The Internet of Things (IoT) cybersecurity crisis

By Zeki Turedi, EMEA CTO, CrowdStrike.

Over the past decade, the Internet of Things (IoT) has become one of the most critical and valuable technologies. The IoT is a system of connected devices embedded with sensors and software that allows them to transfer data over a network. This can include anything from a pacemaker in a human’s chest or a network-accessible screen, to a car with sensors that gather information on engine temperature or fluid levels. IoT has provided a vast number of benefits for businesses as it allows companies to actively observe their systems and collect data, insights and performance metrics without the need for human intervention.

But there are some issues. Protecting, monitoring and remediating threats related to this vast network of connected devices and technologies constantly gathering, storing and sharing data via the internet has made IoT security challenging. So much so that even the FBI recently issued an industry-wide warning around cyber criminals increasingly targeting internet-connected devices for the purpose of exploiting their vulnerabilities. So what’s the solution?

IoT is the future, but is it safe?

It’s safe to say that IoT isn’t slowing down. IoT research shows that IoT connections, such as smart home devices, connected cars and networked industrial equipment, exceeded traditional connected devices, such as computers and laptops, for the first time in 2020, representing 54% of the 21.7 billion active connected devices. It is estimated that by 2025, there will be more than 30 billion IoT connections, which equates to about four IoT devices per human on the planet.

But, as with any successful technology, there are always problems. IoT hacks have been growing over time. The most significant attack was the Mirai Botnet hack in 2016, which targeted DNS service provider Dyn using a botnet of IoT devices. The Mirai malware successfully managed to infiltrate networks, where it automatically searched for more vulnerable devices and, using stolen credentials, gained access and repeated the process to gain control. This attack dismantled servers and significantly affected major media platforms such as Netflix, Reddit and Twitter. But IoT hacks don’t only affect tech giants. Cybercriminals are also targeting hospitals' medical devices and placing many patients at risk. St. Jude Medical, an American global medical device company, in 2017 experienced hackers gaining access to its patients' pacemakers. This gave the adversaries access to alter the pacemaker’s functions and even adjust settings that could potentially prove fatal to patients.

IoT security has become an even more pressing concern for organizations, given the recent shift to remote work due to COVID-19. With people now relying on both their home network and personal devices to conduct business activities, many digital adversaries are taking advantage of lax security measures to carry out attacks.

Understanding what you’re up against

Despite this heightened risk and broader threat surface, IoT cybersecurity is often still overlooked or minimal. Inadequate IoT security policies pose a grave risk for organizations, since any device can serve as a gateway to the wider network. Once adversaries gain access through a device, they can move laterally throughout the organization, accessing high-value assets or conducting malicious activity, such as stealing data, IP or sensitive information.

Many companies focus entirely on endpoint cybersecurity. But the same level of diligence needs to be applied to IoT devices. If IoT devices are not equipped with the same level of protection, the organization as a whole is at risk of a cyberattack.

Research shows that 33% of companies that have adopted IoT consider cybersecurity issues related to the lack of skilled personnel to be the most critical concern for their IoT ecosystem. This lack of skill and knowledge results in multiple common cybersecurity malpractices, such as using default credentials for convenience and not staying up to date with the latest software or firmware updates on their devices, which are necessary to prevent software vulnerabilities and manage bugs.

Cybercriminals are always adapting their methods of intrusion. One common attack path is the ‘on-path attack’. These attacks rely on the nature of IoT devices, which frequently don’t encrypt their data by default. The attacker can position themselves between two devices that trust each other and exfiltrate any data being passed between them. Another common vulnerability is stealing or deciphering simple credentials. Cybercriminals are experts at identifying weak or generic passwords and using them to slowly gain access and even admin control. Denial of Service (DoS) attacks are also a common technique. Here, cybercriminals will gain control of an IoT device and begin flooding a target website with fake traffic, which overwhelms its servers and prevents legitimate users from carrying out their everyday activities.

Securing IoT can secure a company’s future

IoT security should be a consideration for any organization's overall cybersecurity strategy. This includes carrying out IoT security best practices such as updating and patching devices, using strong passwords and multi-factor authentication, taking inventory of all connected devices, and ensuring the correct access is enabled for each one. No single security tool can provide uniform and complete protection across all IoT devices. But the best cybersecurity partners provide a blend of security measures across all endpoints and the cloud, allowing companies to be as secure as possible.

Organizations need to develop a comprehensive cybersecurity strategy that protects against a wide range of cyberattacks across all devices at both the endpoint and network levels. The IoT security market has already grown significantly from £13.28 billion in 2021 to £15.63 billion in 2022 and this is only going to increase. Companies that stay vigilant with their IoT security are more likely to stay afloat in the upcoming years.
