It’s no surprise that the Internet of Things (IoT) is undergoing rapid growth: the tools are in high demand, but as technology outpaces the maturity of the IoT ecosystem, a vast attack surface is being created. What those new to IoT may not realize is that many IoT devices are being hacked within five minutes of being connected to the internet. Why? Because they have very little, if any, built-in security. We know that only two of every five organizations can identify inadequately secured IoT devices, and when they do identify those devices, only 14 percent step up to replace them immediately. With more than 50 billion connected devices expected by 2030, it is past time to think about how to secure the future.
When we work with clients who have concerns about IoT device security, we begin by asking five critical questions about their device security ecosystem:
- Is there an inventory of current assets with IoT capabilities being used within the organization?
- Can the organization identify potential threats or monitor suspicious traffic on these devices?
- Is there a plan (and skills needed) in place to update IoT devices if a security vulnerability is identified?
- Are controls in place to manage security and risks that IoT introduces to an organization?
- Has a technology and business resiliency plan been implemented?
Let’s look at what a deeper dive into these questions often reveals.
Top IoT device security challenges
It is often claimed that if an attacker has physical access to the system, the device can be considered compromised and therefore excluded from security considerations. I suggest this demonstrates an incomplete understanding of the steps that can be taken now to mitigate security issues at the device level. The historical view of IoT security relies heavily on security by obscurity, which has been proven countless times to be an insufficient control for ensuring devices are not vulnerable.
There are a few security risks to consider initially, ranging from the simple to the complex. They include these six top challenges:
- Security is not part of the IoT device design lifecycle
- Inadequate firmware and hardware testing processes
- Applying firmware updates and security patches
- Ability to predict, preempt and manage vulnerabilities
- IoT devices sending unencrypted data to networks
- Authorization and authentication of IoT devices
The nature of IoT devices and current industry development practices tend to have adverse effects on the security posture of the device and the systems with which it communicates. Additionally, IoT devices tend to prioritize cost, speed to market and new technologies, which places device manufacturers, end-users and businesses utilizing IoT at a security disadvantage from the start. These disadvantages are clear when evaluating the OWASP Top 10 IoT vulnerabilities list. That list includes weaknesses that in any other security setting would be considered unacceptable, such as IoT1: Weak, guessable, or hardcoded passwords; IoT4: Lack of secure update mechanism; and IoT7: Insecure data transfer and storage, to name a few.
There are a number of vulnerabilities that every organization must recognize:
- Data protection: IoT devices generate a large amount of data that needs to be protected and secured from cyber criminals’ malicious intents.
- Data privacy: IoT devices can contain sensitive data of the user, which cyber criminals can exploit and cause harm to the consumer.
- Network security: An infected IoT device connected to a company’s network could compromise sensitive information and cause business disruption.
- Consumer trust: Secure IoT devices increase the trust of consumers in the new technology, thus increasing the sales of IoT devices.
An obvious risk when considering a compromised device is the leakage of firmware to a malicious actor; however, this is only part of the equation. A leakage of firmware could lead to a variety of follow-up attacks, depending on the nature of the firmware. The firmware might contain hardcoded secrets that would allow an attacker to gain authenticated access to the device backend, reveal detailed information about additional functionality of the device such as a backdoor, and expose sensitive intellectual property and algorithms that could lead to grey market risks.
Data privacy is another risk to IoT devices that could have a drastic impact on the business manufacturing, managing, and/or consuming the devices. The EU General Data Protection Regulation (GDPR) already requires a higher level of responsibility for data privacy, including for IoT devices such as X, and more recently the U.S. Executive Order on Improving the Nation’s Cybersecurity (May 2021) has outlined steps to improve security and privacy.
One of the most impactful risks to discuss is the potential for a complete compromise of IoT devices supporting critical infrastructure. Consider the following real-world scenarios:
- A set of devices used for fleet management that if compromised, may result in full control of the fleet vehicles by a malicious actor or group.
- A manufacturing facility relying on IoT sensors for the operation of industrial equipment that if compromised could lead to damaged equipment, loss of revenue, and even physical injury.
- An innocuous medical device connected to a hospital network that could be used as a pivot point to conduct attacks targeting medical equipment used for critical therapy.
These scenarios demonstrate that IoT security is not solely the responsibility of the original equipment manufacturer (OEM). Any business that is considering implementing IoT must understand the risk and take steps to safeguard the ecosystem in which the devices will be deployed.
What to do right now
The first step to mitigating the risks that IoT poses to the business should be to conduct an inventory of the IoT devices that are currently being used or under consideration. This inventory should not only include the types of devices and quantity but also the data being processed, relevant device fingerprinting (hardware revisions and firmware versions), and the network that the device has access to.
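As an added example (not code from the original article), the script below checks an inventory with the fields just listed against a known-good firmware baseline and reports devices that still need an update; every model, version and network name in it is constructed sample data.

```python
"""Added example: flag inventory records whose firmware lags a per-model baseline.

Fields follow the inventory described in the text: device type, quantity, data
processed, hardware revision, firmware version and the network the device can
reach. All records, models and versions below are constructed, not real.
"""
from dataclasses import dataclass


@dataclass
class Device:
    model: str
    quantity: int
    data_processed: str   # e.g. "PII", "video", "telemetry"
    hw_revision: str
    firmware: str         # dotted version string reported by the device
    network: str          # segment the device has access to


def parse_version(v):
    """Turn '2.10.3' into (2, 10, 3) so comparison is numeric, not lexical
    (lexically '2.9.1' would sort *after* '2.10.0')."""
    return tuple(int(part) for part in v.split("."))


def outdated_devices(inventory, baseline):
    """Return (device, reason) pairs for records below the minimum fixed
    firmware for their model/hardware revision, or with no baseline at all."""
    findings = []
    for dev in inventory:
        minimum = baseline.get((dev.model, dev.hw_revision))
        if minimum is None:
            findings.append((dev, "no baseline recorded"))
        elif parse_version(dev.firmware) < parse_version(minimum):
            findings.append((dev, f"below minimum {minimum}"))
    return findings


# Constructed inventory and baseline (hypothetical models and versions).
INVENTORY = [
    Device("CamX", 12, "video", "rev-B", "2.9.1", "corp-lan"),
    Device("CamX", 3, "video", "rev-B", "2.10.0", "corp-lan"),
    Device("Therm", 40, "telemetry", "rev-A", "1.4", "ot-segment"),
    Device("Badge", 5, "PII", "rev-C", "0.9", "corp-lan"),
]
BASELINE = {("CamX", "rev-B"): "2.10.0", ("Therm", "rev-A"): "1.3"}

if __name__ == "__main__":
    for dev, why in outdated_devices(INVENTORY, BASELINE):
        print(f"{dev.model} {dev.hw_revision} fw={dev.firmware} x{dev.quantity} "
              f"on {dev.network} ({dev.data_processed}): {why}")
```

A device with no recorded baseline is reported too, since an unknown model is exactly the gap an inventory is meant to surface.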
Once a device inventory has been conducted, OEMs and even businesses utilizing IoT devices should conduct periodic security reviews of the devices and the systems with which they are communicating. Security reviews should include, but not be limited to, the physical device, the primary wireless interfaces in use where applicable, the firmware source code, APIs, and the web, mobile and thick-client applications. Additional steps that should be taken in tandem with periodic security reviews include incorporating security requirements and testing into the build pipeline, as well as implementing or leveraging a secure device management and monitoring solution.
The IoT device landscape is currently vast and growing, despite being plagued with security flaws. It is undeniable that IoT will continue to be a part of business growth and can aid in improving efficiency for legacy processes, therefore each business interested in procuring or producing IoT devices should not only understand the real impact on the business and consumers but also take steps to ensure their ever-expanding IoT world is secure.