Internet of Things (IoT) security is the set of safeguards and protections for cloud-connected devices such as home automation systems, SCADA machines, security cameras, and any other technology that connects directly to the cloud. IoT technology is distinguished from mobile device technology (e.g., smartphones and tablets) by the automatic cloud connectivity built into its gadgets. IoT security involves securing devices that have traditionally been poorly designed for data protection and cybersecurity. Recent data breaches have shown that IoT security should be a priority for most manufacturers and developers.
How IoT Security Works
IoT devices are anything that connects to the cloud and collects data. They could be locks, garage door openers, temperature monitors (e.g., Google Nest), refrigerators, security cameras, ovens, televisions, or any other gadget that connects to the cloud. Many of the latest warehouse machinery connects to the cloud. Notice that these devices are not considered mobile devices, which have a standard operating system and their own cybersecurity standards. IoT devices use an operating system, usually Linux, but it’s a modified version of the full software.
Because IoT devices work differently than standard mobile devices, they require their own set of cybersecurity rules unique to the way they operate. They don’t have the advantage of the inherent security rules that come with a mobile operating system such as iOS or Android. When IoT first became popular, several data breaches and disastrous attacks were launched against these devices. Even today, IoT security is still a challenge for many developers and manufacturers.
IoT security involves protecting data as it transfers from the local device to the cloud. It also protects the device itself from being compromised. Because users rarely change the default password for IoT devices, malware named Mirai is a significant threat. Mirai targets Linux-based IoT devices that still have the default password active and makes them part of a botnet. This botnet is then used to launch a distributed denial-of-service (DDoS) attack against a target. Simply changing the default password and blocking Telnet services will help stop Mirai’s brute-force attack on IoT devices.
Because IoT devices communicate with the cloud, security must also involve protecting transferred data and the location where it’s stored. The cloud stores a myriad of data points that could be used in identity theft or intrusion of the user’s privacy if an attacker can compromise the user’s account. Although many website owners work with SSL/TLS on data transfers, IoT device manufacturers have been found to transfer data from cloud-connected devices without encryption.
Authentication issues have also plagued IoT security. Most notable is the missing or broken authentication found in children’s toys. Data breaches on children’s toys potentially give an attacker access to a toy’s activity and the child’s personal information. Better authentication tools and protection from brute-force password attacks stop attackers from obtaining this information.
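The two protections named above, refusing the default password and throttling brute-force guessing, can be sketched on the device side as follows. This is an added example, not code from any manufacturer; the factory password, the small denylist, the 12-character minimum and the lockout values are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

FACTORY_DEFAULT = "admin"   # constructed factory password
COMMON_PASSWORDS = {"password", "12345678", "admin", "default"}  # tiny sample denylist
MAX_FAILURES = 5            # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 300       # assumed policy: lockout duration

def _hash(password, salt):
    # Salted, slow hash so a stolen credential store resists dictionary attacks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class DeviceLogin:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.salt = os.urandom(16)
        self.digest = None        # no usable password until setup completes
        self.failures = 0
        self.locked_until = 0.0

    def set_password(self, new_password):
        """Setup step: refuse the factory default and short or common passwords."""
        if (len(new_password) < 12 or new_password == FACTORY_DEFAULT
                or new_password.lower() in COMMON_PASSWORDS):
            return False
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)
        return True

    def login(self, password):
        """Return 'ok', 'denied', 'locked' or 'setup-required'."""
        if self.digest is None:
            return "setup-required"   # the default password never grants access
        now = self.clock()
        if now < self.locked_until:
            return "locked"           # even a correct guess is refused while locked
        if hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "denied"
```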
There is no one way IoT security works, but it’s been a goal for cybersecurity professionals to educate developers and manufacturers on the proper methods of coding with security and placing better protections on cloud activity. IoT security includes encrypting data traveling in the cloud, better password controls, and coding IoT actions that defend against attacker-controlled scanners and tools. With no accepted standards, IoT security is in the hands of users who own the devices and the manufacturers and developers who release them to the public.
Challenges with IoT Security
IoT manufacturers must take steps to better secure devices, but many of the challenges with IoT security involve user interaction and education. Users must change the default password when installing a device, but many are unaware of the dangers or just prefer the convenience of using the default password. Users must be educated to change the default password, but manufacturers can’t force them to change it without risking losing business.
Another issue is the lack of updates. Even if a manufacturer has several updates to manage bugs and vulnerabilities, users must install them. If users don’t update firmware, the device could be vulnerable to several attacks for months. Users don’t typically search for updates consistently, so they also are unaware that firmware updates exist.
Cybersecurity standards are defined for mobile devices, desktops, and web applications, but no standards exist for IoT security. IoT security is the “wild wild west” of cybersecurity, and it’s left to developers to code security into their applications properly. This has left a hole in cybersecurity protections on IoT devices. Manufacturers have their own standards, but these standards are not sufficient to protect against advanced attacks.
Most users and developers don’t see IoT devices as an attack target, so they often skip the best cybersecurity practices while developing products. In addition to insecure coding, IoT manufacturers don’t always have their devices penetration tested for vulnerabilities and exploits. With web and mobile devices, it’s standard to offer bug bounties to hackers to find issues before attackers do and pay penetration testers to find bugs before software is released.
Tools to Better Secure IoT Devices
Users and manufacturers can take several steps to better secure IoT. Most cybersecurity relies on user actions, which is why cybersecurity is weak in the industry. User education can help alleviate many problems related to IoT security, but manufacturers also have ways they can help stop attacks on user accounts and devices.
Here are some ways IoT security can be used to stop attackers:
- Always change device passwords during setup. Never reuse passwords across multiple websites or devices, as attackers will use a list of passwords to attempt to brute force device access. Strong passwords are also necessary. Using “password” as the password will make it easy for attackers to brute force it using dictionary attacks.
- If the IoT device has a smartphone app, be aware of the permissions the app asks for to proceed. Android and iOS require apps to ask for permission to access phone resources. For instance, if the app asks for contact access, it’s likely the app will take a snapshot of your contacts. Deny access if it’s not necessary.
- Use a VPN to connect to the device when accessing it remotely. IoT devices often come with an app that can be installed on a smartphone where users can access devices from the Internet. Transmission of data from the device to the cloud may not be encrypted. By using a VPN, the data transferred will always be encrypted and not vulnerable to man-in-the-middle attacks.
- Some IoT device apps want to connect with social media. The data could be shared with social media platforms unknowingly. Restrict connecting to social media apps when it is not necessary.
- Block unnecessary ports on your network. Attackers use scanners to identify open ports, and if the Telnet port is found open, it could lead to additional attacks using the Telnet protocol. If the devices provide the option to block specific protocols, block the ones that are unnecessary and will not be used.
- Regularly check the manufacturer site for updates. Firmware updates include patches for bugs and security vulnerabilities. These updates should be installed as soon as possible because as soon as attackers are aware of the vulnerabilities patched in the updates, they will design malware and exploits against them.
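Blocking Telnet, as advised in the list above, is the fix; until it is in place, firewall logs can show whether a device is receiving the kind of repeated Telnet connections that Mirai-style brute forcing produces. The detection below is an added example, not part of the original article: the log format, the sample lines, the 60-second window and the threshold of five are assumptions, and it counts connections rather than failed logins.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORT = 23                # standard Telnet port
WINDOW = timedelta(seconds=60)  # assumed detection window
THRESHOLD = 5                   # assumed: connections per window before alerting

# Constructed sample log, format assumed: timestamp src dst dst_port action
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 192.168.1.50 23 ALLOW
2024-01-01T10:00:05 198.51.100.9 192.168.1.50 443 ALLOW
2024-01-01T10:00:10 203.0.113.7 192.168.1.50 23 ALLOW
2024-01-01T10:00:20 203.0.113.7 192.168.1.50 23 ALLOW
2024-01-01T10:00:25 192.168.1.20 192.168.1.50 23 ALLOW
truncated line
2024-01-01T10:00:30 203.0.113.7 192.168.1.50 23 ALLOW
2024-01-01T10:00:40 203.0.113.7 192.168.1.50 23 ALLOW
2024-01-01T10:05:25 192.168.1.20 192.168.1.50 23 ALLOW
"""

def parse_line(line):
    """Return (time, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_telnet_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map (src, dst) to the time the Telnet connection rate first hit the threshold.

    Assumes log lines are in chronological order.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != TELNET_PORT:
            continue
        ts, src, dst, _ = rec
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:     # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((src, dst), ts)
    return alerts

if __name__ == "__main__":
    for (src, dst), ts in find_telnet_bursts(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} repeated Telnet connections {src} -> {dst}")
```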