Locking Down the IoT
How to Safeguard Your Connected World
IoT. Internet of Things. You’ve likely heard these terms before. Maybe you’ve come across a blog like this or heard about the IoT on the news. But even if you haven’t, there’s a good chance you use IoT devices on a daily basis.
With the proliferation of internet-based technology, there is no avoiding IoT anymore. But the widespread adoption of IoT devices introduces a host of new cyber-threats. Just take a look at how hackers learned to weaponize Samsung refrigerators, and you’ll start to see the cracks created by IoT vulnerabilities. And while we may not be able to do anything about the market’s obsession with Wi-Fi-based devices, we can at least learn how to use them safely and securely.
Let’s get right into it, starting with the basic question: What is the IoT?
Putting the Things in IoT
Simply put, if it connects to the internet, chances are it’s an IoT device. You may immediately think of computers, phones, or tablets, but IoT encompasses far more. From your TV to your car to your washing machine, IoT devices are popping up everywhere. If you’re using a ‘smart’ device, then there’s a good chance it’s part of the Internet of Things.
That sounds like a lot of things!
You have no idea…
These Things are Everywhere
With the ever-increasing demand for technology, IoT connections are expected to reach 29 billion by 2027. Chances are, you already own a few of these devices. Do you have an Alexa or a smart TV? How about a doorbell camera?
These devices, to be sure, can offer their users unmatched convenience. An app-controlled coffee machine? Yes, please! But when you have a dozen different devices accessing your personal network in a dozen unmonitored ways, previously non-existent security risks start popping up like weeds through concrete.
How Secure are These Things?
You already understand the importance of cybersecurity. The U.S. alone has invested a staggering $15.6 billion in cybersecurity for 2023, and we’re willing to bet that amount is only going up in the coming years. The front line of cybersecurity is a complex battle between hackers and security teams, both sides innovating around the clock. So how do we take something that’s already complicated and make it even more so?
Enter IoT, stage left.
With more and more IoT devices hitting the market, it really is the wild west out here. From network breaches to crypto mining schemes, the list of IoT-based attacks keeps growing. IoT devices introduce a slew of new problems that poke holes in traditional cybersecurity defenses.
Here are just a few examples of these IoT vulnerabilities:
Weak Passwords
Some users may open their new smart speaker application and never change the default password. Does a speaker (or any IoT device) really need as much security as a personal computer or a phone? Yes, it does.
Your IoT device may not seem as vital to protect as your phone, but many IoT devices lack substantial authentication. As we’ll see below, if a hacker cracks a weak password, they can potentially access your personal network. Take a look at these password statistics, and see for yourself how weak passwords already cause enough cybersecurity problems. IoT’s addition to the playing field opens literally millions of new vulnerabilities to an already problematic system.
Shared Network Access
Many IoT devices connect to an end user’s private network. As we previously said, it only takes one breach for a hacker to compromise one of these devices and get their proverbial foot in the door. Once inside a network, a hacker needs only to side-step into your more sensitive data, reminding us why a layered approach to cybersecurity is indispensable.
Inconsistent Security
The IoT is a relatively new and expansive domain, encompassing all manner of devices. As such, it currently lacks consistent industry standards for security. IoT devices commonly lack data encryption, leaving sensitive information open for interception. Many IoT devices also lack patch management, which can lead to undocumented or unaddressed security vulnerabilities left open to exploitation. Without a consistent security standard, protecting IoT devices continues to be a struggle for individuals and businesses alike.
Lack of Visibility
If someone were to ask you how many different devices you have connected to your home internet, how confident would you be in your answer? You may have a general idea, but can you come up with a specific – and accurate – count? Many folks can’t.
The same goes for a lot of businesses. And with the sharp increase in remote work, undocumented hardware can find its way into an unsecured home network where it may become compromised. Alternatively, an already compromised device can enter an otherwise secure office environment. Without an established system, it is nearly impossible to retain an accurate inventory of active devices, leading to some serious security ‘blind spots.’
Okay, IoT can cause plenty of vulnerabilities. But what sort of problems can these vulnerabilities cause?
Let’s look at some known IoT security breaches to get a better sense of just how big of a problem IoT security has become.
Mirai Botnet Attack (2016)
Perhaps one of the most infamous IoT security breaches, the Mirai botnet attack used over one hundred thousand compromised devices to bring down vast swaths of the internet. A botnet is a network of computer devices used to carry out malicious cyberattacks, usually without permission or knowledge of the computers’ owners. The Mirai botnet attack used around 145,000 IoT devices such as Wi-Fi cameras, network routers, home appliances, and more, exceeding 1 Tbps (Terabyte per second) of bandwidth. Considered the largest IoT attack to date, this extensive breach caused major service outages across the internet, with Netflix, Twitter, Reddit, The Guardian, and CNN among those affected.
You can read more about the Mirai botnet attack here.
Verkada Security Camera Hack (2021)
The Verkada security camera firm had over 150,000 cameras compromised in 2021, their private feeds exposed to the public. These cameras included ones in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices.
You can read more about the Verkada breach here.
Bigpanzi Botnet (2015-2023)
A recently discovered cybercrime group called Bigpanzi has been infecting millions of Android TV boxes with malicious software they named ‘pandoraspear.’ Beijing-based security firm Qianxin Xlabs has reported that this cybercriminal organization controls approximately 170,000 active botnets that have been running an illicit media streaming platform since 2015.
You can read more on the Bigpanzi botnet attack here.
How Do We Protect These Things?
So, how the heck are we supposed to deal with all of these devices accessing our networks? We have a few tips to help limit the risk caused by IoT devices.
Know What’s Connected
Learning what devices are connected to your environment is vital to safe IoT usage. Using device identification and discovery tools will allow for an automatically updated record for these kinds of devices.
Physical Protection
Knowing where your device physically exists is just as important as knowing how many are connected to your network. As mentioned earlier, IoT devices can be taken into unsecured environments where physical security is lacking (e.g., a home office). In these spaces, tampering can occur, which can lead to hardware damage, data loss and more. Limiting direct, physical access to these devices is vital to their security.
Private Networks
Segmenting IoT devices into sub-networks will reduce the risk of malicious actions spreading across your network. If an IoT network becomes compromised, a sub-network will provide you the time to react and prevent further infection. You can learn how to segment your network here.
Limit Unused Features
Those extra features on your device may seem harmless—what’s the big deal if your smart watch wants to activate location tracking? Well, each feature provides hackers with another avenue of entry. Deactivating these unused/unrequired features will limit opportunities for threat actors.
Passwords and MFA
This tip may seem obvious, but you saw the password stats. It’s critical that IoT default passwords are changed and MFA is established during a device’s setup. Proper password etiquette will protect your devices from easily avoidable breaches.
Regular Patching
Learn what IoT devices have existing patch support before their installation. Once installed, keep these devices updated to limit future vulnerabilities. Sometimes, a device may be impossible to patch due to manufacturer limitations; in this situation, you should consult your IT department to determine if the device is worth the risk to your network.
Wi-Fi Encryption
Encryption is an important tool within the layers of cybersecurity, and without it, your private information could be intercepted and compromised. Proper encryption will keep your data indecipherable to any malicious party that may compromise your network. You must establish network encryption to protect your data.
Summing Up
In today’s world, we sure do have a lot of things to keep track of – and a lot of potential vulnerabilities to manage. After reading this article, we wouldn’t blame you for wanting to toss your smart toaster right into the trash. But at the end of the day, IoT is here to stay. Instead of fearing the abundance of devices clambering to connect to your network, strive to understand them. Keep those passwords changing, those networks segregated, and know which devices are connected to your network.
These devices may be smart, but we can be smarter.
If you have any questions or want to learn more about how to protect your network, we’ve got you covered! Schedule your call with The 20 MSP today!