The scope and danger of unsecured, Internet-connected hardware will only continue to deepen.
Rapid changes in how Internet of Things (IoT) devices around us interact with each other have created a landscape defined by unprecedented security vulnerabilities. Here are the three main security concerns with these devices and some possible fixes.
In December 2020, Forescout identified 33 vulnerabilities impacting four open source TCP/IP stacks. These are used by millions of devices around the world. They allow attackers to target a smart home or an automated industrial environment and use nearly any device as an entry point into the network.
According to IBM, the average cost of a data breach is just under $4 million, and it takes organizations an average of 280 days to identify and contain a breach. Meanwhile, the destructive potential of botnets has grown over the past few years. They propagate malware, mount distributed denial-of-service (DDoS) attacks, and spread disinformation on social media.
Problem 1: Unsecured API Connections
Application programming interfaces (APIs) are widely used by devices to communicate with one another but are rarely built with robust security. For instance, when a data analyst directly accesses a database, most security systems will log that user's name and role. But an external user may not have to offer those credentials. So two log entries might look like this:
● John_Smith: Data Analyst – 172.20.118.97
● App_User: Service Account – 172.20.0.159
Only one of these gives you useful information about the user's identity. If your smart devices and IoT equipment don't collect useful data, you lack edge-to-end network visibility.
Cybercriminals scour the Internet for exposed API tokens. It's one of the easiest ways to quickly create and leverage an enormous botnet made up of zombie IoT devices.
How to Solve API Connection Issues
Security engineers and enterprise IT teams should treat apps and APIs like data gateways. This means reviewing API connections to make security-oriented changes.
If an IoT device has any external connection capacity, it should be configured to securely categorize incoming user requests and block unauthorized ones. Developers need to inform security professionals about "shadow APIs" that might go unnoticed. Teams must work together to identify deprecated and outdated APIs.
Restricting and monitoring API access is arguably important. Use of the OAuth industry standard is an ideal approach. It includes a Device Grant Type parameter that accommodates devices with limited input capabilities, like most IoT devices.
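The device side of the OAuth device grant mentioned above (the Device Authorization Grant, RFC 8628), as an added example that is not from the original article: the device polls the token endpoint, backs off on `slow_down`, and stops on denial or expiry. The token endpoint is simulated in-process by the hypothetical `scriptedServer`, and every code and token shown is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// tokenEndpoint stands in for the authorization server's token endpoint:
// it returns an access token, or an RFC 8628 error code and no token.
type tokenEndpoint func(deviceCode string) (token, errCode string)

// pollForToken is the device side of the grant. interval and expiresIn are in
// seconds, as in the server's response; sleep is injectable so the demo is instant.
func pollForToken(ep tokenEndpoint, deviceCode string, interval, expiresIn int,
	sleep func(seconds int)) (string, int, error) {
	for waited := 0; waited < expiresIn; {
		sleep(interval)
		waited += interval
		token, code := ep(deviceCode)
		switch code {
		case "":
			return token, interval, nil
		case "authorization_pending": // user has not approved yet: keep polling
		case "slow_down":
			interval += 5 // RFC 8628: add 5 seconds to the polling interval
		default: // access_denied, expired_token or unknown: stop polling
			return "", interval, errors.New(code)
		}
	}
	return "", interval, errors.New("expired_token") // device_code lifetime is over
}

// scriptedServer replays constructed responses; "ok" means the user approved.
func scriptedServer(responses ...string) tokenEndpoint {
	return func(string) (string, string) {
		r := responses[0]
		if len(responses) > 1 {
			responses = responses[1:] // the last response repeats forever
		}
		if r == "ok" {
			return "constructed-access-token", ""
		}
		return "", r
	}
}

func main() {
	ep := scriptedServer("authorization_pending", "slow_down", "ok")
	fmt.Println(pollForToken(ep, "constructed-device-code", 5, 600, func(int) {}))
}
```

On a real device the `sleep` argument would wrap `time.Sleep`, and the user approves the request on a second device such as a phone or laptop, so the IoT device itself never handles a password.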
Problem 2: Obsolete Firmware Updating Mechanisms
IoT gives attackers the ability to compromise a single device and then move laterally through an entire network. These devices typically receive firmware updates wirelessly, making them more compelling and easier targets.
But it isn't just mass-produced consumer hardware that is at risk. Infrastructural and heavy industrial tools are also subject to malicious firmware. The 2015 cyberattack on a major Ukrainian power station involved malicious firmware.
If IoT devices continue to proliferate, new security measures will need to be taken to secure them from malicious firmware updates. These types of attacks will become increasingly frequent as everyone continues to invest in remotely managed tools that handle their own firmware updates.
How to Solve Firmware Security Holes
Anyone who wants to secure IoT firmware updates immediately runs into a fundamental challenge. How do you protect a device that doesn't have user/password credentials?
One can use a secure cryptoprocessor designed solely for user authentication. It uses a public-private key framework to authenticate incoming requests, including firmware updates.
Government agencies, enterprise organizations, and manufacturers can set conditions. Such large organizations have the power to dictate what devices they do and do not use. They can even modify consumer retail devices to suit security needs.
Furthermore, enterprises command the resources to develop and deploy secure IoT frameworks that can self-authenticate without revealing internal data. There are available frameworks to make authentication and secure updates possible with less cost.
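The public-private key check on firmware updates described above, as an added example that is not from the original article: the device holds only the vendor's public key and rejects any image whose signature does not verify. It goes one step beyond the text by also binding a version counter into the signed data so that an older, validly signed image cannot be replayed. The `Update` layout, the function names and the sample image are assumptions made for this example, and the key is generated in software here rather than held in a cryptoprocessor.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical package layout: version, image, Ed25519 signature.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// signedBytes binds the version to the image so neither can be swapped alone.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// Sign is the vendor side; the private key stays in the build system.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedBytes(version, image))}
}

// Verify is the device side: public key only; rejects altered or non-newer images.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Sig) {
		return errors.New("bad signature")
	}
	if u.Version <= installed {
		return errors.New("rollback rejected")
	}
	return nil
}

func demo() (genuine, rollback, tampered error) { // three constructed cases
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair for the demo
	u := Sign(priv, 7, []byte("constructed firmware image"))
	genuine = Verify(pub, 6, u)  // device runs version 6, update is version 7
	rollback = Verify(pub, 7, u) // device already runs version 7
	u.Image[0] ^= 0xff           // one byte altered in transit
	tampered = Verify(pub, 6, u)
	return
}

func main() { fmt.Println(demo()) }
```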
Problem 3: Insufficient Privacy Protection
Privacy protection and compliance are quickly becoming the norm for jurisdictions around the world. Europe has GDPR. California has CCPA. These regulations have changed the way consumer-facing tech companies operate in fundamental ways.
Data maintenance analysts must report breaches to supervisors, and affected individuals must be informed. It's easy to see how this works on a social media platform, but how would it work in a hospital? Unlike other devices, security breaches associated with medical IoT devices can have immediate life-or-death consequences.
In the US, HIPAA and HITECH regulate the way healthcare data is used. But these rules only apply to devices and companies that work with official healthcare entities, and not consumer devices.
Enterprises and industrial organizations run into similar problems when developing IoT systems. Devices on a network contain sensitive data about employees. This data needs to be protected. Not doing so increases the risk of identity theft and financial fraud.
How to Solve Data Privacy Issues
When it comes to personally identifiable data, the bottom line is to secure it according to industry-standard regulations. This holds even if regulators don't require your company to maintain HIPAA compliance.
Solving this problem requires a cultural shift in attitude toward the inherent value of user privacy. Not everyone likes sharing tracking data with social media giants. Not every employee wants their productivity scores shared, either.
Organizations that have a robust cybersecurity policy in place will be better positioned to respond to personal security concerns. There are few organizations that uphold stringent data privacy standards. Even fewer place an inherent value on user privacy independent of its ROI. Those that do might become the trendsetters of tomorrow’s IoT security landscape.
Start Thinking Beyond Today's Threats
We live in an era when mobile phones, washing machines, home thermostats, and even solar panels can be press-ganged into botnet service. They can be used to perform devastating DDoS attacks on any organization in the world.
As medical IoT devices become a reality, the scope and danger of unsecured, Internet-connected hardware only deepens. There are plenty of devices that require security experts now. Future devices, like medical IoT, also require those experts to start thinking about tomorrow's threats today.