If you have a car with a tire pressure sensor, a heart monitor implant, smart lighting, or cleaning robots, provided that these devices are connected to the internet, it’s safe to say that you have a device that is part of the internet of things (IoT). The internet of things is a system of interrelated and interconnected devices with the ability to communicate, connect, and transfer data over a network without human interaction. There are 24 billion active IoT devices today, with plenty more billions projected to come online soon.
At least conceptually, the internet of things, or more specifically interconnected devices, has been around for a long time. In manufacturing, supply chain management, and utility industries, interconnected devices were already integral to their business processes. IoT exposes companies, organizations, and individuals to greater attack surfaces while being critical to modern industry and service delivery. Simply put, by having a greater and greater reliance on devices connected to the internet, our homes, production processes, and facilities are more vulnerable to malicious actors than ever before. We might love IoT, but cybercriminals love them more.
The most common mistakes present in the IoT that open individuals or organizations to attack are inadequate default settings, non-existent upgrade paths, and the use of inappropriate technology. Specific IoT devices may have default passwords and security settings that are inadequate in their level of encryption, or sometimes, cannot be changed. Non-existent upgrade paths result from firmware being impossible to update, thus making the device permanently toxic to the entire network. Inappropriate technology and insufficient controls can result from bad choices in terms of software where a device doesn’t necessarily need the permissions or the full operating system but is given such thus making it a very powerful tool in the hands of malicious actors.
Left unchecked, these vulnerabilities can result in denial-of-service attacks, malware, passive wiretapping, structured query language injection, wardriving, and zero-day exploits. All these attacks can paralyze entire companies and organizations and have ramifications for the whole supply chain, not to mention massive privacy implications for personal devices and networks.
On their own, companies and individuals can develop habits to make them less vulnerable to attacks. The first is to compartmentalize IoT devices in separate networks when possible, scan and test software, and firmware for vulnerabilities, update accordingly, use strong firewalls, secure routers and WIFI, and use multilayered protection, including antivirus. Next would be to monitor and research threats, best practices, and frameworks for a given setup or industry, and audit and share analytics when possible.
More has to be done; however, public policy must catch up with the times, and regulators must implement basic policy to ensure that IoT devices coming to market could be reasonably expected to conform to basic cybersecurity principles. One example is the US National Institute of Standards and Technology’s “Foundational Cybersecurity Activities for IoT Device Manufacturers,” setting basic standards for the industry. While no measure is perfect in securing any network, organizations that rely on IoT for their production processes must also invest in active efforts and expertise to ensure that their systems are up to the task. LZ Cybersecurity offers certified experts to ensure that everything is up and running and that your data and proprietary information are safe.
Abomhara, M. & Køien, G., 2015. Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks. Journal of Cyber Security and Mobility, 4(1), pp. 65-88.