Poor security threatens Internet of Things hypergrowth

Most people familiar with computers and information technology know something about the Internet of Things (IoT) and probably own an IoT device or have seen it in use in the workplace. IoT adds internet connectivity to computing devices, mechanical and digital machines, and a huge array of non-computer objects.

Its growth, meanwhile, has been astounding — so much so that it has often been called the second phase of the internet.

There are now more than 11 billion connected devices worldwide, up from almost nothing a decade ago. This number is expected to swell to more than 27 billion in 2025, according to IoT Analytics, and most consumers and companies that employ IoT are happy they do. It includes “smart” home devices, such as smart cameras and doorbells; Wi-Fi enabled lights; toys; smart appliances; healthcare and fitness devices; smart automobiles with nascent self-driving capabilities; and industrial sensors.

Such objects have become a fundamental driver of global digitization, making life at home and in business easier and more productive.

Nonetheless, the IoT universe has a huge shortcoming that could gum things up.

In a world replete with endless cyberattacks, IoT devices have minimal security, in part because cybersecurity stewards and their bosses are busy with other things and aren’t demanding improvement. Neither does it help that IoT has much lower memory and computational capabilities than normal IT systems and cannot be centrally managed and configured. So IoT manufacturers focus mostly on developing and making ever more connectable products in a relentless effort to steal market share from competitors.

IoT is no longer new, but it has still been compared to the early days of the internet. Companies rushed haphazardly into the internet gold rush without adequately addressing internet security, and viruses, worms and spam became ubiquitous. At a subdued level, history may be repeating itself with IoT.

The upshot is that IoT remains based on a shaky business model, notwithstanding its whirlwind success. It’s true that internet users seldom put security first. But this doesn’t mean they don’t care about security at all, especially if they have been attacked, as more and more have. IoT device makers deliver updates for firmware — the device’s operating system — but many only for a short duration and most similarly fail to provide sufficient security updates.

This has consequences. According to the Nokia Threat Intelligence Report 2020, IoT devices recently were responsible for 33 percent of all infections observed in mobile networks, double the percentage in 2019. In large part, cybercriminals doubled down on security weaknesses amid the Covid-19 pandemic in an aggressive move to steal personal data. Companies have been the biggest targets because many have lots of IoT devices, providing a huge number of entry points for hackers to ultimately access all the data available on their networks.

The first major attack exploiting vulnerable IoT devices occurred five years ago, when internet service provider Dyn since acquired by Oracle, was successfully breached by an IoT botnet. It was among the largest denial-of-service attacks ever launched, bringing down huge portions of the internet, including Twitter, the Guardian, CNN, Netflix and Reddit. The botnet was made possible by Mirai malware, which searches the internet for vulnerable devices.

There have not been many other huge IoT-based attacks because hackers in the interim have focused much more on phishing schemes and, in particular, lucrative ransomware attacks. There have been plenty of smaller attacks, however, especially in healthcare. The vast majority of global healthcare providers that have implemented IoT devices have experienced a cyberattack on at least one of those devices, according to a worldwide survey of 700 security leaders by Swedish software company Irdeto.

Another high-profile attack occurred late last year when dozens of customers of Amazon-owned Ring, a provider of home security in the form of smart cameras installed on doorbells or inside people’s homes, were attacked and harassed and sometimes threatened with violence. Recently, other IoT users not attacked per se but analyzed by cybersecurity pros and deemed highly vulnerable included Peloton, the popular indoor spin bike company; cardiac pacemaker manufacturer Abbott; electric car manufacturer Tesla; and Owlet, the maker of a Wi-Fi baby heart monitor.

The question now is whether IoT device manufacturers will change their ways and incorporate better security from scratch. In addition to the aforementioned roadblocks, such an expensive move could threaten relatively low price points in a competitive market and pressure profits.

Corporate customer pressure is the key to change. This may happen at some point as corporate CISOs become increasingly aware that IoT devices are a significant attack vector. One bright spot is the passage of a new law late last year — The IoT Cybersecurity Improvement Act — which mandates tougher security requirements for IoT devices sold to federal government agencies. If the federal government ultimately sees fewer IoT security issues, as a result, corporations may take notice and similarly begin requiring stricter standards.

In the meantime, here are some measures that companies and often consumers can take to improve IoT security:

Scrutinize IoT vendors. When possible, refrain from buying their products if they don’t provide security updates on an extended basis.
Regularly check for patches and updates. Vulnerabilities can come from any layer of IoT devices. Even older vulnerabilities are still being used by cybercriminals to infect devices, demonstrating how long some unpatched devices stay online.
Regularly change default passwords. Too many people use the same login and password for every device they use, an open door for cybercriminals. The default password on every new device must be changed, and every login must be unique for every employee and require strong passwords.
Apply network segmentation. This way, users can minimize the risk of IoT-related attacks by creating an independent network for IoT devices, preventing hackers from deeply penetrating the entire system.

It’s worthwhile to bear in mind that technology today can amplify the consequences of a successful data breach more than ever. And now, industries and consumers are relying heavily on inherently vulnerable IoT devices. If this doesn’t change, this could ultimately undermine many of the benefits of the internet.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.