Businesses have embraced numerous Internet of Things (IoT) devices to automate processes, increase productivity, save money, generate important metrics and more. To realize these benefits, traditional physical devices (hardware) have progressed to “hybrid” products that now incorporate software to collect and connectivity to transmit meaningful information. This progression has created the emergence of connectivity in devices that were not originally designed to extend beyond the physical hardware.
IoT’s hybrid nature, however – combining hardware, software and connectivity – will increase the attack surface of the environment in which it runs. As manufacturers and business users of IoT products, organizations would do well to consider what their adoption of and progression to IoT means for their overall risk landscapes, and what to do now to secure their devices.
Manufacturers’ IoT security risk
If a business manufactures any device that may become connected (refrigerators, door locks, cameras, speakers, etc.), the risks are more extensive than they are for consumers.
Intellectual property is part of almost every product. It is often what differentiates the product, and as these devices become connected, competitors may no longer have to take a device apart to figure out how it works; they can connect, steal and reverse-engineer a company’s intellectual property from a single instance of its product if security was not adequately incorporated into the design lifecycle.
For example, Protiviti performed testing on an IoT device that received firmware updates via a mobile app connected over Bluetooth. During this test, Protiviti was able to intercept that Bluetooth traffic, reconstruct the firmware update, and decompile it. This chain of attacks allowed the testers to extract sensitive company intellectual property as well as identify additional attack vectors targeting the device and its corresponding infrastructure.
Malicious actors can exploit the new attack surface introduced via internet connectivity to cause devices to malfunction. For instance, if a company is selling a speaker, hackers might use that speaker’s technology to control the device; to listen or speak into someone’s home. If the product is an insulin pump, bad actors could compromise and even alter dosage and other information.
A device could wind up being operated in a way the manufacturer never intended. At a minimum, the penalty could damage the brand, but it could also be a class action lawsuit or regulatory action.
How IoT manufacturers can manage IoT security risk
Managing IoT risk will depend first on a product’s role. For instance, a climate-control device might regulate temperature and humidity in a clinical environment. Consider the risks associated with access to the device and risks inherent in its intended use and environment.
“The best defense is a good offense.” Manufacturers should proactively build or retrofit devices by making them secure by design, including incorporating DevSecOps processes, threat modeling, continuous code scanning, device-specific penetration testing and software bills of materials (SBOMs) into their product development lifecycle.
- IoT device manufacturers will want to incorporate DevSecOps principles consistently in their development approach. DevSecOps encompasses secure culture, practices and tools to drive transparency, teaming and agility. It automates security tasks and embeds security controls throughout the DevOps workflow.
- Manufacturers can conduct threat modeling to identify and prioritize risks. Threat modeling helps product teams determine threats and countermeasures through a “structured representation of all the information that affects the security of an application.” Threat models usually describe potential threats and the actions that could mitigate them; beyond that, they specify how to validate the threat model itself as well as the means by which the success of countermeasures will be verified.
- Penetration testing simulates attacks against hardware and networks to identify vulnerabilities before bad actors do. These mock attacks challenge both device and network security capabilities and should be specifically executed on the hardware – not just the software.
- The SBOM is an inventory of all the components and versions in use by IoT device software. Maintaining these inventories enables manufacturers to cross-reference their product’s components to vulnerability databases so they can keep up with new vulnerabilities as they emerge.
Business consumers’ IoT security risk
Businesses have come to rely on smart door locks, thermostats, cameras and other IoT devices. These devices provide tremendous benefits to commercial processes and operations, but they come with significant risks.
A well-known story from last year concerned what’s come to be called the Verkada breach, in which hackers gained access to smart cameras in hospitals, governments, psychiatric wards, banks, non-profits, major enterprises, universities, hospitality companies and other organizations. The hackers claimed they’d accessed more than 150,000 cameras. What’s worse, they may have also been able to access Verkada customers’ networks via their penetration of the cameras.
The Verkada story has become a cautionary tale to businesses whose data privacy, network security, compliance status and brand reputation could be damaged if any of their IoT devices are compromised.
How business consumers can manage IoT security risk
Leaders whose organizations make use of IoT devices can start to strengthen their IoT security posture by asking:
- Do we have an inventory of IoT devices in use now?
- Can we monitor traffic or otherwise detect potential threats on these devices?
- If we identify a vulnerability in our IoT devices, what is our plan to update their security?
- Do we have controls to manage security and risks associated with our IoT assets?
- Have we implemented business and technology resiliency plans that encompass IoT risk?
Whether evaluating potential risks concerning IoT already in place, or IoT devices the business might acquire in the future, survey the organization’s IoT inventory to understand:
- The data that IoT devices generate, and how that data is protected.
- The sensitivity of the data IoT devices might contain to harm businesses, customers, employees and other stakeholders.
- How infected or compromised IoT devices could disrupt networks, enterprise applications and business operations.
Beyond gaining insights by researching and documenting characteristics of the organization’s IoT inventory, pragmatic, tactical actions can immediately reduce risk:
- Make sure factory passwords get changed as part of IoT device deployments.
- Review every software patch the manufacturer provides and install it promptly.
- Check whether devices will interoperate with third-party antivirus/malware software to complement security features the manufacturer provides.
However significant these risks might be, IoT will still deliver meaningful advantages, and these are risks that can be managed. At home and in business, IoT devices are making our lives easier through new efficiencies and automation, as well as providing metrics and other data. As hybrid products comprising both hardware and software, IoT devices come with new vulnerabilities and will increase the attack surface of the networks on which they run. Manufacturers and business users of IoT products can secure their networks, applications and operations from these new threats by understanding IoT characteristics and acting promptly on new insights.
To learn more about our IoT and other emerging technology consulting services, contact us.