IoT is now pervasive and often represents a security weak link in enterprises. It’s far past time for organizations to account for IoT as part of their core endpoint security and edge security strategies.
Read on to learn about the top IoT security vulnerabilities, as well as best practices for hardening your IoT environment and reducing risk.
The Expanding IoT Threat Landscape
The Internet of Things (IoT) refers to the growing network of physical devices, vehicles, and home appliances always connected to the internet. These devices are collecting and sharing data, which is creating new opportunities for businesses and consumers alike. IoT is also powering edge computing networks, allowing delivery of data closer to where it is needed. This has implications for everything from self-driving cars to remote monitoring of operational technology (OT).
However, IoT and IIoT (industrial IoT) continue to pose massive security risks. Over the years, we’ve seen devastating botnets (Mirai, Meris, etc.) composed of inadequately secured IoT endpoints, leveraged by attackers to perpetrate attacks so devastating that the world shuddered. We’ve also seen IoT that is part of sensitive industrial control systems compromised, putting actual lives at risk. Further, we’ve all heard tales of the creepy IoT-embedded dolls and other kids’ toys attackers have exploited to eavesdrop and invade privacy.
An increase in IoT, coupled with adoption of 5G, means IoT risk can be expected to increase in the coming years. 5G offers faster internet speeds and more reliability than ever before. However, 5G also comes with its own set of security risks to consider. One of the benefits of 5G is how it will enable more devices to be connected to the internet. Cyber criminals will have more opportunities to target devices, with the potential to create IoT botnets at far greater scale than ever seen before.
Top IoT Security Risks & Vulnerabilities
Now, let's look at some of the top IoT security vulnerabilities and how to harden your devices to prevent or mitigate them.
1. Unsecure Communications
One of the biggest risks associated with IoT is unsecure communications. Data transmissions between devices are susceptible to interception by third parties. This could allow threat actors to gain access to sensitive information, like user passwords or credit card numbers.
Security Controls: Leverage encryption to protect data in transit, whenever possible. If you are unable to encrypt data in transit, then try to isolate the network in which the device resides. Segmentation will help reduce the attack vectors associated with the device. Organizations can use BeyondTrust’s Privileged Remote Access to consolidate the access to these segmented networks in a secure and encrypted manner.
2. Lack of IoT Security Updates
Once a device is released, it's up to the manufacturer to provide updates to address new security risks. However, many IoT / IIoT manufacturers do not release timely updates. Many manufacturers stop releasing updates altogether after a certain point. This leaves IoT devices vulnerable to attack from known security flaws.
Security Controls: To protect against this, businesses should only use devices from manufacturers who have a good track record of releasing timely updates. To offset this risk, it is important your vulnerability management system is capable of scanning IoT devices, so be sure to add them to your list of devices that are scanned. If you are unable to automate device patching, then attempt to fingerprint the devices as best you can. If there are no facilities enabled for you to install the patch, then at least you will know the potential vulnerabilities associated with the device. Then, you can take other mitigating actions to protect it.
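The triage described above, as an added example that is not part of the original post: fingerprinted devices are compared against the firmware version that fixes known flaws and sorted into patch, mitigate, or fingerprint-further. The vendor names, versions, and the FIXED_IN table are constructed for illustration.

```python
import re

# Constructed advisory data: (vendor, model) -> first fixed firmware, or None
# when the vendor has ended support and no fix will ship.
FIXED_IN = {
    ("ExampleCam", "C200"): "2.4.10",
    ("ExampleHVAC", "T1"): None,
}

# Constructed scan results; "updatable" means you have a way to install firmware.
FINGERPRINTS = [
    {"ip": "10.20.0.11", "vendor": "ExampleCam", "model": "C200", "fw": "2.4.9", "updatable": True},
    {"ip": "10.20.0.12", "vendor": "ExampleCam", "model": "C200", "fw": "2.10.0", "updatable": True},
    {"ip": "10.20.0.13", "vendor": "ExampleCam", "model": "C200", "fw": "2.3.1-b7", "updatable": False},
    {"ip": "10.20.0.14", "vendor": "ExampleHVAC", "model": "T1", "fw": "1.0", "updatable": False},
    {"ip": "10.20.0.15", "vendor": None, "model": None, "fw": None, "updatable": False},
]


def version_key(version):
    """Compare numerically, so 2.10.0 sorts after 2.4.9 (a string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def triage(dev):
    key = (dev["vendor"], dev["model"])
    if None in key or dev["fw"] is None or key not in FIXED_IN:
        return "fingerprint-further"  # exposure cannot be assessed yet
    fixed = FIXED_IN[key]
    if fixed is not None and version_key(dev["fw"]) >= version_key(fixed):
        return "ok"
    if fixed is not None and dev["updatable"]:
        return "patch"
    return "mitigate"  # known exposure with no patch path: segment or restrict it


def plan(devices):
    """Map each device IP to the action the triage assigns."""
    return {d["ip"]: triage(d) for d in devices}


if __name__ == "__main__":
    for ip, action in plan(FINGERPRINTS).items():
        print(ip, action)
```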
3. Insufficient Authentication and Password Hygiene
Insufficient authentication hygiene means the device lacks adequate measures to verify users are who they claim to be. This could allow external attackers, as well as insider threat actors, to access IoT endpoints and systems that should be off-limits.
Security Controls: To protect against this threat, businesses should use strong authentication methods, like two-factor authentication or biometrics. In addition, drive access to IoT devices through a secure centralized infrastructure access solution like Privileged Remote Access. Also implement a method for:
a) discovering new IoT devices as they are added to your network, and
b) rotating the passwords associated with the accounts on the device.
Almost all devices have one or more privileged accounts that are part of the operating system. You can use a solution like BeyondTrust Password Safe to discover, onboard, and systematically manage these passwords. But since IoT devices usually have very lightweight operating systems, it's not possible to install an agent on the device to enforce security policies for accounts. So, you need to take other steps, like network segmentation and good password hygiene, to protect your IoT devices.
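One way to check both points, (a) and (b), without an agent on the device, shown as an added example that is not part of the original post: DHCP leases are compared with an approved inventory to surface new devices, and each inventoried device is checked for an overdue password rotation. The lease lines, inventory records, and the 90-day limit are constructed assumptions.

```python
from datetime import date

# Constructed sample in dnsmasq lease format: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1767225600 00:11:22:aa:bb:01 10.20.0.11 cam-lobby *
1767225600 00:11:22:AA:BB:02 10.20.0.12 hvac-ctrl *
1767225600 00:11:22:aa:bb:99 10.20.0.57 * *
"""

# Constructed inventory keyed by lowercase MAC, with the last credential rotation.
INVENTORY = {
    "00:11:22:aa:bb:01": {"name": "cam-lobby", "rotated": date(2025, 11, 1)},
    "00:11:22:aa:bb:02": {"name": "hvac-ctrl", "rotated": date(2025, 3, 15)},
    "00:11:22:aa:bb:03": {"name": "badge-reader", "rotated": date(2025, 10, 20)},
}

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not taken from the post


def parse_leases(text):
    """Return {mac: (ip, hostname or None)} from dnsmasq-style lease lines."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, host = fields[:4]
        seen[mac.lower()] = (ip, None if host == "*" else host)
    return seen


def audit(lease_text, inventory, today):
    """Report unapproved devices, overdue rotations, and inventoried devices not seen."""
    seen = parse_leases(lease_text)
    unknown = sorted(mac for mac in seen if mac not in inventory)
    stale = sorted(
        mac for mac, rec in inventory.items()
        if (today - rec["rotated"]).days > MAX_PASSWORD_AGE_DAYS
    )
    absent = sorted(mac for mac in inventory if mac not in seen)
    return {"unknown": unknown, "stale_password": stale, "not_seen": absent}


if __name__ == "__main__":
    for finding, macs in audit(LEASES, INVENTORY, date(2025, 12, 1)).items():
        print(finding, macs)
```

A MAC address can be changed by whoever controls the device, so treat this comparison as a first-pass discovery signal alongside the network segmentation discussed above.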
Best Practices for Hardening Your IoT Security
IoT continues to revolutionize how businesses operate and how consumers live their lives. It is a key part of the digital transformation wave on which so many companies are now riding. However, many organizations have still not adequately considered how to protect IoT as part of their overall cybersecurity planning.
This blog has highlighted some of the top IoT vulnerabilities as well as steps you can take to protect against them. By taking these precautions, you can help ensure your business is safe from the primary attack vectors.
If you have any further questions about the IoT security vulnerabilities or OT security, our team of experts at BeyondTrust would be happy to help. Contact us here.
Tal Guest, Senior Director of Product Management
Tal Guest is a Director of Product Management with over 20 years of industry experience. He directs a group of product managers, responsible for expanding privileged access management core capabilities in the areas of remote access and the service desk. Tal also helps establish long-term business strategies based on current/future market conditions and problems faced in the privileged access management area of cybersecurity.