Smart devices, which are part of the Internet of Things (IoT) ecosystem, are not only increasingly prevalent in homes. They are also finding their way into businesses of all sizes, including enterprises. Unfortunately, the cybersecurity of IoT devices leaves a lot to be desired and is often overlooked.
When a business decides to make IoT solutions part of their infrastructure, security features are rarely even considered before purchasing. At the same time, IoT device manufacturers focus on functionality and often completely ignore security measures when developing their products. As a result, businesses end up with security holes that are very difficult to mitigate short of completely replacing the equipment to reduce the potential attack surface.
There have been several reports and whitepapers analyzing the state of Internet of Things security. One that highlights the problem is SOHOpelessly Broken 2.0 by ISE. While it focuses on small office and home devices, the situation is not much different for enterprise-oriented solutions. The report shows that every device tested as part of the exercise was vulnerable to cyberattacks. Interestingly enough, most of these vulnerabilities were specific to the web (SQL Injection, Cross-site Scripting, command injection, CSRF, Path Traversal), which highlights how closely IoT security is interwoven with web security.
Why Are IoT Devices Insecure?
The Internet of Things landscape is still very immature and chaotic. There are not enough IoT standards, so manufacturers develop their own. While devices must use certain common technologies to work with the Internet, their core structure is completely up to the manufacturer. They often use atypical hardware, run on uncommon operating systems (often custom-made, simplified ones), use proprietary network protocols, and are in general difficult to analyze and protect.
At the same time, every smart device must be somehow controlled and administered by users. Most of them use web interfaces for that purpose, simply because such interfaces are user-friendly and easy to implement. Unfortunately, most manufacturers do not embrace secure web coding practices and do not test their devices for web security – this is an issue even for the biggest brands (as proven by the whitepaper mentioned above). As a result, smart devices are often very easy to break into.
However, user interfaces are not the only purpose for which IoT devices use web technologies. To connect to other Internet-based systems, IoT devices must use existing standards, and REST APIs are one of the most common methods of communicating with other devices and applications. REST APIs are just as prone to web vulnerabilities as the user interface, so many IoT devices end up exposing vulnerable APIs to the rest of the world.
If a device is found to be vulnerable, another issue surfaces: updating the software in such a device is not always easy. The user can only wait for the manufacturer to get their act together and quickly release firmware updates that fix the problem. Unfortunately, many manufacturers don’t treat such issues seriously enough, and the customer ends up having to either terminate the device lifecycle (scrap it), strongly isolate it, or wait for the update with fingers crossed and hope that the vulnerability is not exploited by anyone.
Why Does the Lack of IoT Security Threaten Enterprises?
In some industries, smart devices are the only way to achieve greater efficiency. For example, IoT is becoming more and more common in asset tracking and manufacturing, improving customer experience, monitoring medical devices, and more. However, even if an enterprise is not focused on IoT, many new hardware products on the market are smart by design. For example, when you buy new printers for the offices, you may unknowingly end up with IoT devices. Even enterprise-class network equipment nowadays can feature IoT functionality.
Therefore, the biggest threat to enterprises is the lack of awareness. Enterprise security teams may not even be informed of the presence of smart devices in internal networks. The fact that most IoT devices are used internally should not mean that their security is less important. Web interfaces may be misconfigured and accessed from the outside, thus letting the attacker enter internal networks. Organizations are also directly susceptible to insider security threats. Last but not least, your vulnerable IoT device might be used as an accessory, for example, for a botnet-based DDoS attack against another organization.
How to Secure IoT?
Completely securing your IoT is not easy because it requires a combination of device security, network security, web security, and more measures (depending on the type of device). Also, there are very few dedicated IoT security solutions and service provider offerings on the market. The key to success here is to begin even before purchasing.
- Consider every new device introduced into the business infrastructure as a potentially insecure IoT device. Even the new fridge for your office kitchen may have IoT capabilities and ultimately become a target for an attack if misconfigured.
- Do not blindly trust the manufacturer, even if it’s a renowned brand. Make security analysis part of every purchasing process.
- Isolate your IoT devices as much as possible. For example, place a specific device behind a firewall that allows access only to the other devices that it must communicate with, or place all IoT devices inside a demilitarized zone (DMZ).
- If possible, have dedicated administrators with dedicated machines. Do not keep the admin web interface open to everyone in the business.
- Thoroughly research the device before purchasing in terms of any previous vulnerabilities. If it happened once, it may happen again.
- Make sure that your device has the latest firmware before it is actually connected to your network. Very often, the new firmware is available already upon purchase.
- Last but not least: take security into your own hands. Before purchasing a fleet of devices, test one of them for web and network security. Use a web vulnerability scanner and a network vulnerability scanner, perform or outsource additional penetration tests, and make scans part of a regular schedule because new vulnerabilities may surface with firmware updates.
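
The isolation and dedicated-administrator recommendations above can be verified against what the network actually carries. The following is an added example, not part of the original article: it audits flow records against an allow-list policy and reports any device traffic or admin-interface access the policy does not permit. Every address, port, device role and the "src dst dport" record format are constructed assumptions; adapt them to whatever your firewall or flow collector exports.

```python
import ipaddress

# Constructed policy: all addresses, ports and device roles are hypothetical.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # isolated IoT VLAN or DMZ
ADMIN_HOSTS = {ipaddress.ip_address("10.10.5.10")}   # dedicated admin machine
ADMIN_PORTS = {80, 443}                              # device web interface / REST API
# Peers each device must talk to: device -> {(peer, port)}
ALLOWED_PEERS = {
    "10.20.0.11": {("10.10.1.25", 8883)},  # asset tracker -> internal broker
    "10.20.0.12": {("10.10.1.30", 631)},   # printer -> print server
}

# Constructed flow records, one per line: "src dst dport"
SAMPLE_FLOWS = """\
10.20.0.11 10.10.1.25 8883
10.10.5.10 10.20.0.12 443
10.10.7.44 10.20.0.12 443
10.20.0.12 203.0.113.9 23
10.20.0.11 10.20.0.12 80
10.10.7.44 10.10.1.30 631
"""

def check_flow(src, dst, dport):
    """Return a finding string, or None if the flow matches the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in IOT_SEGMENT:
        # Traffic sent by a device (including device-to-device): listed peers only.
        if (dst, dport) not in ALLOWED_PEERS.get(src, set()):
            return f"unexpected outbound {src} -> {dst}:{dport}"
    elif d in IOT_SEGMENT:
        # Traffic reaching a device: dedicated admin hosts on admin ports only.
        if s not in ADMIN_HOSTS or dport not in ADMIN_PORTS:
            return f"non-admin access {src} -> {dst}:{dport}"
    return None  # allowed, or the flow does not involve the IoT segment

def audit_flows(text):
    """Check every record; malformed records are reported, not skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            src, dst, dport = line.split()
            finding = check_flow(src, dst, int(dport))
        except ValueError:  # wrong field count, bad port, or bad address
            finding = "unparseable record"
        if finding:
            findings.append(f"line {n}: {finding}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_flows(SAMPLE_FLOWS)))
```

Running the audit on a schedule also surfaces devices whose behaviour changes after a firmware update, since any new destination shows up as an unexpected outbound flow.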