What is IoT Security

Jenn Henry Horowitz

December 1, 2020

IoT

IoT security is vital and costly.

With some analysts predicting that the economic impact of the Internet of Things or IoT could be between $3.9 to $11.1 trillion worldwide by 2025, device manufacturers, infrastructure, and service providers are in a mad rush to get in on that market. However, profitable IoT and secure IoT aren’t necessarily the same thing — at least, for the moment.

In the IoT hardware manufacturing area, in particular, haste to bring products to market has been overriding the consideration of security for IoT devices. And on the user side, the quickness to embrace the convenience and functionality offered by the IoT is breeding a kind of willful ignorance when it comes to Internet of Things security — on the part of enterprises and individual consumers alike.

Unless IoT device security becomes a priority at all levels of the ecosystem, this situation will only worsen in the future. The more variations of IoT devices that are in development or being deployed, the more complex IoT security challenges will become.

In this article, we’ll be considering the issue of cyber security in IoT, looking at some of the solutions currently available, and putting the spotlight on some of the top organizations in the IoT cybersecurity arena.

IoT Security Issues

As we have already observed, IoT is still a relatively new and immature technology, with challenges that need to be overcome both by manufacturers and users. IoT security problems are exacerbated by a lack of knowledge on the user side and a certain complacency that IoT vendors and service providers know what they’re doing and protect the consumer. However, on the part of device manufacturers, IoT suffers from issues of inconsistent production standards, poor maintenance and update cultures, and an intrinsic failure to make IoT security a part of the design and manufacturing process.

As a consequence of this, there are several persistent obstacles to securing IoT.

Poor Security Design on The Part of IoT Manufacturers

The failure to make security an integral element in the product design process results in a number of risks, including:

  • Hard-coded default device passwords are weak and easy to guess.
  • Hardware faults that pose security vulnerabilities.
  • No secure update mechanism.
  • Embedded operating systems and software that are out of date and difficult to patch.
  • Unsecured data transfer and storage.

The fact that there’s currently no universally applicable set of IoT security standards makes matters worse.

Lack of User Knowledge and Awareness

Ignorance and lack of awareness of IoT functionality put users at risk of social engineering and phishing attacks, which can induce unwary humans to take actions that threaten their IoT devices and infrastructure.

An example of this was the 2010 Stuxnet attack against a nuclear facility in Iran. The ultimate agent of damage to the facility was the IoT industrial programmable logic controllers (PLCs) that corrupted 1,000 centrifuges and caused the plant to explode. The malicious code that caused the corruption was introduced by a plant worker who plugged a USB flash drive into one of the site’s internal computers.

Poor Device Update Management

A secure IoT very much depends on an ecosystem of secure devices and software. Updates are critical for maintaining security on IoT devices — and these updates are especially important in protecting software and firmware when new security vulnerabilities come to light. Sadly, IoT device update mechanisms have yet to improve to meet this challenge.

Another issue concerns the update process itself, during which a short period of downtime typically occurs as a device sends its backup data to the cloud. Within this brief window, hackers could potentially steal sensitive information if the connection is unencrypted and the update files are unprotected.

Rogue and Counterfeit IoT Devices

One of the major IoT security challenges is closing the network perimeter and managing all of the devices within a single user’s network. It’s often the case that, without authorization, users are installing rogue and counterfeit IoT devices on secured networks. These units either supersede the original hardware or integrate into the network to collect confidential information, breaking the network perimeter.

Video cameras, thermostats, and other types of devices can effectively become rogue access points, enabling hackers to steal communication data without the network owner’s knowledge. The proliferation of home IoT networks is amplifying this problem.

Co-opting of IoT Devices for Botnet Attacks

An “army” of IoT devices infected with malware and directed to send thousands of data requests per second to a given target constitutes a botnet. And since many IoT devices are highly vulnerable to malware attacks, this is relatively easy for hackers.

The Mirai botnet attack of 2016 for example, enabled the perpetrators to stage multiple Distributed Denial of Service (DDoS) attacks using hundreds of thousands of infected IP cameras, Network Attached Storage (NAS) devices, and home routers, to bring down the DNS (Domain Name System) services for platforms like GitHub, Twitter, Reddit, Netflix, and Airbnb.

Similar botnets can pose a security threat to electrical grids, manufacturing plants, transportation systems, and water treatment facilities.

Using IoT Bots in Cryptocurrency Mining

A recent variation on the IoT botnet is using infected armies of devices to provide the processing power needed to mine cryptocurrency. The open-source cryptocurrency Monero was one of the first cryptocurrencies to be mined using infected IoT devices, including video cameras.

This type of attack has the potential to flood and disrupt the entire cryptocurrency market with a single incident.

Ransomware and Hijacking of IoT Devices

Ransomware blocks access to sensitive files and data using encryption, effectively rendering a device useless to its owner. Ransomware distributors may demand payment in exchange for the access codes needed to break that encryption (which they may or may not release, even if payment is made) — or they may simply be malicious saboteurs, leaving victims in the lurch.

Cases of IoT devices being infected with ransomware are rare, but the idea is gaining traction in the cybercriminal world. Wearables, healthcare gadgets, smart homes, and other smart systems could be at risk.

Spying and Sensitive Data Theft

Vulnerable IoT devices may fall prey to malware or software vulnerabilities, enabling hackers to gain access to their information streams. These could include camera surveillance data, personal health and fitness information, or corporate secrets at the enterprise and Industrial IoT levels. Some countries are starting to ban specific IoT devices with security problems for this very reason.

IoT devices that send data to the cloud without any encryption can also give cyber criminals access, who may alter the information. In the case of a hacked medical IoT device, for example, this could have life-threatening consequences.

Lack of Physical Protection for IoT Devices

Particularly in situations where IoT devices must be left unattended at a location for long periods, there’s a need to secure them from external threats physically. While this falls within the user’s level of responsibility to a large extent, secure IoT device design must begin with the manufacturer. However, building secure sensors and transmitters into low-cost devices can be a challenging task for manufacturers.

IoT Security Companies

To tackle these IoT security issues, vendors are creating a variety of offerings, which range from network visibility and segmentation to dynamic policy enforcement. In 2020, the list of top IoT security companies includes the following:

Armis

Armis offers an “agentless” IoT security platform, enabling enterprises to gain visibility and control of any unmanaged connected devices entering the workplace.

Axonius

The Axonius cybersecurity asset management platform can identify, manage, and enforce security policies for a wide variety of IoT and traditional devices, as well as cloud computing instances.

Check Point Software Technologies

Check Point Software Technologies acquired early-stage security vendor Cymplify last year, giving the company new control, threat prevention, and runtime workload capabilities for preventing attacks on IoT devices.

Claroty

Claroty provides an integrated suite of cybersecurity products, including continuous vulnerability detection and threat monitoring tools, network segmentation, and secure remote access.

ReFirm Labs

With its Centrifuge IoT security platform, ReFirm Labs gives enterprises the ability to analyze firmware in IoT devices for out-of-device software components and vulnerabilities. The platform includes features such as continuous monitoring and prioritized alerts.

Other IoT Security Solutions

Through the incorporation of security-by-design principles and the innovative solutions offered by start-ups, the IoT industry is attempting to address the security concerns of its customers. Some of the top IoT security solutions on offer include:

Indegy

The Indegy platform oversees IoT industrial control network activities, including alterations to controller logic, configuration, and code, using an agentless controller verification technology.

Inspirit IoT

Inspirit IoT uses machine learning to provide intelligence for real-time, life-or-death, and mission-critical use cases or applications. The markets it serves are those in which performance, power, and time-to-market are critical.

Karamba

Karamba is a cybersecurity technology designed to stop hackers from breaching connected cars. It does this by hardening the connected Electronic Controller Units (ECUs) against foreign code, preventing hackers’ manipulation.

MagicCube

MagicCube uses proprietary technology to implement security in mobile and IoT devices, protecting sensitive data and cryptographic operations. The product also has remote management capabilities.

PFP Cybersecurity

PFP Cybersecurity offers a behavioral analysis platform that detects intrusion hardware, firmware, configuration, and data problems in IoT devices, and fixes them pre-emptively. Its 24/7 monitoring and remediation can be fully automated.

Summary:

IoT Security

In the IoT hardware manufacturing area, in particular, haste to bring products to market has been overriding the consideration of security for IoT devices. As we have already observed, IoT is still a relatively new and immature technology, with challenges that need to be overcome both by manufacturers and users. IoT security problems are exacerbated by a lack of knowledge on the user side and a certain complacency that IoT vendors and service providers know what they’re doing and protect the consumer. The issues: Poor Security Design on The Part of IoT Manufacturers, Lack of User Knowledge and Awareness, Poor Device Update Management, Rogue and Counterfeit IoT Devices, Co-opting of IoT Devices for Botnet Attacks, Using IoT Bots in Cryptocurrency Mining, Ransomware and Hijacking of IoT Devices, Spying and Sensitive Data Theft, Lack of Physical Protection for IoT Devices

See the article here.