The security threats associated with the Internet of Things are growing. Enterprises are paying more attention than ever to how to mitigate the growing risk. Transforma Insights recently published a report in collaboration with Wireless Logic and IoT Now called Why enterprises need ‘IoT Security-as-a-Service’. In this blog we explore the 10 key reasons why the threat from security breaches in IoT is growing.
There are more enterprises and consumers deploying IoT than ever before, opening up more potential hacking opportunities for bad actors. Consumer devices such as refrigerators, washing machines, ovens and lighting systems are increasingly shipping with connectivity embedded. Enterprises are finding more and more ways in which IoT can be useful for streamlining business processes or giving them a competitive edge, whether that be in supply chain, manufacturing automation, retail or any other vertical.
The democratisation of the use of IoT makes for a greater number of potentially vulnerable systems and end-points. It also means that there is great potential for losing track of legacy IoT deployments. Unlike most traditional ICT deployments, such as PCs, phones or servers, these IoT devices are usually unattended and will often be operating for decades without any need to replace them, or interact with them in any way. It’s easy to lose track of every thermostat, security camera and water pressure monitoring device installed on your network.
Hand in hand with the increase in use cases, the volumes are growing. At the end of 2022, Transforma Insights estimates that there were 13.2 billion IoT connections worldwide. By 2032 that figure is expected to increase to 34.4 billion. Simply by virtue of the growth in numbers of devices, the cyber security vulnerabilities are multiplied.
According to a recent survey by Transforma Insights, enterprise IoT adoption is heading into a new phase whereby businesses are entrusting more critical core systems and processes, including those directly affecting their relationship with customers, to IoT.
The counterpoint to this use for more mission-critical systems is that such IoT deployments are more appealing for ransomware attacks, and more appealing to state actors looking to find vulnerabilities in critical national infrastructure. One good example here is the Colonial Pipeline hack of 2021, whereby a US oil pipeline carrying refined fuel was subject to a ransomware attack. The increasing use of remote management of such critical assets opens up the potential for attack.
Many IoT devices are located remotely and almost all of them are unattended, i.e. there isn’t someone constantly interacting with them. As a result, many classes of IoT device are more vulnerable to being accessed by malicious actors. A good example is the case of mobile-connected traffic lights in South Africa, where thieves broke into the connectivity units and stole SIM cards which were used in other devices.
One of the key IoT trends of the last decade, well documented by Transforma Insights, is the emergence of the ‘Thin IoT stack’, which describes an emerging norm within the development of IoT applications to make use of specific off-the-shelf technologies that have been created explicitly to be optimised for use in constrained environments, the constraints being some combination of limited access to power, low bandwidth connectivity, and limited processing and memory.
One result of using these constrained technologies is that they often have limited capability to support security features. In some cases on-device processing is very limited, or networking protocols may not support the appropriate level of security, or the available data transmission may be so limited (due to the available technology or the desire to maintain battery life) that firmware updates are difficult to achieve. With the constantly evolving threat landscape it’s critical to be able to do firmware over the air (FOTA) updates, which may not be possible with some constrained technologies.
An under-considered aspect of IoT security is the extent to which different systems make use of common infrastructure, opening them up to security vulnerabilities. The most common are man-in-the-middle attacks on users’ Wi-Fi networks. These open up the risk of financial fraud and other serious issues. In one case, Pen Test Partners easily hacked an iKettle to reveal the Wi-Fi password for the network on which it resided. The most famous example of this is probably the Las Vegas casino where financial details of customers were accessed by the hacking of a fish tank monitor. Target had a similar experience in 2013 when hackers made use of vulnerabilities in its HVAC system to access credit card information. And the famous Jeep hack of 2015 saw white hat hackers exploit a vulnerability in the infotainment system to get access to the CAN bus, allowing them to steer and stop the car.
Any IoT project involves multiple participants and a diverse array of technologies, including device, network, application, cloud, enterprise back-office, end user and more. All of these represent potential weak-points. A chain is only as strong as its weakest point.
Managing security on IoT devices is an order of magnitude more complex than managing it for a limited array of traditional ICT devices, such as handsets, PCs and IT infrastructure. While handling device management in a bring-your-own-device environment was slightly challenging due to the variety of device types, with IoT that is expanded ten-fold. Enterprises need to consider security vulnerabilities of a diverse range of devices across generic IoT deployments, such as building automation or security, and specialist vertical use cases, such as process automation, payment terminals, track & trace or inventory management.
There is a shortage of skills for developers in ICT in general and this is particularly pronounced in the IoT, where the set of capabilities required is very broad, spanning both hardware and software. Many security problems arise simply because the developer was not cognisant of the risks across associated domains with which they may not be too familiar.
This item could have been called ‘manufacturer corner-cutting’ because that’s largely what stimulates the need for regulation. Hardware developers trying to produce as cheap a product as possible will often cut corners, and security is one of those corners. The Mirai botnet, for instance, which infected as many as 400,000 consumer IoT devices, particularly video cameras, was able to do so simply because of a lack of basic security on those devices. Regulation is needed to ensure manufacturers do not cut those corners.
These changes trigger an increasing requirement for more careful consideration of all aspects of IoT security, topics which are further elaborated on in the report.