11th November, 2021
The Internet of Things (IoT) has surged in popularity in recent years, with consumers embracing interconnected technology to the point where there are now 35.82 billion IoT devices globally. IoT devices can streamline domestic life, control appliances remotely, communicate with one another and myriad other things. But with so many gadgets, appliances and accessories now having the capability to connect to the internet – and each other – these pieces of tech could leave individuals and companies vulnerable to attack from hackers.
IOT SECURITY VULNERABILITIES
Many IoT devices are designed to connect to one another for convenience and ease of use, they often have little to no security to protect them from malicious actors. And many IoT devices contain large amounts of personally identifiable information (PII). It’s clear to see why they might become a target for hackers.
THE MAIN IOT SECURITY ISSUES INCLUDE:
Weak password protection
IoT devices often come with a default password which consumers are unlikely to change after setting up the device, making it very easy for hackers to “mass takeover” multiple identical devices if they know the password.
Lack of regular patches and updates and weak update mechanism
IoT software updates often fix bugs or security issues to prevent hackers. But many people overlook installing updates, and if these updates are not set to be done automatically, they risk leaving devices more vulnerable.
IoT devices process and communicate using apps, services and protocols. This is where many IoT vulnerabilities originate from. From weak or no encryption, to poor device authentication and authorization, insecure interfaces put IoT devices at risk of attack.
Insufficient data protection
One of the main problems with IoT security is that devices often contain highly confidential data – from video footage of rooms in a house to private health information. If this data is not sufficiently well protected it can become an easy target for hackers.
Poor IoT device management
IoT devices are often interconnected, meaning that once one device is compromised, hackers can use it to gain access to other connected devices. One such example took place in 2017 when hackers accessed a casino database through an IoT fish tank thermostat and were able to exfiltrate 10gb of data.
IoT devices holding and sharing more PII
IoT devices like smart watches, smart speakers, and smart CCTV hold large amounts of private personal data, which makes them very attractive targets for hackers. The information they gather can be sold on the dark web.
Little to no security legislation for IoT devices
So far very few governments have set legal requirements for inbuilt security in IoT devices. California became the first US state to specifically regulate the security of connected devices, but currently in the UK the government is still working on a “Secure by Design” regulation.
THE RISE OF IOT BOTNET ATTACKS
When an IoT network of devices is infected by botnet malware, they can be controlled by malicious actors. IoT botnets have been known to be involved in Distributed Denial-of-Service (DDoS) attacks in the past. IoT attacks are on the rise, with Security Intelligence reporting a 500% increase in overall IoT attacks year over year. The most common IoT botnets identified are:
- Mirai – takes advantage of insecure IoT devices by scanning the internet for open Telnet ports, then attempting to log in using default passwords. In this way, it has been able to amass a botnet army.
- Mozi – targeting routers and cameras. The malware builds a peer-to-peer network that it can use in DDoS attacks, remote command execution, and payload execution.
- Gafgyt – targeting vulnerable IoT devices like Huawei routers, Realtek routers, and ASUS devices, which it uses to launch large-scale DDoS attacks.
- Echobot – based upon the source code of Mirai, Echobot primarily targets IoT devices but can target other platforms including web servers and private data centres.
5G AND IOT SECURITY CONCERNS
With 5G becoming increasingly accessible, IoT devices are also becoming more accessible to individuals and companies. Many organisations are planning to use 5G networks to support IoT devices. 5G enables IoT devices to run faster, with reduced latency and minimal cost. But using 5G without a private network or adequate security measures could put the privacy of organisations and individuals at risk.
If hackers can infiltrate the 5G network, they could gain instant connectivity to every IoT device running on that network, accessing private data and using the devices as an out-of-the-box attack tool for a DDoS attack. This could lead to higher density attacks using IoT due to increased connectivity, accessibility, and coverage. There is also limited 5G IoT visibility, which would make it difficult for cybersecurity teams to identify and remove malware before it has infiltrated the network of connected devices.
WHAT CAN ORGANISATIONS DO TO PREVENT A 5G IOT ATTACK?
For organisations that are planning to utilise 5G on their IoT network, operators need full visibility. Devices will inherently operate more at the edge of the network, and it’s not feasible to monitor all the endpoints at device level. This will lead to a larger attack surface, with attacks more likely to target IoT devices for the following reasons:
- To gain access to PII on IoT devices such as smart watches for financial gain.
- As an easier means of initial access into a private network. This may enable lateral movement onto a work device, such as a connected laptop, which in turn could provide access to the corporate LAN.
- To amass a larger network of botnets, enabling greater DDoS attacks against victims.
The perimeter of enterprise networks has become ever more blurred, while the use of IoT devices becomes more intertwined with our personal and professional lives. PII will always be an appetising target for threat actors for financial gain, and at the same time so too will weak security within IoT devices. With these two factors coupled together (in addition to the potential new threat vectors for gaining access into corporate networks from private networks), there is a growing opportunity for threat actors to gain easier access to our networks and consequently more data.
Understandably there are a number of difficulties that surround implementing endpoint detection systems on devices, particularly where employees use personal devices to remote access their corporate networks. However, network security solutions can provide the additional visibility required to monitor malicious activity within a network, enabling identification of malicious command and control activity or growing botnets. This in turn enables a response to be effected at a higher level, maintaining network security.