The explosive growth of IoT devices opens an extensive attack surface that needs to be addressed
The weakest link in most digital networks is the person sitting in front of the screen – the defining feature of the Internet of People (IoP). Because that’s where, through cunning and manipulative tactics, unsuspecting recipients can be tricked into opening toxic links. Little do they know, however, they’ve unwittingly opened the gates to digital catastrophe.
Of course, I have nothing against people. In fact, some of my best friends are people! But digital devices, left to themselves, are essentially immune from social engineering scams. Unlike people, they are not impressed with amazing free offers, nor are they moved by urgent pleas for cash from an acquaintance who claims to be stranded in some obscure location or terrible circumstance.
Today, more digital devices than ever are connecting to corporate networks. In fact, McKinsey estimates that 127 new IoT devices go online every single second – a pace enabled by the rapid spread of 5G networks. But, because IoT devices are unsentimental about emotional appeals, the opportunity for a bad actor to hack into an internet-connected network has been narrowed. And the attractions of IoT technology remain truly authentic. As far back as 2015, a Samsung white paper put it this way:
“Much more than just a trendy term, the IoT delivers real, measurable benefits by helping companies of all sizes to use their assets more efficiently; react to market trends in real time; better understand their customer’s needs; increase environmental efficiency and reduce their carbon footprint; ensure that best practices are always in place; drive employee and partner productivity; and transform the customer experience.”
That’s impressive. At the same time, however, there are risks uniquely associated with unmanaged IoT sensors and their related technologies including gateways, hubs, cloud servers, mobile apps, and control devices, all of which need to be taken seriously. A recent Forrester report pointed out that as the proportion of unmanaged devices within enterprises grows, so does the organization’s attack surface. And that surface is expanding at a breakneck pace, with survey respondents estimating that unmanaged devices now outnumber managed ones on their networks by three to one.
In the same Forrester study, however, two-thirds of those surveyed claimed they had personally experienced a security incident related to their unmanaged IoT devices. And there are plenty such devices to go around. They include office equipment and peripherals, automation sensors for buildings, personal consumer devices, VoIP phones, smart TV screens and monitors, Bluetooth keyboards, headsets, HVAC systems, security systems, lighting systems, cameras, vending machines, smartphones, gaming consoles, smart speakers, medical devices, routers, switches, firewalls, and many more. And that doesn’t even count the proliferation of specialized IoT devices used in manufacturing, transportation, and agriculture.
There are some practical explanations for those vulnerabilities. In April 2021, SecurityWeek reported on flaws disclosed in the code of four TCP/IP stacks used to integrate network communication protocols and establish connections between devices and the internet.
Attacks exploiting these flaws could wreak havoc in critical infrastructure networks affecting, for example, transportation, or manufacturing settings. Infiltrating a connected device or server can disrupt an entire system or serve as a springboard for burrowing into an organization’s network.
Some of the scariest potential abuses of IoT systems affect medical devices. Last summer, McAfee security researchers identified a series of vulnerabilities in a B. Braun infusion pump that neglected to verify who was sending the commands – commands which could lead to it dispensing lethal doses of medication4. And in October, Medtronic recalled one of its insulin pumps for similar reasons.
There are, however, a growing body of best practices designed to protect IoT devices and the information they handle. In general, these involve taking a matrix of prevention, detection, and mitigation steps, and applying them across different layers of the modern IoT ecosystem, including the machines, devices, sensors, and servers that either collect, connect, or transmit data. Some of these are available in the form of off-the-shelf protection products – software that can poll the IoT devices on a network, highlight their risks, and block cyberattacks by applying real-time threat intelligence.
But there are also industry specific IoT protection software solutions. Some involve on-device agents tailored to foil attempted cyberattacks across specialized environments such as smart offices, healthcare institutions, and manufacturing units. Firmware protection systems are also available that use zero-trust strategies to prevent infection from unauthorized lateral access movement across the network. These types of robust authentication mechanisms – and there is a wide assortment of them – come strongly recommended.
However, there are also steps that can be taken without investing in any new technology. For example, you can segment your data and critical networks to keep them from being accessed by IoT devices. You can do regular backups. You can encourage the formation of training programs for your IT staff. Formulating a compliance and privacy policy that addresses sensitive data is very important. So is deleting data that you no longer need, as well as keeping your IoT devices current with their manufacturers’ updates. Although well established, changing passwords and installing strong firewalls continue to remain high-value protective measures.
A recent article directed to procurement executives cited research claiming that 90 percent of consumers today lack confidence in IoT device security. While that figure may not be quite as high among IT professionals and business leaders, it underscores the pressing need to work on building confidence by tightening IoT security, especially in an insecure world where these unmanaged devices are playing a rapidly-growing and increasingly important role.
