IoT, or the Internet of Things, has made its way into every corner of our lives.
Once upon a time, the idea of an inescapable internet may have seemed like a far-off dream. Today, it’s our reality. Internet connected devices are everywhere—from our fitness trackers to our vehicles and appliances. These devices track our sleep patterns, enable us to set our coffee machines remotely, and find our pets after they have wandered off, among countless other tasks.
But, as much as IoT has changed our personal lives and habits, it has had much further reaching effects on industries such as manufacturing, energy production, agriculture, mining, and construction. Objects in production environments that were once “dumb,” such as thermometers, are now enabled with sensors which collect data and change it into electrical outputs, and actuators, which take data and convert it into energy. The data that is collected, monitored, and analyzed is then leveraged to optimize processes, saving businesses money and time.
In the healthcare field, the developments brought about by IoT are staggering. Connecting medical devices to the internet is proving to be a game changer for conducting procedures such as heart monitoring, asthma monitoring, and diagnosing and treating certain kinds of cancer. There are even sensors that allow doctors to track whether or not patients are taking their medications as prescribed using a smartphone app.
It’s not a long shot to say that soon, everything in our lives will become “smart.”
The Sad State of IoT Security
As beneficial as internet connected devices are, they do create significant security challenges. While you might assume that these devices are protected with the same level of security as the typical network server, this is not the case. IoT devices present some major security concerns, which are outlined below.
They Are Difficult to Encrypt
Typically, IoT devices are basically single-purpose computers built without a lot of memory or processing power that run on weak hardware. This makes encrypting them more difficult, which in turn makes these devices easy prey for many different kinds of attacks. In fact, a recent report found that of 56 million tracked IoT devices, 91.5% of data transmission was unencrypted.
Lack of Experience
Many inexperienced manufacturers are jumping on the IoT bandwagon, and security simply isn’t on their radar. Experts compare this lack of awareness to the early days of PCs, when computer manufacturers were oblivious to the dangers their products would face. Moreover, IoT devices are more challenging to program than traditional software. They require programmers to know more about kernel and OS internals than regular programmers often do.
Lack of Standards
The standards and best practices for IoT devices are currently still under development. Organizations like The National Institute of Standards and Technology (NIST) and The Internet of Things Security Foundation (IoTSF) are working on developing baseline security standards, but these are not yet complete.
Security Isn’t a Market Priority
The reality is that loT devices are designed with the goal of getting to market before the competition does. This means that corners may be cut. Since security isn’t considered a selling point, it’s usually what gets the short shrift.
Major IoT Breaches
By 2025, there will be upwards of 75 billion IoT devices, making the potential for vulnerabilities huge. We don’t need to wait until then to see the damage that IoT devices can cause. Below are a few examples of problems that the vulnerabilities in improperly secured IoT devices have already caused.
In the fall of 2016, a botnet called Mirai used IoT devices to launch numerous DDoS attacks against entities such as KrebsOnSecurity, the French internet host OVH, and the US’s Dyn DNS provider. This notable succession of hacks was significant, as it was the first time IoT devices were used as a means of attack propagation. In the case of Dyn, the attack knocked out a large chunk of the internet on the east coast of the US by exploiting weak security measures in IoT webcams. It then infected the devices with malware which turned them into a part of the botnet.
Hackable Cardiac Devices
As mentioned above, IoT is propelling huge advances in healthcare. Some of these advances, such as the radio-controlled implantable cardiac devices developed by St. Jude Medical, are incredibly invasive. These devices were built with a vulnerability that allows attackers to access and reprogram them. In theory, this could enable an attacker to administer inappropriate levels of pacing, potentially causing patients to die.
Casino Fish Tank Hack
An internet connected fish tank was hacked via its thermostat at an unnamed US casino in 2017. The large aquarium, brimming with exotic fish and saltwater plants contained a vulnerability that allowed attackers to steal data from the casino’s database.
Scenarios like these prove that IoT devices must be built and used with security in mind.
Best Practices for Staying Secure
If both manufacturers and users begin to implement better practices in these technologies’ nascent stages, a great deal of future damage can be avoided. While achieving total security for all IoT devices probably isn’t realistic, the overall scope of damage can be avoided by implementing the right tools and best practices, such as the ones listed below.
Best Practices for Device Manufacturers
Organizations need to become committed to improving security. To do this effectively, there must be a specific person or team in charge of security. They must ensure that security measures are being implemented thoroughly and throughout every stage of the development and product lifecycle. This includes ensuring that there are no bugs before shipping and that users are informed about security updates.
Integrate End-to-End Security
An end-to end approach to security incorporates encryption, cloud security practices, and application/access security measures to fully protect the product and its pathway. It extends security from the device to the cloud and then to the application.
Design with Security in Mind
Rather than allowing security to be a tacked-on afterthought, it should be baked in from the earliest stages of product development. This means implementing continuous testing procedures along with following best practices for programming throughout all stages.
Send Updates to Registered Users Regarding Security Issues
This should be an integral part of any security plan. An alternative to this is to follow the Nest model, which charges their users a $10 monthly fee for upkeep services. These services include all updates.
Best Practices for Enterprises
Use Strong, Unique Passwords
Never use default passwords, and make sure that each strong password uses a mix of upper and lowercase letters, numbers, and special characters.
Keep Your Devices Updated
Manufacturers issue patches for vulnerabilities as they are discovered. However, if you’re not checking for those patches, you can’t update your devices with them. Make sure to check manufacturers’ websites regularly to see if patches have been released. If you find any, update your device ASAP. This is one of the easiest, most proven ways to protect your devices.
Two-factor authentication is another protective layer of security that requires the user to enter a one-time code after entering their password. Not all devices offer 2FA, but if you have one that does, you should be using it.
Run Devices on a Separate, Dedicated Network for IoT Devices
If devices are on their own network and a device on that network is breached, there will be less impact to the rest of your infrastructure.
UPnP is the protocol that enables networked devices to discover other networked devices. While this is important for interoperability, it allows devices to be tracked. On the same note, you can, and should, turn off all default settings or features that you don’t need on all of your devices.
Securing IoT with Logz.io
One valuable resource used for securing IoT is the data coming out of these internet-connected devices. IoT devices create lots of data, such as logs and metrics, that can be monitored and analyzed to not only monitor performance but also preemptively discover and troubleshoot vulnerabilities and other security issues.
Preventing the next big attack means implementing best practices and using the right tool set. Logz.io Security Analytics, for example, enables users to identify potential threats based on what is happening both inside the system and in the world outside the corporate network. Capabilities such as threat detection and correlation rules enable users to monitor IoT devices and identify attack patterns as they are taking place.
IoT is here to stay, and it is incumbent upon device manufacturers, as well as the enterprises using these devices, to understand their roles in keeping devices and users secure.