Computers are faster, smaller and more affordable than ever before. More interestingly, they are being integrated into many consumer products, making everything from our beds to wristwatches smarter, Internet of Things-ready and capable of doing automated tasks. These “smart” devices are proliferating faster than you might expect, with smartwatches becoming one of the largest groups of connected devices, according to data from my company.
However, I’ve seen firsthand through my company’s AI cybersecurity platform that many IoT devices are not sufficiently protected against cyberattacks. Some devices lack even the most basic security measures. As a result, IoT-based cyberattacks are becoming more frequent. For example, variations of the Mirai botnet have infected countless consumer IoT devices since 2016.
This is disturbing, knowing that IoT devices are becoming more and more popular. This makes a large part of the domestic population at risk of having their home network security compromised if steps are not taken to secure their IoT devices.
Vulnerable connected devices are also a threat to businesses, especially considering bring-your-own-device campaigns and hybrid work arrangements where employees use their own devices to access corporate networks.
Today, dozens of IoT device categories are vying for their place under the sun, and while some devices that have a history of security issues might not be gaining a lot of popularity, I’ve seen wearables emerge as one of the most popular IoT devices and believe they could become a target for malicious actors.
Overall cybersecurity depends on IoT security.
The Mirai botnet attack had a significant impact on internet usability back in 2016 and showed why vulnerable IoT devices can be a threat to key infrastructure. It should have been a wakeup call for IoT manufacturers and the wider public. Unfortunately, I’ve found that some manufacturers continue making devices with severe security issues, such as open ports or hard-coded root passwords.
These vulnerabilities are also a threat to consumer home networks, as compromised IoT devices have been shown to provide access to other devices on local networks. Such IoT attacks can result in the loss of valuable data from network data storage devices and could also lead to the penetration of corporate environments down the line.
IoT device manufacturers can work to avoid a few key security issues.
From my perspective, the largest issue in IoT security is that many consumer IoT devices are manufactured without some basic security considerations. There are too few incentives and not enough pressure from consumers to create devices that are secure by design.
Just some of the security challenges IoT device manufactures can work to reduce are:
• Easy-to-guess, default, weak or hard-coded passwords.
• Lack of secure update mechanisms.
• Abandoned devices that are unsupported halfway through their expected lifetime.
• Unpatched operating software.
• Insecure data storage and transfer.
• No multi-factor authentication for cloud services.
• Open ports.
Every day, new IoT devices appear on the market with these and other vulnerabilities. While some might claim there are no common standards for IoT security, the things mentioned above are extremely basic security flaws that have no place in online-capable devices of the 21st century. Some manufacturers have started to rely on cloud solutions to avoid most of these security issues, but I believe last year’s Google outage showed that cloud solutions might not be the only solution in terms of IoT reliability.
There are a few security issues consumers and organizations should be aware of as well.
Everyone should have some knowledge of the threats and issues that come with IoT devices. The following are some potential security issues consumers and organizations should be aware of.
1. Participation in botnet attacks: Armies of remotely controlled devices (bots) can stay dormant for a long time unless you examine your device traffic, which does need some technical knowledge. When compromised devices are not quarantined, large groups of them can launch a botnet attack and send massive amounts of traffic to take down a target. These attacks can be large and focused on critical infrastructure, or they can be small-scale attacks on individuals.
Malicious actors might also use more sophisticated techniques, such as mirrored attacks, where a compromised device can send a single request to notify the botnet of its presence and would then be targeted by the whole botnet. Based on my experience in cybersecurity, these sorts of attacks are likely to become more common as industrial IoT expands with 5G deployments.
2. Ransomware in IoT: Ransomware is quickly becoming an extremely popular and lucrative form of malware. It is constantly evolving and is already used to target IoT devices. About 65% of the surveillance cameras in Washington, D.C., were affected by ransomware in 2017, for example, which left the police with no capability to record for two days, according to the Washington Post. In addition, health care gadgets, wearables, smart devices, smart homes and ecosystems have also become prone to risk and attacks.
3. Lack of user awareness and knowledge: Some device manufacturers are improving their device support and updates and even patching devices that have reached the end of life. I recommend basing purchase decisions on these factors. I also recommend always changing the default login credentials of all devices and using complex passwords, as well as taking advantage of advanced cybersecurity solutions that protect your whole network, including potentially vulnerable IoT devices.
Attacks on consumer IoT devices do not need to be very sophisticated, but they can still do a lot of damage to someone’s home and business. The only way to deal with these issues is to have a combination of better manufacturing practices and consumer awareness. As the growth of the IoT device market continues, the security issues coming from this space cannot be ignored by brands or consumers any longer.