IoT security (internet of things security)

What is IoT security?

IoT security refers to the methods of protection used to secure internet-connected or network-based devices. The term IoT is incredibly broad, and with the technology continuing to evolve, the term has only become broader. From watches to thermostats to video game consoles, nearly every technological device has the ability to interact with the internet, or other devices, in some capacity.

IoT security is the family of techniques, strategies and tools used to protect these devices from becoming compromised. Ironically, it is the connectivity inherent to IoT that makes these devices increasingly vulnerable to cyberattacks.

Because IoT is so broad, IoT security is even broader. This has resulted in a variety of methodologies falling under the umbrella of IoT security. Application program interface (API) security, public key infrastructure (PKI) authentication and network security are just a few of the methods IT leaders can use to combat the growing threat of cybercrime and cyberterrorism rooted in vulnerable IoT devices.

IoT security issues and challenges

The more ways for devices to be able to connect to each other, the more ways threat actors can intercept them. Protocols like HTTP (Hypertext Transfer Protocol) and API are just a few of the channels that IoT devices rely on that hackers can intercept.

The IoT umbrella doesn't strictly include internet-based devices either. Appliances that use Bluetooth technology also count as IoT devices and, therefore, require IoT security. Oversights like this have contributed to the recent spike in IoT-related data breaches.

Below are a few of the IoT security challenges that continue to threaten the financial safety of both individuals and organizations.

1. Remote exposure

Unlike other technologies, IoT devices have a particularly large attack surface due to their internet-supported connectivity. While this accessibility is extremely valuable, it also grants hackers the opportunity to interact with devices remotely. This is why hacking campaigns like phishing are particularly effective. IoT security, like cloud security, has to account for a large number of entry points in order to protect assets.

2. Lack of industry foresight

As firms continue with digital transformations of their business, so, too, have certain industries and their products. Industries such as automotive and healthcare have recently expanded their selection of IoT devices to become more productive and cost-efficient. This digital revolution, however, has also resulted in a greater technological dependence than ever before.

While normally not an issue, a reliance on technology can amplify the consequences of a successful data breach. What makes this concerning is that these industries are now relying on a piece of technology that is inherently more vulnerable: IoT devices. Not only that, but many healthcare and automotive companies were not prepared to invest the amount of money and resources required to secure these devices.

This lack of industry foresight has unnecessarily exposed many organizations and manufacturers to increased cybersecurity threats.

3. Resource constraints

Lack of foresight isn't the only IoT security issue faced by newly digitized industries. Another major concern with the IoT security is the resource constraints of many of these devices.

Not all IoT devices have the computing power to integrate sophisticated firewalls or antivirus software. Some barely have the ability to connect to other devices. IoT devices that have adopted Bluetooth technology, for example, have suffered from a recent wave of data breaches. The automotive industry, once again, has been one of the markets hurt the most.

In 2020, a cybersecurity expert hacked a Tesla Model X in less than 90 seconds by taking advantage of a massive Bluetooth vulnerability. Other cars that rely on FOB (wireless) keys to open and start their cars have experienced attacks for similar reasons. Threat actors have found a way to scan and replicate the interface of these FOB-style keys to steal the associated vehicles without so much as triggering an alarm.

If technologically advanced machinery like a Tesla is vulnerable to an IoT data breach, then so is any other smart device.

How to protect IoT systems and devices

Here are a few of the IoT security measures that enterprises can use to improve their data protection protocols.

1. Introduce IoT security during the design phase

Of the IoT security issues discussed, most can be overcome by better preparation, particularly during the research and development process at the start of any consumer-, enterprise- or industrial-based IoT device development. Enabling security by default is critical, as well as providing the most recent operating systems and using secure hardware.

IoT developers should, however, be mindful of cybersecurity vulnerabilities throughout each stage of development -- not just the design phase. The car key hack, for instance, can be mitigated by placing the FOB in a metal box, or away from one's windows and hallways.

2. PKI and digital certificates

PKI is an excellent way to secure the client-server connections between multiple networked devices. Using a two-key asymmetric cryptosystem, PKI is able to facilitate the encryption and decryption of private messages and interactions using digital certificates. These systems help to protect the clear text information input by users into websites to complete private transactions. E-commerce wouldn't be able to operate without the security of PKI.

3. Network security

Networks provide a huge opportunity for threat actors to remotely control others' IoT devices. Because networks involve both digital and physical components, on-premises IoT security should address both types of access points. Protecting an IoT network includes ensuring port security, disabling port forwarding and never opening ports when not needed; using antimalware, firewalls and intrusion detection systems/intrusion prevention systems; blocking unauthorized IP (Internet Protocol) addresses; and ensuring systems are patched and up to date.

4. API security

APIs are the backbone of most sophisticated websites. They allow travel agencies, for example, to aggregate flight information from multiple airlines into one location. Unfortunately, hackers can compromise these channels of communication, making API security necessary for protecting the integrity of data being sent from IoT devices to back-end systems and ensuring only authorized devices, developers and apps communicate with APIs. T-Mobile's 2018 data breach is a perfect example of the consequences of poor API security. Due to a "leaky API," the mobile giant exposed the personal data of more than 2 million customers, including billing ZIP codes, phone numbers and account numbers, among other data.

Additional IoT security methods

Other ways to implement IoT security include:

• Network access control. NAC can help identify and inventory IoT devices connecting to a network. This will provide a baseline for tracking and monitoring devices.
• Segmentation. IoT devices that need to connect directly to the internet should be segmented into their own networks and have restricted access to the enterprise network. Network segments should be monitoring for anomalous activity, where action can be taken, should an issue be detected.
• Security gateways. Acting as an intermediary between IoT devices and the network, security gateways have more processing power, memory and capabilities than the IoT devices themselves, which provides them the ability to implement features such as firewalls to ensure hackers cannot access the IoT devices they connect.
• Patch management/continuous software updates. It is critical to provide the means of updating devices and software either over network connections or through automation. Having a coordinated disclosure of vulnerabilities is also important for updating devices as soon as possible. Consider end-of-life strategies as well.
• Training. IoT and operational system security are new to many existing security teams. It is critical for security staff to keep up to date with new or unknown systems, learn new architectures and programming languages and be ready for new security challenges. C-level and cybersecurity teams should receive regular cybersecurity training to keep up with modern threats and security measures.
• Integrating teams. Along with training, integrating disparate and regularly siloed teams can be useful. For example, having programing developers work with security specialists can help ensure the proper controls are added to devices during the development phase.
• Consumer education. Consumers must be made aware of the dangers of IoT systems and provided steps to stay secure, such as updating default credentials and applying software updates. Consumers can also play a role in requiring device manufacturers to create secure devices and refusing to use those that don't meet high-security standards.

Which industries are most vulnerable to IoT security threats?

IoT security hacks can happen in anywhere and in any industry, from a smart home to a manufacturing plant to a connected car. The severity of impact depends greatly on the individual system, the data collected and/or the information it contains.

For example, an attack disabling the brakes of a connected car or the hack of a connected health device such as an insulin pump to administer too much medication to a patient can be life-threatening. Likewise, an attack on a refrigeration system housing medicine that is monitored by an IoT system can ruin the viability of a medicine if temperatures fluctuate. Similarly, an attack on critical infrastructure -- an oil well, energy grid or water supply -- can be disastrous.

Other attacks, however, cannot be underestimated. For example, an attack against smart door locks could potentially allow a burglar to enter a home. Or, in other other security breaches, an attacker could pass malware through a connected system to scrape personally identifiable information, wreaking havoc for those affected.

Notable IoT security breaches and IoT hacks

Security experts have long warned of the potential risk of large numbers of unsecured devices connected to the internet since the IoT concept first originated in the late 1990s. A number of attacks subsequently have made headlines, from refrigerators and TVs being used to send spam to hackers infiltrating baby monitors and talking to children. It is important to note that many of the IoT hacks don't target the devices themselves, but rather use IoT devices as an entry point into the larger network.

In 2010, for example, researchers revealed that the Stuxnet virus was used to physically damage Iranian centrifuges, with attacks starting in 2006 but the primary attack occurring in 2009. Often considered one of the earliest examples of an IoT attack, Stuxnet targeted supervisory control and data acquisition (SCADA) systems in industrial control systems (ICS), using malware to infect instructions sent by programmable logic controllers (PLCs).

Attacks on industrial networks have only continued, with malware such as CrashOverride/Industroyer, Triton and VPNFilter targeting vulnerable operational technology (OT) and industrial IoT (IIoT) systems.

In December 2013, a researcher at enterprise security firm Proofpoint Inc. discovered the first IoT botnet. According to the researcher, more than 25% of the botnet was made up of devices other than computers, including smart TVs, baby monitors and household appliances.

In 2015, security researchers Charlie Miller and Chris Valasek executed a wireless hack on a Jeep, changing the radio station on the car's media center, turning its windshield wipers and air conditioner on, and stopping the accelerator from working. They said they could also kill the engine, engage the brakes and disable the brakes altogether. Miller and Valasek were able to infiltrate the car's network through Chrysler's in-vehicle connectivity system, Uconnect.

Mirai, one of the largest IoT botnets to date, first attacked journalist Brian Krebs' website and French web host OVH in September 2016; the attacks clocked in at 630 gigabits per second (Gbps) and 1.1 terabits per second (Tbps), respectively. The following month, domain name system (DNS) service provider Dyn's network was targeted, making a number of websites, including Amazon, Netflix, Twitter and The New York Times, unavailable for hours. The attacks infiltrated the network through consumer IoT devices, including IP cameras and routers.

A number of Mirai variants have since emerged, including Hajime, Hide 'N Seek, Masuta, PureMasuta, Wicked botnet and Okiru, among others.

In a January 2017 notice, the Food and Drug Administration warned the embedded systems in radio frequency-enabled St. Jude Medical implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices, could be vulnerable to security intrusions and attacks.

In July 2020, Trend Micro discovered an IoT Mirai botnet downloader that was adaptable to new malware variants, which would help deliver malicious payloads to exposed Big-IP boxes. The samples found were also observed to exploit recently disclosed or unpatched vulnerabilities in common IoT devices and software.

In March 2021, security camera startup Verkada had 150,000 of its live-camera feeds hacked by a group of Swiss hackers. These cameras monitored activity inside schools, prisons, hospitals and private company facilities, such as Tesla.

IoT security standards and legislation

Many IoT security frameworks exist, but there is no single industry-accepted standard to date. However, simply adopting an IoT security framework can help; they provide tools and checklists to help companies creating and deploying IoT devices. Such frameworks have been released by GSM Association, the IoT Security Foundation, the Industrial Internet Consortium and others.

In September 2015, the Federal Bureau of Investigation released a public service announcement, FBI Alert Number I-091015-PSA, which warned about the potential vulnerabilities of IoT devices and offered consumer protection and defense recommendations.

In August 2017, Congress introduced the IoT Cybersecurity Improvement Act, which would require any IoT device sold to the U.S. government to not use default passwords, not have known vulnerabilities and to offer a mechanism to patch the devices. While aimed at those manufacturers creating devices being sold to the government, it set a baseline for security measures all manufacturers should adopt.

Also in August 2017, the Developing Innovation and Growing the Internet of Things (DIGIT) Act passed the Senate, but it is still awaiting House approval. This bill would require the Department of Commerce to convene a working group and create a report on IoT, including security and privacy.

While not IoT-specific, the General Data Protection Regulation (GDPR), released in May 2018, unifies data privacy laws across the European Union. These protections extend to IoT devices and their networks and IoT device makers should take them into account.

In June 2018, Congress introduced the State of Modern Application, Research and Trends of IoT Act, or SMART IoT Act, to propose the Department of Commerce to conduct a study of the IoT industry and provide recommendations for the secure growth of IoT devices.

In September 2018, California state legislature approved SB-327 Information privacy: connected devices, a law that introduced security requirements for IoT devices sold in the country.

In February 2019, the European Telecommunications Standards Institute released the first globally applicable standard for consumer IoT security -- a side that had previously not been addressed on such a scale.

In December 2020, the U.S. president at the time signed the Internet of Things Cybersecurity Improvement Act of 2020, directing the National Institute of Standards and Technology to create minimum cybersecurity standards for those IoTs controlled or owned by the United States government.

IoT attacks and security varies

IoT security methods vary depending on your specific IoT application and your place in the IoT ecosystem. For example, IoT manufacturers -- from product makers to semiconductor companies -- should concentrate on building security in from the start, making hardware tamperproof, building secure hardware, ensuring secure upgrades, providing firmware updates/patches and performing dynamic testing.

A solution developer's focus should be on secure software development and secure integration. For those deploying IoT systems, hardware security and authentication are critical measures. Likewise, for operators, keeping systems up to date, mitigating malware, auditing, protecting infrastructure and safeguarding credentials are key. With any IoT deployment, it is critical to weigh the cost of security against the risks prior to implementation, however.