Security in IoT
Iot devices power our lives more and more, and in more ways than you might expect. Currently, IoT devices power the economy with billions in revenue, and are expected to reach 1.6 trillion dollars in revenue by 2025. Currently, we’re nearing 30 billion IoT devices in use, and that number could reach 60 billion or higher by the close of 2025. These devices can do everything from monitor ambient conditions, create home or corporate security systems, remotely control our cars, and much more.
However, security in IoT isn’t always the stringent protection we expect from the majority of our online activities. In fact, it’s only beginning to approach somewhat standard levels of security. This may not seem to mean a lot, afterall, many government websites still rely on Internet Explorer, a platform known for its security weaknesses.
That being said, we should still consider the fact that IoT devices have intimate access to the closest details of our lives, and our businesses. With access to a webcam or security camera, a hacker can view and record anything the camera itself can. If a hacker intercepts packets of data during a backup, they can steal the crucial information your business relies on to keep ahead of competitors.
So, what are the biggest threats to IoT security, and what can we do about them?
Today’s Top IoT Security Threats
Malicious attacks, theft, and hackers can reach any type of online system. However, as IoT is still emerging, there are some more specific concerns that we don’t see as much with other online activities. While the threats range far and wide, these are the most common today:
Perhaps one of the most overlooked security threats, physical protection can be just as important as encryption. IoT devices do much of their work through the internet, but they still need a physical casing to exist. Unlike intangible ideas, physical items are much easier to steal once a thief gains access to the premises where they are. Some IoT devices aren’t necessarily right in the kitchen or living room, where owners can see that they’re safe and present.
Whether for personal or business use, some IoT devices are in more remote locations, where a person might not be around to physically see them. If there isn’t proper security surrounding the location and device, there doesn’t even need to be a hack to get to them. A burglary can easily result in a stolen device, and plenty of sensitive information as a result.
One way to physically protect IoT devices is with regular check ins, and a good security system if they’re in a more remote location. The device should also be encrypted with strong password and username credentials to ensure that even if the hardware is stolen, the information contained within isn’t easy to access.
Related: outside equipment
Even when IoT devices are in a safe, secured environment, that doesn’t mean they’re physically safe from outside threats. For instance, storage devices like USB drives or external hard drives. A device might be entirely safe, clean, and secure. However, a compromised drive can corrupt an entire network of IoT devices in as little as a few seconds. For businesses, this means that a well meaning employee could accidentally introduce a major security threat without ever knowing it. Using only verified, secure external devices, and prohibiting or limiting the use of employees’ personal hardware can help mitigate the risk.
Software Updates and Security
Unfortunately, as more technology rolls out, many manufacturers don’t provide the same level of security in updates for their older devices. When a device is new, it often has the best and most stringent security for the time. These updates might continue for a while, and even after the newest equipment comes out. However, over time, many manufacturers let the software updates fall by the wayside, and the updates are really as efficient and secure as they are for the new versions.
Another concern plaguing IoT devices is the transfer and backup of data during software updates. Typically, during and update the device automatically sends a backup of the data to the cloud to ensure nothing is lost should there be issues during the update. This is a good idea, and it does give you peace of mind should your network flicker out during the update. Unfortunately, these automatic backups aren’t always secure and encrypted as they should be. This gives hackers a ripe opportunity to steal data during updates, while you’re completely unaware.
Related: slow updates and patches for vulnerable software
This really comes down to the responsibility of the manufacturer, although it can plague users regardless. As soon as a vulnerability is detected, there needs to be an update to remedy any security concerns. While these updates often come out sooner or later, it’s the later aspect that causes real problems. A responsible IoT developer will send out a secure update as soon as possible in these instances. However, that doesn’t always happen. If you have this concern, it’s best to buy IoT technology from manufacturers you can rely on to be upfront and correct issues as soon as they come up.
Sometimes an operating system (OS) becomes outdated. That doesn’t mean you can’t use it, or use IoT devices with it. However, the software does need some working with, often in the way of a patch. These patches fill in the gaps that would otherwise leave space for malware or data theft.
Manufacturer Security Protocols
When it comes to security and compliance protocols, there really aren’t any solid rules for IoT device manufacturers. While there are some guidelines in place, that’s really all they are: guidelines. Manufacturers aren’t obligated to follow best security protocols, and some rush to release the newest gear, rather than committing extra time to developing more robust security.
These issues can arise from the hardware itself, weak credential requirements, or insecure data transfer and management built into the device, and the operations thereof. For example, many IoT devices come with preset login credentials. Username: Admin, Password: Password1
These preset credentials don’t necessarily present a security risk on their own. However, many users simply leave them as is. Afterall, it’s certainly easier to remember ‘Password1’ than a more complicated (and secure) password with a unique username. Unfortunately, as easy as this makes it for the user, it makes it basically effortless for hackers to gain access to the devices and data it corresponds to.
Not every manufacturer will advise the consumer to change these credentials. Even if they don’t, you absolutely should for your own security.
The End User
As many security gaps as there may be within some IoT technology, humans can cause just as many security risks on their own. Much like leaving the preset credentials in place, there are near endless ways people can accidentally compromise the security of their data and devices. We’ve touched on some of these already, but it’s important to recognize that technology can only do so much to protect our online security. No matter how well encrypted a device is, it can’t prevent a human from plugging in a compromised USB drive with a virus or other malware. Likewise, it can’t force you to create new, more secure login credentials, or prevent you from using the same password for everything, or using your address or phone number as a password.
In the same way, no matter how good the technology is, it can’t ensure you keep your devices in a secure location, with surveillance in place. Remember, not all cyber attacks target the device or network. In many cases, an unknowing person is a target, and spreads a security risk through actions they see as perfectly harmless. Another good example of this is sending data without proper encryption. A person may need to work on some documents at home, and email or message information to their personal accounts. As these data packets go to the next account, they’re vulnerable to theft if they aren’t sent using secure, encrypted means.
Malware, Ransomware, and Botnet Attacks
Malware can quickly compromise an entire network, even if it originally only gains access to one device. Typically, malware gets in through small cracks in network security, but once it’s in, it turns into a much larger problem that can result in destroyed systems, large scale data theft, and much more.
Ransomware works a lot like malware, but the end motivation is different. While malware focuses more on stealing data, whether personal or corporate, ransomware locks up that valuable and sensitive information. It works much like you might think, per the name. The ransomware gains access to a network or device, and targets sensitive data. It then encrypts the data or files with a special key. This key is very difficult, if not impossible for the original owner to unlock. The owner is then presented with a demand. It’s often for a certain amount of money, to get the encryption key to unlock and release their data.
Botnet attacks work with a massive level of ‘bots.’ These are essentially automated, computerized hacks that flood a network with entry requests. These quickly overwhelm a network with weaker security. Then, the hackers gain access to the network and the data contained therein. It takes a very strong and well encrypted security system in place to resist infiltration.
In our day and age, we want the best and newest devices, and we want them, ASAP. While rapid releases of new tech might satisfy the consumer, they can also create large security problems. Especially without a rigorous testing process. Often, it’s in the rush to release new IoT gear or software. Developers might be tempted to cut corners in their pre-release testing. Because IoT is still a newer technology, it has more vulnerabilities than other online devices, and can be compromised as a result.
To ensure they’re really secure, IoT devices need to undergo several different stages of testing for not only their operation, but also their resistance to malware and threats. Again, this has more to do with developers than it does the end user. However, users can defend themselves from security threats more if they make sure they only get devices that are tried and tested for any security flaws before release.
Outside IoT Devices
IoT devices from outside the network can provide ample security risks, and they can even go unnoticed by the most aware users. These are also sometimes called ‘rogue devices.’ Rogue devices can work in a few different ways. Sometimes they start as legitimate devices that undergo some altering to infiltrate the larger network. Other times, they start as counterfeit equipment and continue their jobs from there.
No matter how they start, they more or less have the same goal: infiltrate the network, and compromise data. However, not all rogue devices simply steal data. They can also ‘tweak’ the original data to fit their purposes, leaving it altered, and disrupting anything from personal records to company data, to products in development.
These rogue devices break the security of the network perimeter, and certainly don’t have authorization to enter the network. However, they can easily go unnoticed, because they can imitate the original devices, serve as a replacement for the device, or integrate with the IoT devices already in place.
Easy Ways to Improve Security
While a lot of IoT security does come down to the manufacturer, and the protections they build into their equipment, you can do things to improve security on your own too. Don’t worry, you don’t need to be a developer to do these. In fact, these are easy tips just about anyone can use. While they won’t guarantee a failsafe solution, they do make it harder for others to get access to your network, and your devices.
Take care with sharing information
Whenever you hook up a personal device to any other, you’re taking a risk. Would you choose to save your password information on a public computer? Probably not. Because that’s just asking for someone to steal your information, right? The same goes for connecting bluetooth devices to anything public, or unfamiliar. The fact is, as IoT technology gets more and more advanced, even the smallest devices hold more information than you might think. In short, unless it’s another personal device, or one you can 100% trust, don’t connect your devices to it.
Be smart with smart assistants
Google and Alexa are great for giving you an extra hand. Even the youngest kids learn how to work them, at least in part, by their wake words. What are wake words? They’re the vocal signal you give them, which essentially activates them. For example, “Alexa, what’s the weather today?” Or, “Hey Google, show me casserole recipes.” If you’re standing by your Alexa, but just say ‘what’s the weather today’ nothing happens, because you didn’t use the wake work.
While convenient, it can also pose certain security risks, especially if you have smart assistants connecting to several other smart home devices. For instance, a security system. It isn’t difficult for a home invader to simply use the wake word and turn it off, unless you have other measures in place. For sensitive systems, protect them by requiring a pin, password, or even changing the wake word for your smart assistant.
Use good password practices
As you probably know, you should be using unique passwords that are hard to guess. Don’t use your name, kids’ or pets’ names, phone number, address, date of birth, or anything similar. It isn’t hard for someone to do a quick Google search and find this information out. And it’s one of the easiest ways for someone to gain access to your network, and your data. Whenever possible, also use unique passwords for your different accounts and devices. It might seem like a lot more to remember, but it also goes a long way in preventing data theft.
Plenty of people keep the same passwords for years, or even decades. Yes, it’s easier. However, while it’s easier for you, it’s also easier for hackers. It’s best to change your passwords every six months to maintain optimal security.
Don’t neglect updates
Software updates take time, and they might seem like a burden, but there’s a good reason you keep getting those prompts. When software developers notice security issues, the primary way they fix them is through updates. If you don’t check all your devices regularly, consider enabling automatic updates. While most devices have the option for automatic updates, not all do. If yours doesn’t, make sure you manually check for updates on a regular basis.
Consider separate networks
Most people use their IoT devices on the same wireless network as their smartphones, laptops, and everything else. However, this network accesses your devices that likely contain some of your most sensitive information, like tax records, credit card numbers, and banking information. Securing IoT devices can be more difficult, which can also create vulnerabilities in your network. What many people don’t know is that more often than not, routers can create separate networks. Some people use these as guest networks for when they have visitors. But these separate networks can also serve a greater purpose: connecting your IoT devices to the internet.
Using separate networks creates a sort of barrier between your IoT devices, and your personal devices that contain more personal information.
With the emergence of IoT devices, we now have an opportunity. And a need, to merge the world of IoT technology, with the stringent security protocols we expect from our online activity.