Security risk IoT devices - the underestimated danger
by Tina Siering
What exactly is IoT - and what are its advantages and disadvantages?
In the Internet of Things (IoT), devices with smart functions are wirelessly networked both with the internet and with each other. In addition to household appliances and everyday objects, such as intelligent air-conditioning and lighting systems, warning alarms and printers, there are also machines in the industrial and medical sectors that communicate with each other and are made accessible from the internet, for example to provide status information on a smartphone. The technical basis for communication over the IP network is the processors and sensors built into the devices. By automating processes and proactively interacting with the user, IoT devices and machines can improve workflows, speed up production processes and, last but not least, reduce operating costs. IoT technologies can also be used to transmit consumer and business data in real time, enabling rapid optimisation of the customer experience and operations. Likewise, IoT-based workplace monitoring protects employees from injury and overwork. Unfortunately, smart devices also carry security risks that affect the overall information security of a company or organisation.
In general, a distinction can be made between directly addressable IoT devices and IoT devices that require a central control unit. In most cases, directly addressable devices are connected to the LAN with their own IP address and can act autonomously or be managed centrally by a control unit. In addition, there are IoT devices that communicate exclusively with control units, e.g. via radio networks such as Bluetooth or ZigBee, and are thus not connected directly to existing data networks. Unlike classic IT, however, data traffic in production does not flow only in the north-south direction (from the company's own network to the outside) but also east-west, for example from one machine to another.
To keep east-west traffic from getting out of hand, the network should be segmented. In addition, network traffic should be analyzed so that anomalies can be questioned in good time: why, for example, does a machine's IoT sensor need contact with an external server? Unfortunately, the classic search for malware is often not sufficient in the Internet-of-Things area.
In addition, information security is typically given little or no attention during the development of IoT devices, whether for budgetary reasons, to save computing capacity, or for any number of other reasons. Many users take the hidden risks too lightly, and successful cyber attacks are mounting. Thus, in addition to great practical benefits, IoT also presents great challenges for IT security.
Why IoT devices pose a high security risk
IoT devices are a popular target for cybercriminals primarily because they are largely poorly secured. As Palo Alto Networks' IoT Threat Report 2020 shows, only 2 percent of all IoT device traffic runs encrypted. This makes it easy for hackers to tap exposed data via a command-and-control structure. Fifty-seven percent of all IoT devices are vulnerable to medium- or high-level attacks.
So why is the security of IoT devices so neglected? For starters, buyers don't pay much attention to the security of an IoT device; they are often only interested in the product's innovative features and forward-looking benefits. Like a Trojan horse, companies integrate IoT devices into their network environment without being aware of the hidden security risks. This suits the manufacturers: if they had to equip their products with effective security features, they would also be forced to raise the price, and in view of the strong competition they would then hardly be able to compete.
In the production environment, the situation is aggravated by the fact that the equipment or machines are sometimes used for ten years or more. This long service life also leads to another problem: absolutely outdated operating system versions are frequently encountered. In some cases, the systems are not even designed by the manufacturers for corporate use and no longer receive updates after a short time.
Anyone who buys an IoT device must be aware that many models run on the basis of proprietary operating systems, which often have major security gaps. NAS storage, PCs, smart TVs and media players pose a particularly high risk. Since the software is rarely or never patched, vulnerabilities remain even when they have long been known. Hackers therefore have plenty of time to develop an exploit and launch strategically sophisticated attacks. An additional risk is posed by preset device passwords, which users often do not change.
In healthcare, more than 80 percent of medical IoT devices run on unsupported operating systems, according to the 2020 IoT Threat Report. Among these, the majority of security issues and threats (51 percent) arise in connection with imaging systems that store sensitive patient data. In addition, 72 percent of healthcare VLANs mix IT and IoT resources, allowing malware to spread from computers to unprotected IoT devices and vice versa.
These are the consequences of compromised IoT devices
The impact of cyberattacks on IoT devices can be devastating. It is not uncommon for attackers to aim to integrate IoT devices into a botnet. If they succeed in this endeavor, they can abuse the hijacked devices, for example, to carry out distributed denial of service (DDoS) attacks, resulting in limited or no service availability. In 2016, the so-called Mirai botnet caused a stir when it attacked the DNS provider Dyn.com with an extensive DDoS attack and temporarily paralyzed well-known services such as Reddit and Netflix.
By compromising an IoT device with malware, attackers can also change individual functions or take full control of the device. Furthermore, they gain access to the data on the device and, from there, can gain access to the network. It becomes particularly tricky when hackers target industrial devices: a compromise in an Industry 4.0 environment can paralyze the entire production, manipulate chemical recipes or, in the CRITIS (critical infrastructure) area, trigger nationwide power failures. This would be tantamount to a catastrophe not only for the affected company, but also for the population.
How companies can better protect their IoT devices
Given the numerous threats posed by IoT devices, companies should take appropriate protective measures. Ideally, a device should only be connected to the Internet while it is in use. If it must be continuously accessible via the Internet, follow these tips:
- When buying, look for long-term support from the manufacturer for updates or hardware support.
- Ensure that your IoT devices can only communicate with the Internet in a limited way and not with your internal systems such as ERP, file servers and DCs by setting up a separate network segment.
- Make sure that not everyone can access your IoT devices over the Internet by using IP address filters or geo-IP filters, for example.
- Only use secure protocols such as HTTPS or SSH that establish an encrypted connection. Plain-text protocols such as HTTP or Telnet are taboo.
- Immediately change the default username and password as soon as you start using an IoT device. When doing so, choose a secure password (at least 12 characters, upper and lower case letters, numbers and special characters).
- Use multi-factor authentication to securely prove a user's identity.
- Disable your router's Universal Plug and Play (UPnP) feature after consulting your ISP.
- Optimize your patch management strategy to roll out patches quickly.
In addition, consider a managed detection and response (MDR) solution such as Allgeier secion's Active Cyber Defense (ACD) service. The threat-hunting solution proactively monitors your network and makes attacker activity visible at an early stage. Organizations are immediately notified when suspicious communications occur and can respond immediately. Because the solution includes all systems on your network - including laptops, smartphones, servers, printers and IoT devices - it is ideal for identifying bots and botnets.
There is no need to install agents on clients to use the ACD service. Checking whether systems are communicating with Command & Control servers, and are therefore compromised, is done at the network level (by monitoring beacons and identifying malicious traffic patterns).
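As an added illustration (not code from the article or from the ACD service) of the two network-level checks this article describes, the anomaly question from the segmentation section (why does a machine's sensor contact an external server, and why does it reach internal systems at all) and the beacon monitoring just mentioned: the segment addresses, the one allowed vendor host and the flow records are all constructed for the example and stand in for a real firewall policy and flow log.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed policy (assumed, not from the article): the IoT segment, the internal
# segments it must never reach (ERP, file servers, DCs) and the one external host the
# sensors are expected to contact (a documentation address standing in for a vendor).
IOT_SEGMENT = ipaddress.ip_network("10.40.0.0/24")
INTERNAL_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}

# Constructed flow records: (seconds since capture start, src, dst, dst port).
FLOWS = [
    (0, "10.40.0.21", "203.0.113.10", 443),    # sensor -> approved vendor endpoint
    (15, "10.40.0.21", "10.10.5.20", 445),     # sensor -> file server: east-west
    (0, "10.40.0.33", "198.51.100.7", 8080),   # unexplained external contact ...
    (61, "10.40.0.33", "198.51.100.7", 8080),  # ... repeating about every 60 s
    (120, "10.40.0.33", "198.51.100.7", 8080),
    (179, "10.40.0.33", "198.51.100.7", 8080),
    (240, "10.40.0.33", "198.51.100.7", 8080),
]

def classify_flow(src, dst):
    """Label a flow against the segmentation policy; None if src is not IoT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_SEGMENT:
        return None
    if any(d in net for net in INTERNAL_SEGMENTS):
        return "east-west"             # IoT device reaching internal systems
    if d in IOT_SEGMENT or d in ALLOWED_EXTERNAL:
        return "ok"
    return "unapproved-external"       # why does this sensor need that server?

def find_beacons(flows, min_count=4, max_cv=0.1):
    """(src, dst, mean gap) for IoT pairs reconnecting at near-constant intervals."""
    seen = defaultdict(list)
    for ts, src, dst, _port in flows:
        if ipaddress.ip_address(src) in IOT_SEGMENT:
            seen[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Low coefficient of variation = regular timer, the shape of C2 beaconing
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((src, dst, mean))
    return beacons
```

Running `classify_flow` over every record and `find_beacons` over the whole log flags the file-server contact as an east-west violation, the repeated external contact as unapproved, and the same pair as a beacon candidate worth investigating.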
Conclusion
The Internet of Things offers companies numerous opportunities to improve their operations along the entire value chain. At the same time, however, the security risks arising from the increasing networking of devices and production processes are causing them great concern. Many organizations fear hacker or DDoS attacks, industrial espionage and the integration of IoT devices into botnets. Not without reason: Since devices in the production environment are often in operation for ten years or even longer, they often run on outdated operating system versions for which the manufacturer no longer supplies security updates.
The consequences of a hacker attack, however, can be fatal: if attackers successfully integrate IoT devices into botnets, they can block services and restrict all business processes. Companies are therefore strongly advised to protect their IoT devices against cyber attacks with effective IT security measures. Allgeier secion's Active Cyber Defense (ACD) service is particularly effective: the MDR solution focuses on early attack detection and also monitors IoT devices around the clock within a network. Since the managed detection and response solution reports hacker activities immediately, you can take countermeasures immediately and prevent a compromise.