IoT—the Internet of Things—is all around us, whether we’re aware of it or not. From doorbells to thermostats to kitchen appliances, an ever-growing list of devices is being made “smart” and connected to the internet. The numbers involved are accordingly enormous, with the global IoT market expected to cross $1.5 trillion in revenues by 2029. This transformation has its benefits, increasing convenience for consumers and opening the doors to a host of new applications and features for commonplace products. However, the IoT revolution also has a dark side, with thousands or even millions of insecure devices opening the door to security catastrophes. So what are the network security implications of IoT, and how can they be managed?
Why IoT Network Security is Crucial
Before getting into the nitty-gritty on vulnerabilities and solutions when it comes to IoT and network security, it’s important to take stock of the reasons why IoT network security is so essential in the first place, something that has been recognized in recent years in the unfortunate circumstance of major data breaches and cyberattacks. Here are some famous examples in recent years to outline the scale of the threat:
2010: The Stuxnet malware attack damages Iranian nuclear facilities through faulty instructions to programmable logic controllers, considered one of the first cyberattacks to utilize IoT devices
2013: First IoT botnet discovered, including devices like appliances, baby monitors, and TVs
2015: Researchers conduct cyberattack against a Jeep, gain control of a number of subsystems through in-vehicle connectivity system
2016: Mirai IoT botnet disrupts services of multiple multinational corporations through attack on DNS provider Dyn, resulting in the largest Distributed Denial of Service (DDoS) attack in history
2021: Hack of cloud-hosted surveillance service Verkada results in hackers gaining access to over 150,000 cameras located in schools, factories, office buildings, hospitals, and other enterprise locations
And the threat hasn’t stopped growing since these incidents. The emergence of IoT botnets-for-hire has emerged as a particularly serious issue, with cybercriminals on the dark web advertising their networks for use in on-demand DDoS attacks. Given this threat landscape, it is more essential than ever to understand the vulnerabilities facing IoT devices, and what can be done about them.
How IoT Creates Network Security Vulnerabilities
IoT’s implications for network security arise out of several key elements that are core to how IoT devices function. In particular, most IoT devices combine low power consumption for their processing capabilities with wireless network communication. This combination is what enables sensing, processing and communication capabilities to be present within previously “dumb” devices, but at the same time opens these devices up to potential security risks that may be easier to deal with or not present at all in higher-powered devices. These security challenges include the following:
- Software and Firmware Update Limitations
One of the biggest security implications of IoT has to do with what happens well after the devices themselves have been manufactured and shipped. Many IoT devices, especially simpler ones, sacrifice processing speed for power efficiency and cost savings, which creates a problem down the line: updating device software and firmware. Both network bandwidth and device processing limitations may mean that updating software and device firmware is slower and more difficult, or even impossible, as compared to traditional internet-connected devices. Therefore, when updates are needed to patch vulnerabilities, end users are less likely to go through the hassle of physically accessing and connecting devices to update them, opening the door to vulnerabilities being exploited.
- Password and Authentication Weaknesses
Another key security risk for IoT devices lies with the design choices made by developers, and how users respond to them. How developers establish password and authentication systems for their devices and platforms has a big impact on security. In many cases, IoT devices lack any sort of authentication at all, which is a huge problem for obvious reasons, turning the device into a potential trojan horse into the network.
Another case is the use of default passwords, which are often simple as they are meant to be temporary. However, the user failing to replace the default password, for whatever reason, can easily turn this seemingly innocuous design choice into a major vulnerability. Even when users do replace the default password, insufficiently secure replacements may leave the door open to exploitation.
- Lack of Standardization
Another challenge for IoT security is the lack of standardization between manufacturers, and often even between product lines from the same manufacturer. This applies to consistent standards across functional areas, including security standards, meaning that there are widely varying levels of vulnerability across IoT devices. Several standards have been proposed and established that may help to rectify this problem in the future, including Matter, Thread, and Z-Wave, but adoption is far from universal.
- Lack of Encryption
Exactly how widely various security measures are being implemented in the IoT landscape is often hard to gauge, but the information out there isn’t promising: encryption in particular is a glaring weakness when it comes to IoT security, with a 2019 report from ZScaler finding that 40% of IoT devices entirely lack traffic encryption, and over 90% of data transactions being unencrypted. These numbers have probably declined over the last 5 years, but lack of encryption remains a glaring risk factor for IoT security, especially because the fix is fairly simple.
- Physical Access Risk
Due to the nature of IoT devices, the challenge of physically protecting devices from intrusion presents significant risk. Taking measures to truly protect physical access may be infeasible for many devices, making monitoring the best solution, which is often lacking due to being overlooked or budgetary or other constraints.
These various risk factors are hardly the only challenges to IoT network security, but they are amongst the most threatening. Given these threats, however, the question must be asked, how can developers and product designers mitigate these risks and maximize the security profile of their devices?
Solutions to Secure IoT Devices
Specific solutions will depend on the particular product category and use case, but there are a few different things to keep in mind that will apply universally to IoT products. Consider the following (non-exhaustive) list:
- Design with Security in Mind
Arguably the most important practice is to maintain a focus on IoT security throughout the design process. While seemingly obvious, overlooking security may lead to potentially easily fixed security vulnerabilities being overlooked, like implementing TLS encryption. Developing and designing with security in mind can help ensure vulnerabilities are tackled early on instead of emerging later in the product life cycle. In practice, this can include being aware of the intended use cases of your devices and limiting access and functionality to suit those use cases, rather than over-engineering (and creating vulnerabilities as a result).
- Maintain OTA Update Capability
No matter how well designed a device or piece of software is at inception, over time flaws inevitably creep up, and nowhere is this truer than in the security realm, where new vulnerabilities are always being uncovered. Therefore, maintaining the ability to deliver security fixes through software updates is essential to protecting IoT devices, even if it comes at the expense of other functionality or increases costs.
- Incorporating Standard Security Practices
Oftentimes, going back to the basics can be a fruitful effort, and that’s the case for IoT as well. That can mean applying common security tools and practices from other domains to IoT design and development. This includes encryption, as discussed earlier, but also other tools such as firewalls (though the use of network rather than device level firewalls may be more appropriate in many cases), VPNs, and various security techniques for devices that make use of SIMs for connectivity. Other key tools to keep in mind include Network Access Control (NAC), segmentation, security gateways, multi-factor authentication, and zero trust network architecture (ZTNA).
- Select Vendors Wisely
Even if you have your own house in order, third party vendors and services can remain a weak point. Choosing vendors and services wisely, especially when it comes to security vendors, can minimize the risk that is outside of your direct control.
Conclusion
Given the vast scope of different applications that come with IoT—ranging from smart homes and wearable devices to industrial control systems and connected vehicles—and the myriad opportunities for exploitation, securing IoT devices and networks can be a daunting challenge. However, by understanding the potential attack vectors and ways to respond to and secure against them—including designing with security in mind from the outset, incorporating features such as encryption, authentication, secure boot processes, and regular software updates—this challenge can be turned into a manageable problem to be tackled by effective design and development work.
