As many as 92% of industrial establishments had adopted IoT in some form by the end of 2019. There will be 80 billion IoT-enabled devices by 2025. But the rapid growth of IoT surfaces some unique security challenges.
IoT faces major security challenges in physical security, network issues and software vulnerabilities.
Easy Physical Access
The spread-out nature of IoT networks makes them vulnerable to physical attacks. It is easy to secure data centres, routers, and switches in the secure facilities of conventional IT. But the critical assets of most IoT ecosystems are spread out across a wide geographical area.
A smart city ecosystem includes traffic cameras, parking meters, noise sensors, and other devices. An enterprising hacker, dressed in a hard hat and hazard vest, may fool anyone as he works on a parking meter. Video surveillance to detect such threats could itself become the target of attackers!
The sheer diversity of the devices makes a uniform security approach difficult. The approach to secure a connected car differs from securing swarms of small solar-powered sensors on a farm field.
The recent demonstration by two white hat hackers of how to hack a Jeep Cherokee makes the threat explicit. The hackers accessed the firmware of the Jeep’s Uconnect dashboard system, rewrote it, and reached the rest of the controls through the CAN bus.
The IoT Security Foundation recommends:
- disabling all non-essential ports on an external device
- using tamper-proof circuit boards
- embedding entire circuits in resin
The Menace of Hidden Devices on the Network
Device discovery is basic to securing the IoT network. For all the focus on securing networks, many enterprises are not even aware of all the devices on their network.
IoT is an operational technology rather than a technology administered by the IT staff. Line-of-business personnel sometimes connect devices to the network without telling IT. The security implications of such actions may doom the network.
In an ideal world, the IT team works with the operational team and provisions for all connected devices. Reality often falls short of this ideal because of practical and business exigencies. A harried sales executive, in a hurry to close the sale, may have no time to inform and gain the approval of the IT team.
- Deploy network scanners to discover connected devices. A good scanner adopts network traffic analysis, device profiles, and whitelists to make sure no device slips through the net.
- Have a whitelist of devices. Disable access to all unknown devices.
- Restrict network connectivity through a router. Connect the whitelisted router to a secure VPN service.
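An added example (not from the original article) of the whitelist (allowlist) check described above: it parses neighbour-table text in the format printed by ip neigh show and reports devices that are not on the list, listed devices seen on an unexpected address, and listed devices that were not seen. The addresses, device names and the allowlist structure are constructed for illustration.

```python
import re

# Constructed sample in the format of `ip neigh show` (not from a real network).
SAMPLE_NEIGH = """\
10.20.0.11 dev eth0 lladdr 00:11:22:AA:BB:01 REACHABLE
10.20.0.12 dev eth0 lladdr 00-11-22-aa-bb-02 STALE
10.20.0.57 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
10.20.0.80 dev eth0 lladdr 00:11:22:aa:bb:03 DELAY
10.20.0.90 dev eth0 FAILED
"""

# Hypothetical allowlist: MAC -> device profile (name and provisioned IP).
ALLOWLIST = {
    "00:11:22:aa:bb:01": {"name": "parking-meter-01", "ip": "10.20.0.11"},
    "00:11:22:aa:bb:02": {"name": "noise-sensor-07", "ip": "10.20.0.12"},
    "00:11:22:aa:bb:03": {"name": "traffic-cam-03", "ip": "10.20.0.13"},
    "00:11:22:aa:bb:04": {"name": "traffic-cam-04", "ip": "10.20.0.14"},
}

# Entries without a link-layer address (e.g. FAILED) do not match and are skipped.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)")

def normalize_mac(mac):
    """Return the lower-case, colon-separated form so that a different
    separator or letter case cannot cause a false 'unknown' or a missed match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(neigh_output, allowlist):
    """Compare observed neighbours with the allowlist and return the findings."""
    findings = {"unknown": [], "profile_mismatch": [], "missing": []}
    seen = set()
    for line in neigh_output.splitlines():
        match = NEIGH_RE.match(line)
        if not match:
            continue
        ip, mac = match.group(1), normalize_mac(match.group(2))
        seen.add(mac)
        profile = allowlist.get(mac)
        if profile is None:
            findings["unknown"].append((mac, ip))           # candidate for blocking
        elif profile["ip"] != ip:
            findings["profile_mismatch"].append((profile["name"], ip))
    findings["missing"] = sorted(
        p["name"] for mac, p in allowlist.items() if mac not in seen)
    return findings

if __name__ == "__main__":
    print(reconcile(SAMPLE_NEIGH, ALLOWLIST))
```

A MAC address can be cloned, so this is inventory reconciliation rather than device authentication; the mismatch and missing lists are the places to look when a listed device behaves unexpectedly.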
The Importance of Software Patching
Most enterprises understand the importance of patch updates. Regular patch updates keep hackers from exploiting a software vulnerability. But many IoT sensors, unlike conventional devices, do not have built-in computing ability.
In a daring attack on a US casino in 2017, hackers exploited a trivial vulnerability in the smart thermometer to gain access to the network. The hackers left the main servers alone. Rather, they exploited a vulnerability in the IoT temperature sensors of the casino’s fish tank. The temperature sensors connected to the central system in place to monitor the casino. The hackers gained access to the servers, retrieved data on high-paying customers, and extracted it to the cloud.
In another major breach involving IoT, the Mirai malware used common usernames and passwords to gain access to IoT devices. The malware used default access credentials “admin” and “password” to install itself on thousands of IP cameras and monitors. Once installed, it commandeered the IoT device into a bot.
Select the right hardware. Opt for patchable hardware even if it costs more. The fines and damages of a network breach can ruin the company.
Patching may require extracting the firmware and updating it. When doing so:
- Check connections over local and external networks for possible man-in-the-middle attacks. Analyse the communication protocol.
- Check the web interface for an encrypted connection (HTTPS) and common web application exploits.
- Update the device’s firmware regularly. While updating the firmware, do not forget to analyse the device itself as a physical entity. Check if hackers can interact with the embedded board.
Adopting the Security-by-Design UK-Singapore IoT Statement improves the security of smart IoT products. The statement has recommendations such as:
- discontinuing the use of universal default passwords,
- making vulnerability disclosure processes the norm across the IoT industry,
- deploying software security updates for the entire lifetime of IoT products, and more.
Effective IoT security requires talent competent in micro-controllers, wireless communication, and reverse-engineering firmware. Such staff also need skills in detecting web application vulnerabilities and exploiting binary vulnerabilities.
Today, one in two enterprises cannot detect breaches on their IoT devices. Almost two out of every three enterprises believe their IoT security needs improvement.
It is high time enterprises made IoT an integral part of their cybersecurity program. Conduct thorough end-to-end cybersecurity risk assessments that include IoT devices. The conventional approach of ‘connect it first, secure it later’ is not workable for IoT. IoT requires a proactive approach with a focus on pre-empting threats.