The IoT cybersecurity crisis

Zeki Turedi, EMEA CTO, CrowdStrike, emphasises the need for the companies to remain vigilant with their IoT security.

Over the past decade, the Internet of Things (IoT) has become a critical advancement for our ever-integrated and interconnected world. An IoT device is typically a system or systems of connected devices, typically embedded with sensors and software that allows them to transfer data over a network. This can include anything from a pacemaker in a human’s chest or a network-accessible screen, to a car with sensors that gather information on engine temperature or fluid levels.

IoT has provided a vast number of benefits for businesses as it allows companies to actively observe their systems and collect data, insights and performance metrics without the need for human intervention. Think about knowing if a light is on in a huge tower block without needing to even be in the same building.

But there are some issues.

Protecting, monitoring and remediating threats related to this vast network of connected devices and technologies is challenging. Not only are they constantly gathering, storing and sharing data via the internet but how they are built massively varies depending on the device’s functionality, vendor and price. So what’s the solution?

IoT is the future, but is it safe?

It’s safe to say that IoT isn’t slowing down. IoT research shows that IoT connections, such as smart home devices, connected cars and networked industrial equipment, exceeded traditional connected devices, such as computers and laptops, for the first time in 2020, representing 54% of the 21.7 billion active connected devices. It is estimated that by 2025, there will be more than 30 billion IoT connections, which equates to about four IoT devices per human on the planet.

But, as with any emerging technology, there are always problems.

IoT hacks have been growing over time. The most significant attack was the Mirai Botnet hack in 2016, which targeted DNS service provider Dyn using a botnet of IoT devices. The Mirai malware successfully managed to infiltrate networks, where it automatically searched for more vulnerable devices and using stolen credentials, gained access and repeated the process to gain control. This attack dismantled servers and significantly affected major media platforms such as Netflix, Reddit and Twitter.

But IoT hacks don’t only affect tech giants. Cybercriminals are also targeting hospitals’ medical devices and placing many patients at risk. St. Jude Medical, an American global medical device company, in 2017 experienced hackers gaining access to its patients’ pacemakers. This gave the adversaries access to alter the pacemaker’s functions and even adjust settings that could potentially prove fatal to patients.

IoT security has become an even more pressing concern for organizations, given the recent shift to remote work due to COVID-19. With people now relying on both their home network and personal devices to conduct business activities, many digital adversaries are taking advantage of lax security measures to carry out attacks.

IoT devices are not created as equal as each other. Due to the needs of the device, the vendor and also the lack of international regulations surrounding IoT, devices can be developed with little or no security requirements built in. Furthermore, the ability to update IoT devices or patch them against vulnerability is again dependent on the device’s manufacturer and massively varies. This adds complexity to organisations wishing to keep their IoT devices secure and updated.

Understanding what you’re up against

Despite this heightened risk and broader threat surface, IoT cybersecurity is often still overlooked or minimal. Inadequate IoT security policies pose a grave risk for organizations since any device can serve as a gateway to the wider network. Once adversaries gain access through a device, they can move laterally throughout the organization, accessing high-value assets or conducting malicious activity, such as stealing data, IP or sensitive information.

Many companies focus entirely on endpoint cybersecurity. But, the same levels of diligence need to be applied to IoT devices. If IoT devices are not equipped with the same level of protection, the organization as a whole is at risk of a cyberattack.

Research shows that 33% of companies that have adopted IoT consider cybersecurity issues related to the lack of skilled personnel to be the most critical concern for their IoT ecosystem. This lack of skill and knowledge results in multiple common cybersecurity malpractices, such as using default credentials for matters of convenience and not staying up to date with the latest software or firmware updates on their device, which are necessary to prevent software vulnerabilities and manage bugs.

Cybercriminals are always adapting their methods of intrusion.

A common pathway of attack for criminals is known as ‘on-path attacks’. These rely on the nature of IoT devices, which frequently don’t encrypt their data by default. The attacker then has the ability to relocate between two devices that trust each other and exfiltrate any data being passed between them.

Another common vulnerability is stealing or deciphering simple credentials. Cybercriminals are experts at identifying weak or generic passwords and using them to slowly gain access and even admin control.

Denial of Service (DoS) attacks are also a common technique. Here, cybercriminals will gain control of an IoT device and begin flooding the website with fake traffic, which overwhelms servers with web traffic and denies legitimate users from carrying out their everyday activities.

Securing IoT can secure a company’s future

IoT security should be a consideration for any organization’s overall cybersecurity strategy. This includes carrying out IoT security best practices such as updating and patching devices, using strong passwords and multi-factor authentication, taking inventory of all connected devices and ensuring the correct access is enabled for each one. No single security tool can provide uniform and complete protection across all IoT devices. But, the best cyber security partners provide a blend of security measures across all endpoints and the cloud, allowing companies to be as secure as possible.

Organizations need to develop a comprehensive cybersecurity strategy that protects against a wide range of cyberattacks across all devices at both the endpoint and network levels. The IoT security market has already grown significantly from £13.28 billion in 2021 to £15.63 billion in 2022 and this is only going to increase. Companies that stay vigilant with their IoT security are more likely to stay afloat in the upcoming years.