Digitally connected devices and applications are affecting every aspect of our lives, be it our homes, offices, our cars or even our bodies. All facilities are becoming smarter to be able to reap the benefits of internet connection. The Internet of Things (IoT) era is booming at an ever-increasing pace.
According to ABI Research, there will be over 40 billion devices connected to wireless networks by 2020. A massive amount of data is transferred over the network to and from these devices. While enterprise IT systems reside in the cloud, most IoT infrastructure resides on the Edge. The number of devices and workloads on the Edge is orders of magnitude higher than anything we can find in data centers, and they are highly distributed in nature.
Whereas in earlier times the threat area was limited to the enterprise IT setup, in the modern world it has become much wider. Before we talk about security measures in the IoT, let's look at some threat vectors that surround it.
Common IoT threat vectors
A threat vector is a path or means by which a cybercriminal can access your key systems operating on a network. With so many devices connected to the IoT, the most common threat vectors are:
No physical boundaries
IoT devices sit beyond the traditional network perimeter and exist out in the field. Traditional security approaches that restrict access to devices are no longer applicable. These devices can be moved to any new location as needed and can be configured to access the network.
Poorly configured Wi-Fi and Bluetooth
Wi-Fi and Bluetooth configurations in the IoT pose a major data-leakage risk. Poor encryption methods can allow attackers to steal credentials while data is transmitted over the network. Also, in most cases, passwords are not set uniquely for each device, leaving a gap for unauthorized access to the entire network if only one device is compromised.
Physical possession of the device
This is probably the worst of all threat vectors: attackers gain physical access to equipment and workloads. With this type of access, attackers can not only easily reach the inside of devices and their content; with tools like Bus Pirate, Shikra or logic analyzers, they can also read all the communication that flows on the network. Through the physical possession of an IoT device, an attacker can extract cryptographic secrets, modify its programming, or replace it with another device under their control.
IoT vs IT
While IoT devices are present on the Edge, the IT infrastructure sits in the cloud. A compromise of IoT security could let attackers reach the main IT network through any of the IoT threat vectors mentioned above. Some real-life incidents are described below.
Target data breach through HVAC
Target, one of the top 10 U.S. retail corporations, reported that hackers stole 40 million credit card numbers in one of the biggest data breaches in history. The hackers stole the credentials from the HVAC third-party vendor, entered the HVAC system, and then gained access to the enterprise network.
Subway PoS Hacking
Several security breaches have been reported in relation to PoS. One of them is the $10 million Subway PoS breach, where at least 150 franchises were targeted. Another similar breach occurred at Barnes & Noble, where credit card readers in 63 stores were compromised.
Another famous breach involved the SamSam ransomware, which attacked the Colorado Department of Transportation and the Port of San Diego, USA, in 2018, abruptly halting their services.
Although IoT regulations are in place in many countries, they are not sufficient to mitigate the risks involved with attacks. California has a “reasonable level of security” regulation when it comes to deterring attacks. Likewise, the UK has implemented unique password policies; companies need to ensure a clear vulnerability detection contact and regular security updates for IoT devices connected to the state IT infrastructure. Although these codes of practice were welcomed by many security commentators, it is not clear who will implement these policies. Officials added that they are working towards understanding how these regulations can be implemented through existing agencies in the UK.
Attackers are evolving their strategies at a much faster pace, while these regulations are enforced annually or, at most, semi-annually. It is difficult to keep up with attackers just by relying on regulatory policies.
What companies should do
While the above rules are being established, companies need to come up with their own security measures for IoT devices.
To get started, they need clear identification of IoT devices. Each of these devices must have its own unique identity that can be well managed. This is of absolute importance and forms the basis of most of the security measures that are built later.
Then the software must also be secured through measures like firmware, signed code, firmware compliance or workload compliance. All of these measures need to be built on the identity layer.
And finally, companies must have the highest level of compatibility that decides which versions of software should work, or the level of firmware that should work on devices.
To sum up, for a complete security solution for IoT devices, identity management has to be at the core of everything, followed by firmware and software management, and finally any kind of compatibility has to be built on top of it.
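The layering described above (identity first, then firmware integrity, then a policy on which versions may run) can be expressed as a fleet audit. This is an added example, not code from the original post or from AppViewX: the inventory, field names, finding labels and the `audit_fleet` and `dev` helpers are hypothetical, and a digest allow-list stands in for signature verification to keep the example self-contained.

```python
import hashlib
from collections import Counter

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed policy: versions allowed to run -> digest of the approved image.
APPROVED = {v: digest(f"constructed image {v}".encode()) for v in ("2.4.1", "2.5.0")}

def dev(dev_id, cred_fp, version, image=None):
    """Build one constructed inventory record (cred_fp is a fingerprint, not a secret)."""
    image = image if image is not None else f"constructed image {version}".encode()
    return {"id": dev_id, "cred_fp": cred_fp, "fw_version": version, "fw_image": image}

# Constructed inventory for illustration; no real devices.
INVENTORY = [
    dev("cam-001", "fp-a1", "2.5.0"),
    dev("cam-002", "fp-b2", "2.5.0", b"constructed image 2.5.0 (modified)"),
    dev("hvac-01", "fp-c3", "1.9.0"),
    dev("pos-007", "fp-d4", "2.4.1"),
    dev("pos-007", "fp-e5", "2.4.1"),
    dev("lock-03", "fp-f6", "2.4.1"),
    dev("lock-04", "fp-f6", "2.4.1"),
    dev("", "fp-g7", "2.5.0"),
]

def audit_fleet(inventory, approved):
    """Return (record index, device id, finding) tuples, identity checks first."""
    id_count = Counter(d["id"] for d in inventory)
    cred_count = Counter(d["cred_fp"] for d in inventory)
    findings = []
    for i, d in enumerate(inventory):
        # Layer 1: identity. Without a unique identity nothing else can be trusted.
        if not d["id"]:
            findings.append((i, "<none>", "missing-identity"))
            continue
        if id_count[d["id"]] > 1:
            findings.append((i, d["id"], "duplicate-identity"))
            continue
        if cred_count[d["cred_fp"]] > 1:
            findings.append((i, d["id"], "shared-credential"))
        # Layers 2 and 3: firmware must be an approved version and match its digest.
        expected = approved.get(d["fw_version"])
        if expected is None:
            findings.append((i, d["id"], "unapproved-version"))
        elif digest(d["fw_image"]) != expected:
            findings.append((i, d["id"], "firmware-digest-mismatch"))
    return findings
```

Records that fail the identity check are reported and skipped, since a firmware or version verdict for a device that cannot be uniquely identified cannot be attributed to anything.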
The post "Why is IoT Security so important today?" first appeared on AppViewX.
*** This is a syndicated blog of the Blogger Network of Security Bloggers – AppViewX commissioned by AppViewX. Read the original post at: https://www.appviewx.com/blogs/why-is-iot-security-so-important-today/