Why Your Connected Device Represents a Prime Target to Hackers
Hackers consider IoT devices easy pickings. Compared with other points in the network, such as the cloud, web applications, computers, and software, IoT devices are less well guarded and easier to breach. Given the lower barrier to breaching an IoT device, one would assume that the risks are not as significant. The reverse is true: because these devices are more closely embedded in human life, the stakes are significantly higher.
IoT security has never been more critical than it is today. Product managers need to be aware of how easy it is to compromise a device, understand why IoT devices are more attractive to hackers than other devices, and know what solutions are available to keep them safe once they go to market.
Easy to Hack
Like any well-run business, the most successful hackers decide which enterprises to attack through a cost-versus-benefit analysis. Organizations with the largest number of exposed surfaces are prioritized over those that are better protected. Because IoT devices tend to have minimal protection, if any at all, each IoT device connected to the enterprise network creates more exposed surfaces.
So why do IoT devices have less protection?
For two main reasons:
Firstly, IoT devices are with their users, which often means at the network’s edge, where they gather data and deliver information in real time without the latency constraints of exchanging data with the cloud. But because they sit beyond the safe confines of the network, traditional security measures are harder, if not impossible, to apply. A survey conducted by Tripwire of 312 security professionals found that 99% of them struggle to secure their IoT and IIoT devices. According to Steve Wong, an open-source software engineer at VMware, “In an edge scenario, there is no telling what can happen to that device”.
Secondly, the industry standard for protecting IoT devices is well below that for protecting computers and other endpoints. The endpoint security market is so highly developed that you seldom find an enterprise computer without an EPP or EDR solution installed. If an IoT device has any security at all, it is only to the standards of security-by-design (SBD). SBD guarantees that a product is secure because it has been designed, from its foundation, with security in mind. Within this approach, the security expert works to minimize the potential attack surface area of a device by removing all potential vulnerabilities.
Although this process is important, it’s not enough. It relies on the premise that the attack landscape is static and can be anticipated and guarded against. The reality could not be further from this: hackers are perpetually changing their techniques and developing new malware that gives them better persistence and capabilities than they had before. This means that, to be truly effective, a security solution must have a real-time mechanism that can detect and mitigate the new attacks that will arise throughout the product’s lifecycle.
Faults in the Firmware
To ensure the profitability of an IoT model, development must be kept in line with a Minimum Viable Product (MVP). But the tremendous pressure to release an MVP in the shortest possible time typically leads to neglecting the security and privacy of the final product.
To keep a product within budget, it will often be built with open-source operating systems and external software that are free, but also laced with malicious bugs. The OpenSSL encryption library and the Unix shell are two examples of widely used open-source projects that had bugs embedded in them.
It’s also not uncommon for software used within the supply chain to no longer be supported by the manufacturer. This leaves customers with devices running old software that hasn’t been updated for years and now represents a severe security flaw.
Why IoT Devices are so Attractive to Hackers
Being easy to hack is one thing, but the payday offered by hacking IoT devices is a huge incentive in itself, as they offer so much greater scope for damage.
IoT devices are primarily used for their ability to pick up data on their environment and transmit that data to a server or an app. Naturally, they hold a bevy of information, and depending on the device, that information can be highly sensitive. Consumer IoT devices hold anything from biometric data to photos and video footage, while Industrial IoT devices can hold credentials and encryption keys to critical infrastructure and environmental metrics. In the wrong hands, this data could not only threaten your customer’s organizational operations; any compromised data could also put you in breach of privacy regulations.
Having gained access to an IoT device, a hacker may decide to cause havoc by significantly impairing device functionality or causing it to shut down completely. One method of achieving this is a distributed denial of service (DDoS) attack, in which a hacker sends a huge amount of communication to an IoT device all at once, overburdening it until it becomes unavailable.
Cause physical damage
IoT more deeply immerses digital capability into physical reality. For all the practical benefits this creates, it also raises the stakes in terms of the practical damage that a hacker can cause. An attack pathway can be designed to gain remote control over the device and allow the hacker to do with it as they please, whether that is causing the device to malfunction or altering its programmed functionality. For example, a hacker can replace the automated processes of a pacemaker with processes that would administer incorrect pacings and shocks.
IoT devices are also preferred because they can be pulled into a botnet, which hackers can sell on the darknet to make serious money. A botnet is a collection of IoT devices that are all running the same malicious script, controlled by a hacker. Botnets are often sold on the dark web to other hackers, who can deploy their own malware to carry out any range of attacks, whether that is launching a DDoS, stealing data, sending spam, delivering ransomware, or taking control of the device and its connections. The more extensive the botnet, the higher the price. The Shadow botnet, which included 100,000 devices, sold for $36,000. The infamous Mirai botnet, which compromised millions of devices, undoubtedly sold for even more than that.
Getting off the hacker’s radar
Having an advanced IoT security solution will be key for product managers looking to establish their smart product in the market. A solution that continually monitors for threats and mitigates them as soon as they’re identified will effectively discourage attacks as hackers scout for their next target. A protected device is so much harder to infect than an unprotected one that, weighing the effort and time needed against the benefits, attacking it really doesn’t pay. For product managers and customers, this offers peace of mind, knowing the connected device will work as intended.