwaves.

You need to be vigilant about how data is stored on your IoT devices. Encryption isn’t optional; it’s a necessity. Never underestimate the need for regular security audits and firmware updates. It’s crucial to protect your corporate networks from the inside out.

Botnets and DDoS attacks

Botnets and DDoS attacks are the stuff of nightmares for anyone managing corporate IoT infrastructure. Picture this: you've got dozens, maybe hundreds, of IoT devices humming along nicely in your network. Then, out of nowhere, these devices become foot soldiers in a cybercriminal's army.

A botnet is essentially a network of infected devices controlled by an attacker. These devices can be anything connected to the internet—smart cameras, temperature sensors, and even smart light bulbs. Once infected, they are enlisted into a botnet, which can then be used to launch Distributed Denial of Service (DDoS) attacks.

DDoS attacks are designed to overwhelm a target by flooding it with traffic. Imagine hundreds of thousands of devices sending requests to your corporate server at the same time. The server can't handle it and crashes, disrupting business operations. It's like getting an unexpected mob of shoppers storming into a small store all at once.

More recently, we've seen attacks like the Reaper botnet, which not only infected devices but was also capable of self-updating. Reaper spreads by exploiting known security vulnerabilities in routers and IP cameras. Once a device is infected, it scans for other vulnerable devices to recruit, creating a self-sustaining cycle of growth and threat expansion.

In a corporate environment, the consequences can be even more severe. Imagine your security cameras turning against you, or worse, the HVAC system crashing because it's part of a botnet. The disruption isn't just inconvenient; it can paralyze operations, lead to data breaches, and cause massive financial loss.

What's especially frustrating is that many IoT devices come with default usernames and passwords that are rarely changed. Hackers exploit these weak points to gain access. And because these devices often lack robust security features, once they're compromised, they can be nearly impossible to secure without replacing them entirely.

Ransomware attacks on critical IoT devices

When it comes to ransomware, critical IoT devices are like sitting ducks. A hypothetical example that could play out in any corporate setup: a hacker infiltrates the HVAC system of an office building, encrypts the controls, and demands a ransom to unlock them.

An actual ransomware case involving an IoT device is the 2019 attack on a manufacturing plant in Norway. Hackers hit them through an IoT sensor and brought production to a grinding halt. The company’s operations were paralyzed. They had no choice but to pay up or lose millions.

Medical devices are another major target. Imagine a ransomware attack on smart infusion pumps in a hospital. It's not just costly in terms of money but potentially life-threatening. Hackers are aware of this, and they exploit it. 

In November 2023, a ransomware gang targeted a hospital chain’s connected devices, including patient monitors. They encrypted the data and demanded an exorbitant ransom. The hospital had to divert emergency cases to other facilities, causing chaos.

In 2021, a tech company’s entire smart lighting system was compromised. Every office light, controlled by IoT, turned into a ransom note. Employees were left working in the dark. The attacker demanded Bitcoin in return for control over the lights.

In another case, in a mid-sized firm in Texas, attackers took over internet-connected printers. They printed out ransom demands on every single machine, halting all printing activities until the company paid up. It was a low-tech but highly effective way to bring the office to its knees.

These examples highlight a grim reality. Any connected device is a potential entry point for ransomware. They don't discriminate based on the device type; if it’s connected, it’s vulnerable. The only way to combat these threats is to stay one step ahead—securing every device, system, and network connection.

Tampering with office IoT devices

The interconnectedness of IoT devices means that tampering with one can have a cascading effect. It can lead to failure of critical equipment and safety risks for employees.

Imagine someone messing with smart thermostats to jack up the heating, or worse, shutting down temperature controls in a data center. It's not just about discomfort; it can lead to overheating servers and costly downtime.

Tampering isn't just about physical access either. Many of these devices are wirelessly connected and can be hacked remotely. Think about how easy it might be to exploit a poorly secured smart printer. 

Someone with the right skills could intercept confidential documents, tamper with print jobs, or even plant malware on the network. Once they're in, they can move laterally across other systems.

Consider smart locks—a vital part of modern office security. If someone gets unauthorized access, they could unlock doors at will, leaving sensitive areas exposed. 

Even the sensors and cameras we rely on for security monitoring aren't immune. A hacker could disable motion sensors or feed fake data to surveillance cameras, creating blind spots for physical entry. These tampered devices won't raise alarms when they should, providing a perfect cover for unauthorized activities.

Side-channel attacks on corporate IoT hardware

You'd think the biggest worries with IoT security would be things like weak passwords and unpatched software. While those are serious issues, side-channel attacks are a sneaky kind of beast. They're like digital pickpockets, exploiting unsuspected weaknesses in a way that traditional security measures often miss.

Take, for instance, electromagnetic (EM) emissions. These are the tiny signals devices give off. Even if everything seems locked down, a hacker with the right equipment can measure these emissions to figure out what your device is processing. 

Power analysis is another crafty tactic used by hackers. Every electronic device uses power, and the way it uses power can reveal secrets. By monitoring the power consumption of an IoT device, attackers can deduce what it's doing. 

Picture a smart lock in your office. When it encrypts data, its power usage patterns change in a way that can be correlated with specific operations. A sophisticated attacker could capture these subtle fluctuations, unveiling the encryption key without ever touching the device.

Then there are timing attacks. These are all about how long it takes for a device to execute operations. If certain operations take longer, an attacker can infer what the device is processing. 

For example, if a corporate IoT device takes a bit longer to validate a correct password than an incorrect one, a hacker can use this timing information to guess passwords more effectively. 
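The password-timing leak described above, shown next to a hardened check, as an added example that is not part of the original article. The secret, the function names and the step counter (a stand-in for execution time) are constructed for illustration.

```python
import hashlib
import hmac
import os

STORED_SECRET = b"office-hvac-01"  # constructed secret, for illustration only


def leaky_equal(supplied: bytes, stored: bytes):
    """Early-exit comparison. Returns (match, steps).

    `steps` counts byte comparisons and stands in for execution time:
    it grows with the length of the correct prefix, which is the leak.
    """
    if len(supplied) != len(stored):
        return False, 0
    steps = 0
    for a, b in zip(supplied, stored):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def make_record(password: bytes, iterations: int = 100_000):
    """What the device should store: a random salt and a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest, iterations


def verify_password(supplied: bytes, record) -> bool:
    """Hardened check: hash the attempt, then compare in constant time."""
    salt, digest, iterations = record
    attempt = hashlib.pbkdf2_hmac("sha256", supplied, salt, iterations)
    # compare_digest is designed so its running time does not depend on
    # where the two inputs differ
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    for guess in (b"Xffice-hvac-01", b"office-Xvac-01", b"office-hvac-0X", STORED_SECRET):
        print(guess, leaky_equal(guess, STORED_SECRET))
    record = make_record(STORED_SECRET)
    print(verify_password(b"office-hvac-0X", record), verify_password(STORED_SECRET, record))
```

In the leaky version the work done tracks how much of the guess is right; in the hardened version the comparison runs over fixed-length digests and reveals nothing about the stored value.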

Don't be fooled by the simplicity of acoustic cryptanalysis either. This is where attackers use the sounds emitted by devices to gain insights. Even the hum of your office printer could potentially leak information about the data it's processing. 

Imagine someone using a high-sensitivity microphone to capture the noise and analyze it to extract confidential print jobs. It sounds like something out of a spy movie, but it's very real.

These attacks can feel pretty abstract, but they're very tangible threats. They exploit the innate characteristics of hardware that software updates can't easily fix. And in a corporate network filled with various IoT devices—each potentially a weak link—the risk is multiplied. So, while it might seem like overkill to worry about the sound or power usage of your devices, in the world of IoT security, it's crucial.

Frameworks and Standards to Boost IoT Security

OWASP (Open Web Application Security Project) IoT Top 10

OWASP IoT Top 10 highlights the top 10 vulnerabilities that can compromise the security of IoT devices and ecosystems. You should avoid these when building, deploying, or managing IoT systems:

  • Weak, guessable, or hard-coded passwords
  • Insecure network services
  • Insecure ecosystem interfaces
  • Lack of secure update mechanism
  • Use of insecure or outdated components
  • Insufficient privacy protection
  • Insecure data transfer and storage
  • Lack of device management
  • Insecure default settings
  • Lack of physical hardening

This list was developed from an analysis of real-world IoT security incidents. It also offers mitigation strategies you can use to avoid falling victim to IoT security breaches. These include the use of strong passwords, disabling unnecessary services that could be targeted by hackers, encrypting system components, updating security policies on your IoT devices, and physically securing your devices.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is an invaluable resource for enhancing IoT security in corporate networks. The framework is built around five core functions: Identify, Protect, Detect, Respond, and Recover. 

Each function covers essential aspects of cybersecurity, making it easier to develop a robust strategy. For example, in the "Identify" function, you can assess potential risks by cataloging all IoT devices connected to your corporate network. This step is crucial because you can't protect what you don't know exists.

The "Protect" function emphasizes implementing measures to safeguard your IoT devices. This includes configuring strong authentication protocols and ensuring that all firmware is kept up-to-date.

"Detect" is about spotting anomalies and potential threats as early as possible. You can set up continuous monitoring tools to watch for suspicious activities. For instance, you can use Intrusion Detection Systems (IDS) to keep an eye out for unusual data flows from your IoT sensors.
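A minimal sketch of that kind of monitoring, as an added example that is not part of the original article and not a substitute for an IDS. It compares observed flows against a per-device baseline; the device names, addresses, byte counts and the 10x threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (device, destination, bytes sent in a 5-minute window)
BASELINE_FLOWS = [
    ("thermostat-3f", "10.20.0.5", 1200),
    ("thermostat-3f", "10.20.0.5", 1100),
    ("thermostat-3f", "10.20.0.5", 1300),
    ("camera-lobby", "10.20.0.9", 480000),
    ("camera-lobby", "10.20.0.9", 510000),
    ("camera-lobby", "10.20.0.9", 495000),
]
OBSERVED_FLOWS = [
    ("thermostat-3f", "10.20.0.5", 1250),     # normal
    ("thermostat-3f", "203.0.113.77", 1150),  # destination never seen before
    ("thermostat-3f", "10.20.0.5", 90000),    # far above the usual volume
    ("camera-lobby", "10.20.0.9", 505000),    # normal for a camera
    ("printer-2b", "10.20.0.5", 2000),        # device missing from the inventory
]


def build_baseline(flows):
    """Per device: the set of known destinations and the median volume."""
    dests, volumes = defaultdict(set), defaultdict(list)
    for device, dst, nbytes in flows:
        dests[device].add(dst)
        volumes[device].append(nbytes)
    return {d: {"dests": dests[d], "median": median(volumes[d])} for d in dests}


def detect(flows, baseline, volume_factor=10):
    """Return (device, reason, destination) alerts for flows that break the baseline."""
    alerts = []
    for device, dst, nbytes in flows:
        profile = baseline.get(device)
        if profile is None:
            # Ties back to "Identify": traffic from a device nobody catalogued
            alerts.append((device, "unknown-device", dst))
            continue
        if dst not in profile["dests"]:
            alerts.append((device, "new-destination", dst))
        if nbytes > volume_factor * profile["median"]:
            alerts.append((device, "volume-spike", dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```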

The "Respond" function outlines how to manage a security breach if it occurs, while the "Recover" function focuses on how to safely and efficiently restore normal operations after an incident. This must include updating your IoT devices' security policies to prevent future occurrences.

ISO/IEC 27001 and IoT security

ISO/IEC 27001 is a framework that helps organizations secure information systematically. It can provide a solid foundation for IoT security. However, using ISO/IEC 27001 for IoT security means adapting its framework to suit the varied, numerous, and often simplistic nature of IoT devices.

For example, one critical aspect of ISO/IEC 27001 is risk assessment. In the IoT world, the variety and number of "things" mean this isn’t straightforward. 

Think about all the devices in a corporate network. We’re talking about everything from smart thermostats to industrial sensors. Each of these devices can be an entry point for cyber threats. Therefore, you need rigorous and continuous risk assessment tailored to these devices.

ISO/IEC 27001 outlines a set of control measures, but IoT requires some specific ones. For instance, device authentication is crucial. Imagine an internet-connected camera system used in your office. Without robust authentication, anyone could potentially access these cameras. Using device-specific authentication methods ensures that only authorized devices can communicate within the network.

Updating IoT devices is another challenge. ISO/IEC 27001 emphasizes the need for maintaining up-to-date software. However, many IoT devices in a corporate network are not designed to be easily updatable.

You might have smart light bulbs or old industrial controllers that don’t support over-the-air updates. It requires a strategy to manage these devices, perhaps involving more frequent manual checks or limiting their network access.

Monitoring and logging are also critical in IoT security. ISO/IEC 27001 advocates for extensive logging to detect potential security incidents. In an IoT environment, this means capturing logs from every "thing." 

Take a smart HVAC system in your building. It should log all access attempts and any changes in settings. Collecting these logs centrally and analyzing them helps in spotting unusual patterns.

Human factors play a different role in IoT. Users might not be tech-savvy enough to configure these devices securely. Think of a scenario where employees bring their own IoT devices, like fitness trackers or personal assistants, that connect to the corporate network. 

Policies from ISO/IEC 27001 about user training and awareness need to be extended. It’s vital to educate employees on the risks and proper use of their devices.

Supplier relationships are mentioned in ISO/IEC 27001, too. With IoT, this becomes even more critical. If a supplier provides an IoT device for your network, you must ensure their security practices match your expectations. 

Suppose you’re deploying connected coffee machines in the office. Ensuring that the supplier follows stringent security practices can prevent vulnerabilities from entering your network.

ETSI EN 303 645

ETSI EN 303 645 is a network security standard set by the European Telecommunications Standards Institute (ETSI) that basically lays down the law for IoT device manufacturers. It’s like a rulebook that ensures devices hitting the market are secure from the get-go. 

One of the key requirements in ETSI EN 303 645 is the need for unique passwords. Gone are the days when default passwords like "admin" and "password" could be used. This rule alone can prevent a ton of common attacks. 

Imagine deploying a fleet of IoT sensors across your warehouses. If they all had the same default password, a hacker only needs to crack one device to access them all. But with unique passwords, that risk drops dramatically.
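One way to check a fleet for this before deployment, as an added example that is not part of the original article. The provisioning export, its column names and the audit key are constructed, and the default list holds only the two passwords named above.

```python
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# The two defaults named in the text; a real audit would use a longer list
KNOWN_DEFAULTS = {"admin", "password"}

# Constructed provisioning export for a small sensor fleet
INVENTORY_CSV = """device_id,site,username,password
sensor-001,warehouse-a,admin,admin
sensor-002,warehouse-a,svc,Wh7!kq-29xL
sensor-003,warehouse-b,svc,Wh7!kq-29xL
sensor-004,warehouse-b,svc,r8#Tz-41mQa
"""


def audit_credentials(csv_text: str, audit_key: bytes = b"constructed-audit-key"):
    """Flag devices with a known default password or a password shared with
    another device. Passwords are grouped by keyed fingerprint so the
    findings never contain the plaintext."""
    default_hits = []
    by_fingerprint = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row["password"]
        if password.lower() in KNOWN_DEFAULTS:
            default_hits.append(row["device_id"])
        fingerprint = hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()
        by_fingerprint[fingerprint].append(row["device_id"])
    shared = sorted(sorted(ids) for ids in by_fingerprint.values() if len(ids) > 1)
    return {"default": sorted(default_hits), "shared": shared}


if __name__ == "__main__":
    findings = audit_credentials(INVENTORY_CSV)
    print("default password:", findings["default"])
    print("shared password groups:", findings["shared"])
```

Any non-empty result means the fleet does not meet the unique-password requirement: one recovered credential would open every device in the same group.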

Another cool thing about the standard is its emphasis on software updates. It requires IoT devices to have a reliable method for updating their software securely. This is huge. We’ve all heard stories of vulnerabilities being found in software, sometimes years after the product’s release. 

With secure update mechanisms, manufacturers can patch these vulnerabilities, keeping our networks safer. For example, your connected security cameras should be able to receive and install updates without you having to replace the entire system.

ETSI EN 303 645 also insists on data protection measures. It’s not just about guarding against unauthorized access; it’s also about ensuring data integrity. 

Say you have smart HVAC systems in your office buildings that adjust temperatures based on occupancy data. If someone tampers with that data, it could lead to energy wastage or even affect the comfort of your employees. The standard mandates that data be encrypted both in transit and at rest, making unauthorized access and tampering much more difficult.

Another aspect of ETSI EN 303 645 that enhances IoT security is the requirement for vulnerability disclosure policies. According to the standard, manufacturers should have clear procedures for reporting and addressing vulnerabilities.

ETSI EN 303 645 also encourages manufacturers to clearly communicate how long a device will receive security updates. This is crucial for planning. If you know a device will be supported for five years, you can align your upgrade cycles and budget accordingly. 

ETSI EN 303 645 covers a lot more, but these are some highlights that can make a difference in securing your corporate network. It sets a solid foundation, ensuring that the IoT devices you integrate aren’t just smart but also secure.
