IoT security challenges

IoT security is the technology area concerned with safeguarding connected devices and networks in the internet of things (IoT).

IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. Each “thing” is provided a unique identifier and the ability to automatically transfer data over a network. Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected.

IoT security has become the subject of scrutiny after a number of high-profile incidents where a common IoT device was used to infiltrate and attack the larger network. Implementing security measures is critical to ensuring the safety of networks with IoT devices connected to them.

IoT security challenges

A number of challenges stand in the way of securing IoT devices and ensuring end-to-end security in an IoT environment. Because the idea of networking appliances and other objects is relatively new, security has not always been considered a top priority during a product’s design phase. Additionally, because IoT is a nascent market, many product designers and manufacturers are more interested in getting their products to market quickly than in taking the necessary steps to build security in from the start.

A major issue cited with IoT security is the use of hardcoded or default passwords, which can lead to security breaches. Even if passwords are changed, they are often not strong enough to prevent infiltration.

Another common issue facing IoT devices is that they are often resource-constrained and do not contain the compute resources necessary to implement strong security. As such, many devices do not or cannot offer advanced security features. For example, sensors that monitor humidity or temperature cannot handle advanced encryption or other security measures. Plus, as many IoT devices are “set it and forget it” — placed in the field or on a machine and left until end of life — they hardly ever receive security updates or patches. From a manufacturer’s viewpoint, building security in from the start can be costly, slow down development and cause the device not to function as it should.

Connecting legacy assets not inherently designed for IoT connectivity is another security challenge. Replacing legacy infrastructure with connected technology is cost-prohibitive, so many assets will be retrofitted with smart sensors. However, because these legacy assets have likely not been updated or ever had security against modern threats, the attack surface is expanded.

In terms of updates, many systems only include support for a set timeframe. For legacy and new assets, security can lapse if extra support is not added. And as many IoT devices stay in the network for many years, adding security can be challenging.

IoT security is also plagued by a lack of industry-accepted standards. While many IoT security frameworks exist, there is no single agreed-upon framework. Large companies and industry organizations may have their own specific standards, while certain segments, such as industrial IoT, have proprietary, incompatible standards from industry leaders. The variety of these standards makes it difficult to not only secure systems, but also ensure interoperability between them.

The convergence of IT and operational technology (OT) networks has created a number of challenges for security teams, especially those tasked with protecting systems and ensuring end-to-end security in areas outside their realm of expertise. A learning curve is involved, and IT teams with the proper skill sets should be put in charge of IoT security.

IoT security

Organizations must learn to view security as a shared issue, from manufacturer to service provider to end user. Manufacturers and service providers should prioritize the security and privacy of their products, and also provide encryption and authorization by default, for example. But the onus does not end there; end users must be sure to take their own precautions, including changing passwords, installing patches when available and using security software.

Notable IoT security breaches and IoT hacks

Since the IoT concept first originated in the late 1990s, security experts have warned of the potential risk of large numbers of unsecured devices connected to the internet. A number of attacks have subsequently made headlines, from refrigerators and TVs being used to send spam to hackers infiltrating baby monitors and talking to children. It is important to note that many of the IoT hacks don’t target the devices themselves, but rather use IoT devices as an entry point into the larger network.

In 2010, for example, researchers revealed that the Stuxnet virus was used to physically damage Iranian centrifuges, with attacks starting in 2006 but the primary attack occurring in 2009. Often considered one of the earliest examples of an IoT attack, Stuxnet targets supervisory control and data acquisition (SCADA) systems in industrial control systems (ICS), using malware to infect instructions sent by programmable logic controllers (PLCs).

Attacks on industrial networks have only continued, with malware such as CrashOverride/Industroyer, Triton and VPNFilter targeting vulnerable OT and industrial IoT systems.

In December 2013, a researcher at enterprise security firm Proofpoint Inc. discovered the first IoT botnet. According to the researcher, more than 25% of the botnet was made up of devices other than computers, including smart TVs, baby monitors and household appliances.

In 2015, security researchers Charlie Miller and Chris Valasek executed a wireless hack on a Jeep, changing the radio station on the car’s media center, turning its windshield wipers and air conditioner on, and stopping the accelerator from working. They said they could also kill the engine, engage the brakes and disable the brakes altogether. Miller and Valasek were able to infiltrate the car’s network through Chrysler’s in-vehicle connectivity system, Uconnect.

Mirai, one of the largest IoT botnets to date, first attacked journalist Brian Krebs’ website and French web host OVH in September 2016; the attacks clocked in at 630 gigabits per second (Gbps) and 1.1 terabits per second (Tbps), respectively. The following month, domain name system (DNS) service provider Dyn’s network was targeted, making a number of websites, including Amazon, Netflix, Twitter and The New York Times, unavailable for hours. The attacks infiltrated the network through consumer IoT devices, including IP cameras and routers.

A number of Mirai variants have since emerged, including Hajime, Hide ‘N Seek, Masuta, PureMasuta, Wicked botnet and Okiru, among others.

In a January 2017 notice, the Food and Drug Administration (FDA) warned that the embedded systems in radio frequency-enabled St. Jude Medical implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices, could be vulnerable to security intrusions and attacks.