Everything is bigger in the world of connected objects, also known as the Internet of Things. Well, except for the devices themselves. Indeed, these are usually small enough to contain only a few chips. And they’re often hidden from view. However, the sheer magnitude of data and devices in the IoT is a headache for any cyber security professional.
What is the IoT or Internet of Things?
In reality, the definition of the Internet of Things (also called IoT) is not fixed. It covers both conceptual and technical dimensions.
From a conceptual point of view, the Internet of Things characterizes connected physical objects with their own digital identity and capable of communicating with each other. This network creates a bridge between the physical and virtual worlds.
From a technical point of view, the IoT consists of the direct and standardized digital identification (IP address, SMTP, HTTP protocols…) of a physical object through a wireless communication system, which can be based on an RFID chip, Bluetooth or Wi-Fi.
The connected objects produce large quantities of data, the storage and processing of which is part of what is called big data. Big data refers to all digital data produced by the use of new technologies for personal or professional purposes. This includes corporate data such as e-mails, documents, databases, business process histories, etc.
In logistics, connected objects can be sensors used to track goods for inventory management and routing. In the environmental field, they are sensors monitoring air quality, temperature, noise level, building condition, etc. In home automation, IoT covers all communicating household appliances, sensors (thermostat, smoke detectors, presence detectors, etc.), smart meters and security systems connected to home automation box-type devices.
Here are the most significant cyber security threats facing the IoT today.
Exploitable and often hidden potential
Many connected objects are designed for limited tasks, for example temperature detection or motion recording. But they run on microcontrollers and operating systems capable of doing much more in the background without hindering their primary purpose. This is an important opportunity for a cyber-attacker. And it represents a significant risk to the owners and the companies they work for.
It is therefore necessary to involve information security managers in a company’s IoT purchasing process. They must be involved in the same way as for any other technology acquisition. Whether it’s servers and storage racks or drones, cameras and smart lights, they should not be consulted after everything has been determined and purchased. Then it is far too late to act. Information security risk assessment must be carried out systematically upstream of any project.
Terminals that know how to be forgotten
Many connected objects are designed to be forgotten. They have to work for years, often with only a button cell as a power source. They can be built into walls or ceilings. They are also often mounted on factory equipment that is inaccessible to service personnel during maintenance rounds.
This is very practical for what they are intended for. They are expected to be reliable and require little maintenance. But they are a real issue for IT asset management and cyber security strategy. One of the main risk factors is that people forget about them.
To remedy this, create and apply the same type of strict replacement and refresh cycles already used for IT equipment such as data center servers and laptops. Since many IoT devices can be physically hidden for years, this may require more detailed documentation than a replacement plan such as that for traditional smartphones.
Failure to recognize the objectives of an attack on connected objects
A well-thought-out approach to the security of IoT objects would benefit from building on past IoT exposures and exploits. For example, smart cameras and payment card readers have been attacked and used to transmit data to unauthorized users. More recently, embedded systems have been targeted by ransomware programs. These programs have been used to extract payments in exchange for keeping critical systems operational. These systems included medical equipment. But cyber-criminals are now targeting growing categories of connected objects. And they may well be more interested in writing data than reading it in the future.
The imbalance between security and user requirements
Connected objects are generally supposed to work stably. They are expected to be reliable and available 24 hours a day. They are not expected to be regularly maintained and updated. Operational requirements for performance, reliability, resilience and security may be at odds with common practices for cybersecurity and privacy of conventional computer devices.
It’s an elegant way of saying that users will not accept or understand that an IoT device will shut down for 15 minutes to deploy a security patch. And that’s even though they would accept it for a smartphone or laptop. Responding to this would require deploying redundant backup devices, implementing planned maintenance windows or a concerted education campaign that aligns user expectations with security requirements.
Lack of accountability of manufacturers
IoT devices are designed to be easy to use. But this ease of use creates vulnerabilities and therefore creates risks. Good cyber security hygiene is essential in the IoT. And it starts right from implementation. Start by ensuring that the default credentials of the administrator or superuser are quickly changed or disabled. Disabling Universal Plug-and-Play (UPnP) features and blocking traffic on non-essential network ports frequently used for IoT attacks are also basic precautions.
What if you can’t do these things? Then don’t deploy. These devices are not always intrinsically secure. Some don’t even allow you to change the username and password. Most of the biggest vulnerabilities come from the manufacturers themselves.
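The checks above can be expressed as a pre-deployment gate. The following is an added example, not code from the original article: device names, field names and the sample inventory are constructed assumptions, and udp/1900 is the port used by UPnP discovery (SSDP).

```python
# Added example: pre-deployment gate for IoT devices (field names are assumptions).
from dataclasses import dataclass, field

SSDP_PORT = ("udp", 1900)  # UPnP discovery (SSDP) uses UDP port 1900


@dataclass
class Device:
    name: str
    default_creds_active: bool   # factory admin/superuser login still works
    creds_changeable: bool       # vendor allows changing username/password
    upnp_enabled: bool
    open_ports: set = field(default_factory=set)      # {(proto, port)} observed
    required_ports: set = field(default_factory=set)  # {(proto, port)} needed


def gate(dev):
    """Return (decision, findings); decision is DEPLOY, FIX or DO_NOT_DEPLOY."""
    blocking, fixable = [], []
    if dev.default_creds_active:
        if dev.creds_changeable:
            fixable.append("change or disable default admin credentials")
        else:
            # The article's rule: if it cannot be fixed, do not deploy.
            blocking.append("default credentials cannot be changed")
    if dev.upnp_enabled or SSDP_PORT in dev.open_ports:
        fixable.append("disable UPnP and block udp/1900")
    # Anything listening that the device's function does not need.
    for proto, port in sorted(dev.open_ports - dev.required_ports - {SSDP_PORT}):
        fixable.append(f"close or filter non-essential port {proto}/{port}")
    if blocking:
        return "DO_NOT_DEPLOY", blocking + fixable
    return ("FIX", fixable) if fixable else ("DEPLOY", [])


# Constructed sample inventory, not real devices.
INVENTORY = [
    Device("lobby-camera", True, False, True,
           {("tcp", 23), ("tcp", 443), ("udp", 1900)}, {("tcp", 443)}),
    Device("hvac-sensor", True, True, False, {("tcp", 8883)}, {("tcp", 8883)}),
    Device("smart-meter", False, True, False, {("tcp", 443)}, {("tcp", 443)}),
]


def audit(inventory):
    """Map each device name to its gate result."""
    return {d.name: gate(d) for d in inventory}


if __name__ == "__main__":
    for name, (decision, findings) in audit(INVENTORY).items():
        print(f"{name}: {decision}", *findings, sep="\n  - ")
```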
The Insider Threat
Insider risk is often a greater threat than that from the outside. This insider risk may come from employees who deliberately hijack devices for their own purposes. Another form of threat is manipulation by an attacker using phishing or other social engineering methods. The Internet of Things creates new exposure to an old problem. You need to be able to rely on your employees to defend you. You really need to pay attention to who has access to each connected object and what they can do with it.
Phishing education in general, which is usually aimed at avoiding scams through email and social networks, may not be enough. An attacker may attempt to bluff an employee into restarting or updating a device. And that employee may well consider it a reasonable request if the individual works nearby and has a sense of ownership.
Abandoned or unused items
The problem of IoT devices that are not updated, abandoned or simply forgotten has become so serious that hacker activists have actually infected unprotected devices with malware simply to prevent other software from taking control of them. These attacks use unpatched vulnerabilities to sneak in, then fix the vulnerability or shut down network ports to prevent other software from penetrating. So make sure your IoT policy specifically recognizes this risk. It needs to understand the activities of these gray hat hacktivists and take action before cyber criminals can do so.