Digital Security Expert Group
Previously, smart devices (IoT) attracted only technology fans, but now they are increasingly becoming an integral part of everyday life. Smart devices are increasingly making their way into our homes and helping us monitor and manage various aspects of life, such as lighting, heating, security, and entertainment. Thanks to smart devices, we can use our resources more efficiently and save time.
For organizations, introduction to the use of the Internet of Things has grown from a concept to a priority in recent years. As companies integrate IoT devices into their network infrastructures, they are looking for new ways to use and manage the collected data.
According to IoT Analytics, by the end of 2022, more than 14.4 billion devices powered by Internet of Things (IoT) technologies were connected worldwide, with an average annual increase in subscribers to IoT networks of 18%.
In this article, we will explain what IoT is and consider the main security risks of IoT devices with expert forecasts.
The Internet of Things (IoT) is a concept that represents a system for remote interaction of physical objects with each other and/or with the external environment. Data exchange between devices takes place in real time and without direct human intervention.
IoT includes a growing number of technological products, from wearable devices (watches and smartphones) to larger ones (robot vacuum cleaners, coffee makers, refrigerators, and even cars).
Applications of IoT technology cover a wide range of fields, including medicine, automotive, home appliances, heavy industry, mining, transportation, and environmental surveillance.
Because IoT-enabled devices can connect to a wider network, they can achieve extensive functionality. However, this poses a completely new challenge: protecting all of this data. An IoT connection — if not properly secured — can have dire consequences.
Palo Alto Networks staggering statistics also confirm the existing problems – only 98% of all IoT device traffic is unencrypted, revealing personal and confidential data on the internal network.
Digital Security experts conducted a study where they reviewed 100 different cases of hacking IoT devices (from a smart alarm clock to an electric car). Experts came to the conclusion that more than 60% of devices have a high and medium risk of hacking. This means that most of the devices were not serviced properly, remained with uncorrected security errors, and worked with outdated firmware.
Consider common IoT security issues.
One of the biggest risks associated with IoT is an unsecured data link. During an attack, when information is transmitted between two nodes over the network, an attacker can intercept, listen to, and replace the transmitted information. Thus, by decrypting traffic, threat actors can gain access to confidential information, including network configuration data.
According to 2020 data, 95% of medical networks integrated Amazon Alexa and Echo devices with hospital surveillance equipment. Voice assistants can unknowingly eavesdrop and record conversations and can put an organization at risk of HIPAA violations. 20% had PCI DSS violations when IoT devices with credit card information were on the same subnet or VLAN as a tablet, printer, copier, or security camera.
Medical devices are most vulnerable to attacks. An attacker can become the owner of only one simple device, such as a blood pressure monitor. Getting access to a single device gives you access to the entire network of devices and equipment: from wireless glucose meters that send data to the organization's unified medical system, to MRI scans and surgical robots.
A tip from Digital Security experts: Use data encryption during transmission whenever possible. If you can't encrypt data during transmission, try isolating the network where the device is located. Network segmentation helps reduce the attack vector associated with the device.
After any device is released, the manufacturer must provide updates to address new security risks. However, many manufacturers "support" their devices for a short 1-2 years, and some even stop releasing updates after the release. This makes IoT devices vulnerable to attacks.
Another danger is outdated devices. Some businesses with specific production may have equipment older than 10 years with components that are difficult to replace. From a security perspective, companies should plan for the end of the life of their assets. It is extremely important to make sure that your hardware vendors provide security updates and bug fixes, as well as support your devices.
According to Kaspersky, two-thirds of healthcare organizations use medical equipment with an outdated operating system. For example, Windows XP or MS-DOS increase the percentage of security breaches several times. And Linux with older versions of the kernel is, as a rule, a vector for lifting privileges, i.e. a complete capture of the device.
Advice from Digital Security experts: To protect yourself, businesses should only use devices from trusted manufacturers with good experience in supporting devices and releasing timely security updates. To mitigate risks, it is important that the enterprise vulnerability management system is capable of scanning IoT devices. If you don't have the ability to install a patch, then at least you will know the potential vulnerabilities associated with the device. Then you can take other actions to protect yourself.
It is also useful to take care of the ability to organize and remotely manage the "circus" of IoT devices. that is, monitor updates, install these updates, and respond quickly if devices are attacked.
You should also take into account the duration of hardware support. Make sure that it comes with the ability to update configurations and security patches.
You also need to update the software to avoid security breaches. Make sure that you regularly install patches that fix bugs, and add additional layers of security if possible.
Many IoT devices come with passwords that cannot be changed. As a result, all devices in the same line have the same password.
In January 2020, a list of Telnet credentials for more than 500,000 servers, routers, and IoT devices was published. The password dump was obtained by using the factory default settings for user credentials and simply guessing passwords. This is the biggest Telnet password leak known to date.
Weak authentication can also be a problem, because the device does not take adequate measures to verify users. This can allow external attackers and insiders to gain access to IoT endpoints and systems.
A tip from Digital Security experts: Organizations need to use password management solutions and discover new IoT devices as they are added to the network. It is also better to plan the protection of all endpoints from scratch. Opt out of devices with pre-installed passwords that can't be changed. Make sure that users set strong passwords, limiting the creation of weak ones on the technical side. Another working solution is to add multi-factor authentication.
Previously, smart devices (IoT) attracted only technology fans, but now they are increasingly becoming an integral part of everyday life. Smart devices are increasingly making their way into our homes and helping us monitor and manage various aspects of life, such as lighting, heating, security, and entertainment. Thanks to smart devices, we can use our resources more efficiently and save time.
For organizations, introduction to the use of the Internet of Things has grown from a concept to a priority in recent years. As companies integrate IoT devices into their network infrastructures, they are looking for new ways to use and manage the collected data.
According to IoT Analytics, by the end of 2022, more than 14.4 billion devices powered by Internet of Things (IoT) technologies were connected worldwide, with an average annual increase in subscribers to IoT networks of 18%.
In this article, we will explain what IoT is and consider the main security risks of IoT devices with expert forecasts.
What is IoT and where is it used?
The Internet of Things (IoT) is a concept that represents a system for remote interaction of physical objects with each other and/or with the external environment. Data exchange between devices takes place in real time and without direct human intervention.
IoT includes a growing number of technological products, from wearable devices (watches and smartphones) to larger ones (robot vacuum cleaners, coffee makers, refrigerators, and even cars).
Applications of IoT technology cover a wide range of fields, including medicine, automotive, home appliances, heavy industry, mining, transportation, and environmental surveillance.
Key IoT security risks and vulnerabilities
Because IoT-enabled devices can connect to a wider network, they can achieve extensive functionality. However, this poses a completely new challenge: protecting all of this data. An IoT connection — if not properly secured — can have dire consequences.
Palo Alto Networks staggering statistics also confirm the existing problems – only 98% of all IoT device traffic is unencrypted, revealing personal and confidential data on the internal network.
Digital Security experts conducted a study where they reviewed 100 different cases of hacking IoT devices (from a smart alarm clock to an electric car). Experts came to the conclusion that more than 60% of devices have a high and medium risk of hacking. This means that most of the devices were not serviced properly, remained with uncorrected security errors, and worked with outdated firmware.
Consider common IoT security issues.
1. Unsecured data transmission channels
One of the biggest risks associated with IoT is an unsecured data link. During an attack, when information is transmitted between two nodes over the network, an attacker can intercept, listen to, and replace the transmitted information. Thus, by decrypting traffic, threat actors can gain access to confidential information, including network configuration data.
According to 2020 data, 95% of medical networks integrated Amazon Alexa and Echo devices with hospital surveillance equipment. Voice assistants can unknowingly eavesdrop and record conversations and can put an organization at risk of HIPAA violations. 20% had PCI DSS violations when IoT devices with credit card information were on the same subnet or VLAN as a tablet, printer, copier, or security camera.
Medical devices are most vulnerable to attacks. An attacker can become the owner of only one simple device, such as a blood pressure monitor. Getting access to a single device gives you access to the entire network of devices and equipment: from wireless glucose meters that send data to the organization's unified medical system, to MRI scans and surgical robots.
A tip from Digital Security experts: Use data encryption during transmission whenever possible. If you can't encrypt data during transmission, try isolating the network where the device is located. Network segmentation helps reduce the attack vector associated with the device.
2. Lack of security updates and outdated hardware
After any device is released, the manufacturer must provide updates to address new security risks. However, many manufacturers "support" their devices for a short 1-2 years, and some even stop releasing updates after the release. This makes IoT devices vulnerable to attacks.
Another danger is outdated devices. Some businesses with specific production may have equipment older than 10 years with components that are difficult to replace. From a security perspective, companies should plan for the end of the life of their assets. It is extremely important to make sure that your hardware vendors provide security updates and bug fixes, as well as support your devices.
According to Kaspersky, two-thirds of healthcare organizations use medical equipment with an outdated operating system. For example, Windows XP or MS-DOS increase the percentage of security breaches several times. And Linux with older versions of the kernel is, as a rule, a vector for lifting privileges, i.e. a complete capture of the device.
Advice from Digital Security experts: To protect yourself, businesses should only use devices from trusted manufacturers with good experience in supporting devices and releasing timely security updates. To mitigate risks, it is important that the enterprise vulnerability management system is capable of scanning IoT devices. If you don't have the ability to install a patch, then at least you will know the potential vulnerabilities associated with the device. Then you can take other actions to protect yourself.
It is also useful to take care of the ability to organize and remotely manage the "circus" of IoT devices. that is, monitor updates, install these updates, and respond quickly if devices are attacked.
You should also take into account the duration of hardware support. Make sure that it comes with the ability to update configurations and security patches.
You also need to update the software to avoid security breaches. Make sure that you regularly install patches that fix bugs, and add additional layers of security if possible.
3. Weak authentication and weak password policies
Many IoT devices come with passwords that cannot be changed. As a result, all devices in the same line have the same password.
In January 2020, a list of Telnet credentials for more than 500,000 servers, routers, and IoT devices was published. The password dump was obtained by using the factory default settings for user credentials and simply guessing passwords. This is the biggest Telnet password leak known to date.
Weak authentication can also be a problem, because the device does not take adequate measures to verify users. This can allow external attackers and insiders to gain access to IoT endpoints and systems.
A tip from Digital Security experts: Organizations need to use password management solutions and discover new IoT devices as they are added to the network. It is also better to plan the protection of all endpoints from scratch. Opt out of devices with pre-installed passwords that can't be changed. Make sure that users set strong passwords, limiting the creation of weak ones on the technical side. Another working solution is to add multi-factor authentication.
