Use of the Internet of Things (IoT) has exploded both at home and in the workplace, as IoT becomes increasingly convenient for consumers and critical for businesses to stay competitive. But along with ease and competitive edge, increased use of IoT also exposes consumers and businesses alike to greater security risks. In research conducted by IT security firm Gemalto, only one-third of businesses said they had “complete control” over the data their IoT products or services collect as it moves across partners, and just 57% of businesses said they encrypt all data captured by IoT devices. Clearly, the skyrocketing adoption of IoT has not been matched equally by security protocols.
Some of the biggest security challenges facing IoT include the following.
Security is often not embedded in the design, making the devices themselves physically insecure. As with any sector experiencing rapid growth, in producing IoT devices, manufacturers are facing tremendous pressure to push products to market quickly. And sometimes, that speed can cause designers and manufacturers to skip important security features in the design phase.
In some cases, the devices themselves are not designed to accommodate advanced features. For example, a thermostat designed only to monitor climate may not have been designed to encrypt data, but if other devices in the network are capturing more personal or critical data, it should be.
Then, of course, there is the physical aspect to many connected devices: they can be lost, leaving a piece of the network exposed to whoever finds it.
Weak Password and Authentication
Many IoT-connected devices, some with hardcoded or default passwords, put the onus on the consumer to update the password. And, even if the user does update the password, the password requirements themselves often do not force strong enough passwords, leaving these connected devices protected by very simple passwords, which can often be guessed with just a few attempts. Discover tips on creating strong passwords here.
The network itself can be insecure if multiple unnecessary ports are available, or buffer overflow impacts the device users themselves. And, in many cases, the data itself originates outside the original network. For example, a user with a wearable device may generate data on a home WiFi, office network, and café WiFi in a single day. This places some of the responsibility on network administrators to police where traffics comes from on the network – and check whether the location of requests for data make sense.
An increased number of devices means an increased number of entry points for hackers, and an increased number of items that need to be behind a secure firewall. For example, a decade ago, securing your laptop or desktop would have been the only necessary security step for a consumer. Today, consumers need to consider everything from watches to baby monitors when they think about security. Often, it can be these seemingly insignificant items that offer hackers the gateway they need into the full network.
Insecure Web Interfaces
IoT-enabled devices are built with an interface that enables users to interact with the device, which includes the account number, default credentials, details exposed during network traffic, scripting as users move across sites and account lockouts. If devices are not designed carefully to ensure credentials are not exposed in network traffic, weak passwords are prohibited, and accounts are locked out after repeated failed attempts, hackers can more easily breach the web interface.
IT security requires regularly updating, as hackers are consistently finding new gaps to breach. This means companies producing IoT devices should also be responsible for updating all devices to combat new vulnerabilities. Sometimes, this comes with very practical challenges. For example, a connected air conditioning system may have to be removed entirely to receive a new OS, an expensive task that likely requires an expert.
Connecting Legacy Assets
Sometimes, organizations retrofit legacy assets that were not originally designed to connect with the IoT, often to cut costs. This approach not only expands the surface a hacker can attack, but also often connects devices that were never designed to protect against IT threats in the first place.
Lack of Industry and Government Standards
Currently, there is not a government policy – nor an industry standard – to dictate how businesses should approach IoT. A lack of industry standards can also pose issues for connecting devices from different systems, as currently there is no single framework IoT devices are directed to be built on. While there is clearly a gap between adoption and security, both business professionals and consumers nearly unanimously agreed in Gemalto’s research: there should be some IoT security regulation (96% of business professionals and 90% of consumers). Data privacy laws, however, can impose strict fines for organizations that don’t comply, and organizations need to maintain an updated knowledge of how that impacts the design and use of connected devices.
Data Privacy Challenges
Even if data isn’t hacked, data privacy is a question for the company collecting the data. For example, is a policy in place to guarantee the personal data collected from a Fitbit isn’t sold to another company or used to inform a healthcare policy? To support data privacy, only critical information should be collected, data should be anonymized, and sensitive data should be avoided altogether. This data should then be encrypted, with restrictions established for who can access the data and how long the data will be stored. Organizations should also have a team ready for immediate response if a breach occurs.
Convergence of IT and OT
Historically, IT and Operational Technology (OT) have operated in two different spheres, but as organizations connect operation devices to the IoT, IT experts are now responsible for protecting systems and providing security in areas that may be outside of their expertise. Whereas an IT focus is often centered around data security, OT teams typically focus on system availability and physical access. As a result, organizations need to ensure the professionals they appoint for IoT security have the skillset required to meet these demands.
Awareness and Training
One of the largest security threats has nothing to do with the technology at all: it’s the people who operate them. Manufacturers, organizations and users alike should maintain awareness and training to avoid breaches caused by human error.