Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

IoT’s Importance is Growing Rapidly, But Its Security Is Still Weak

The explosive growth of IoT devices opens an extensive attack surface that needs to be addressed

The explosive growth of IoT devices opens an extensive attack surface that needs to be addressed

The weakest link in most digital networks is the person sitting in front of the screen – the defining feature of the Internet of People (IoP). Because that’s where, through cunning and manipulative tactics, unsuspecting recipients can be tricked into opening toxic links. Little do they know, however, they’ve unwittingly opened the gates to digital catastrophe.  

Of course, I have nothing against people. In fact, some of my best friends are people! But digital devices, left to themselves, are essentially immune from social engineering scams. Unlike people, they are not impressed with amazing free offers, nor are they moved by urgent pleas for cash from an acquaintance who claims to be stranded in some obscure location or terrible circumstance.  

Today, more digital devices than ever are connecting to corporate networks. In fact, McKinsey estimates that 127 new IoT devices go online every single second – a pace enabled by the rapid spread of 5G networks. But, because IoT devices are unsentimental about emotional appeals, the opportunity for a bad actor to hack into an internet-connected network has been narrowed. And the attractions of IoT technology remain truly authentic. As far back as 2015, a Samsung white paper put it this way:

“Much more than just a trendy term, the IoT delivers real, measurable benefits by helping companies of all sizes to use their assets more efficiently; react to market trends in real time; better understand their customer’s needs; increase environmental efficiency and reduce their carbon footprint; ensure that best practices are always in place; drive employee and partner productivity; and transform the customer experience.”  

That’s impressive. At the same time, however, there are risks uniquely associated with unmanaged IoT sensors and their related technologies including gateways, hubs, cloud servers, mobile apps, and control devices, all of which need to be taken seriously. A recent Forrester report pointed out that as the proportion of unmanaged devices within enterprises grows, so does the organization’s attack surface. And that surface is expanding at a breakneck pace, with survey respondents estimating that unmanaged devices now outnumber managed ones on their networks by three to one. 

In the same Forrester study, however, two-thirds of those surveyed claimed they had personally experienced a security incident related to their unmanaged IoT devices. And there are plenty such devices to go around. They include office equipment and peripherals, automation sensors for buildings, personal consumer devices, VoIP phones, smart TV screens and monitors, Bluetooth keyboards, headsets, HVAC systems, security systems, lighting systems, cameras, vending machines, smartphones, gaming consoles, smart speakers, medical devices, routers, switches, firewalls, and many more. And that doesn’t even count the proliferation of specialized IoT devices used in manufacturing, transportation, and agriculture. 

There are some practical explanations for those vulnerabilities. In April 2021, SecurityWeek reported on flaws disclosed in the code of four TCP/IP stacks used to integrate network communication protocols and establish connections between devices and the internet.

Attacks exploiting these flaws could wreak havoc in critical infrastructure networks affecting, for example, transportation, or manufacturing settings. Infiltrating a connected device or server can disrupt an entire system or serve as a springboard for burrowing into an organization’s network.  

Some of the scariest potential abuses of IoT systems affect medical devices. Last summer, McAfee security researchers identified a series of vulnerabilities in a B. Braun infusion pump that neglected to verify who was sending the commands – commands which could lead to it dispensing lethal doses of medication4. And in October, Medtronic recalled one of its insulin pumps for similar reasons. 

There are, however, a growing body of best practices designed to protect IoT devices and the information they handle. In general, these involve taking a matrix of prevention, detection, and mitigation steps, and applying them across different layers of the modern IoT ecosystem, including the machines, devices, sensors, and servers that either collect, connect, or transmit data. Some of these are available in the form of off-the-shelf protection products – software that can poll the IoT devices on a network, highlight their risks, and block cyberattacks by applying real-time threat intelligence. 

But there are also industry specific IoT protection software solutions. Some involve on-device agents tailored to foil attempted cyberattacks across specialized environments such as smart offices, healthcare institutions, and manufacturing units. Firmware protection systems are also available that use zero-trust strategies to prevent infection from unauthorized lateral access movement across the network. These types of robust authentication mechanisms – and there is a wide assortment of them – come strongly recommended.

However, there are also steps that can be taken without investing in any new technology. For example, you can segment your data and critical networks to keep them from being accessed by IoT devices. You can do regular backups. You can encourage the formation of training programs for your IT staff. Formulating a compliance and privacy policy that addresses sensitive data is very important. So is deleting data that you no longer need, as well as keeping your IoT devices current with their manufacturers’ updates. Although well established, changing passwords and installing strong firewalls continue to remain high-value protective measures.  

A recent article directed to procurement executives cited research claiming that 90 percent of consumers today lack confidence in IoT device security. While that figure may not be quite as high among IT professionals and business leaders, it underscores the pressing need to work on building confidence by tightening IoT security, especially in an insecure world where these unmanaged devices are playing a rapidly-growing and increasingly important role. 

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Australia's Defense Department said that they will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...