One doesn’t need to be an expert to recognize the growing demand for the Internet of Things (IoT) in both consumer and enterprise markets. Anyone who has visited CES over the past several years will confirm that the event’s focus has almost completely shifted towards smart and connected devices.
Fueled by the steady adoption of 5G as the primary communications standard for the near future, the market is rife with IoT solutions of all imaginable types. From smart light bulbs, thermostats, and electronic doorbells with built-in cameras to state-of-the-art industrial equipment — everything is now designed to be intelligent, connected, and integrated.
However, the wide adoption of IoT also raises a lot of questions and concerns as to how equipment manufacturers and integrators can guarantee the security of sensitive private and business data.
Any connected device is a potential gateway right into the back end that it’s connected to, or a valuable asset on its own. Imagine a situation with a security camera being controlled remotely without anyone knowing. A smart lock to a restricted production area getting hacked. A smart speaker standing on a company’s VP’s desk sending an audio stream to competitors. A brand-new connected scanner used by a company’s management team to make digital copies of important documents. The list can go on and on.
A leak of such information could jeopardize the very existence of a business, inflict irreparable reputational damage and, in some cases, pose a real threat to people’s health and lives. In this context, IoT security is the number one priority for manufacturers and software vendors developing cloud platforms and mobile applications for IoT. According to expert reports, the number of attacks on IoT devices had tripled within the last six months and nearly hit the 3 billion mark — and that’s a number you can’t ignore.
What you need to know about IoT security attacks
The wide proliferation of IoT technologies has made smart devices a new — and often easy — target for hackers. Not all products are created with the “security by design” concept in mind, and a great many of them come with serious security vulnerabilities. This makes every active connected device a potential entry point to underlying layers of software and data.
Unfortunately, the very speed at which the IoT and IIoT (Industrial IoT) market is growing is detrimental to the security of connected products. Security has always been about standards, guidelines, and protocols tried and tested over years — and equipment manufacturers may occasionally cut corners and ignore certain requirements in order to start shipping the product earlier and get their piece of the pie.
At the same time, security standards may not always be fully aligned with the rapidly evolving IoT market. To top it off, users tend to ignore basic security principles and leave their devices at default settings and exposed to intruders. All of these factors substantially affect the security of IoT devices available on the market today.
There are different levels at which IoT systems can be attacked:
- Hardware. IoT products are typically multi-component devices. Security flaws in any of them (memory, network controllers, physical interfaces, etc.) can be used for rendering a device inoperable or seriously undermining its performance.
- Communication channels. Wireless and wired connections used by IoT devices can be intercepted and hacked. Other typical scenarios involve distributed denial of service (DDoS) attacks and spoofing.
- Software. Arguably the weakest link in any IoT system: back ends, databases, and applications can be hacked using conventional methods and used for data and identity theft, corruption, and remote control over devices.
Surprisingly, even devices like connected coffee makers can be compromised and used for stealing confidential information from users. This is why manufacturers who prioritize security by design and focus on security in general are a lot more likely to succeed by delivering on the promise of a safe and protected IoT system.
Let’s take a look at some of the most typical attacks that IoT systems can fall prey to:
- Distributed denial of service. The most conventional type of attack, when a device gets flooded with requests and eventually becomes unresponsive.
- Remote access and eavesdropping. A connected device with a microphone (such as a smart speaker) can be hacked to become an effective eavesdropping device streaming audio to an outside listener.
- Ransomware infection. Hacking into an isolated network via an IoT device may result in ransomware blocking all other devices and demanding payments from the user.
- Conversion to botnets. Compromised connected devices turn into a botnet attacking other networks and devices.
- Data and identity theft. An insufficiently secure IoT device serves as a loophole that hackers use to find and steal valuable data accessible from the same network.
- Man-in-the-middle attacks. Hackers compromise a channel or multiple channels connecting two or more devices to data sources, thus intercepting data during transmission.
- Advanced persistent threats. Smart malware that is placed into IoT devices to remain undetected for prolonged periods of time and activate occasionally to intercept or corrupt data.
These are just a few examples of the potential threats to IoT networks and IoT devices. As the market diversifies, cybercriminals come up with more and more intricate ways to bypass security and get hold of users’ confidential information.
Why is IoT security so important?
The key difference between IoT and conventional software systems is that IoT belongs to both the physical and the virtual worlds. IoT components read data from a multitude of physical sensors, cameras, and microphones, process large amounts of data on the back end, and often perform actions in the physical world: unlock doors, change temperature settings, switch lights on and off, activate other systems, and so on. Therefore, a compromised IoT system can potentially do a lot more than a hacked program and poses a considerably higher threat to smart home owners and companies.
This physical–virtual duality of IoT solutions becomes even more important in industrial contexts, where a potential loss of control over a single component of a vast IoT network may have devastating effects. IoT systems are still often based on a centralized architecture that opens up access to other subsystems and components from a hacked device. Also, the ability of IoT devices to talk to each other increases the potential “attack surface” — that is, the potential outreach of a malicious program or intruder.
Finally, we shouldn’t forget that the mass adoption of IoT is often associated with the growing availability of commercial 5G networks. 5G makes it possible to use low-power, highly autonomous devices that connect to the network at extremely high speeds, which is obviously a good thing. The flip side is that 5G also makes stealing large volumes of data a breeze.
Notable IoT security trends in 2020
2020 will be a year of steady evolution for IoT security and cybersecurity consulting services. As the market continues to expand, companies will invest more in enforcing the entire paradigm: from making security by design a fundamental engineering practice to implementing security features at all other levels and, most importantly, educating end users about effective methods of protecting their homes and businesses from prying eyes and data leaks.
Secure 5G deployments
We are going to be seeing more and more high-speed 5G networks deployed by leading carriers with a promise to make large-scale IoT projects a reality. There is a lot of excitement in the industry about massive machine-type communications (mMTC) that will eventually enable devices to communicate and exchange data with minimal or zero intervention from humans.
These networks will be inherently secure by design, but the big question is whether devices are ready for this new communication paradigm. Further advancement of IoT security standards in the context of 5G networks is going to be a strong trend in 2020 and beyond.
Implementation of the security-by-design approach
Security by design is by far the most fundamental approach to IoT security, with the potential to become a game-changer if it is universally adopted. If hardware and software engineers working on new products dramatically prioritize security at all levels, from hardware and firmware to communication protocols and applications, it will homogenize the market and result in a sharp decline in the number of successful cyberattacks.
In 2020, manufacturers are expected to give priority to security and release inherently secure devices that will not be as susceptible to IoT attacks as their predecessors.
Raising awareness of security threats
Equipment manufacturers cannot be held solely responsible for the security of end users’ data. It is extremely important that consumers fully understand the vulnerability of their smart home components and start treating proper installation and configuration with due attention.
On the B2B market, companies will be investing more in comprehensive IoT network protection programs and deep security audits of software solutions working with IoT devices. Local governments and communications authorities will become increasingly active in promoting and enforcing more stringent IoT protection policies.
Using AI for more intelligent protection
As IoT devices get more powerful, developers will be able to take code execution closer to users, to the “edge” — hence the term “edge computing”. Running low-level code right on the device enables manufacturers to implement critical features that do not depend on cloud back ends or any outside applications.
Edge computing powered by fast CPUs also makes it possible to harness the power of AI for ultra-fast detection of security threats and cyberattacks. With AI onboard, the device can detect the most minute anomalies in incoming traffic and improve detection accuracy over time.
Biometrics and zero sign-on authentication
Passwords remain the weakest link in IoT security, as very few users really take the trouble of creating strong passwords and changing them on a regular basis. Many users even leave their devices’ passwords at default values, thus making them an easy target for intruders.
2020 promises to become a year in which conventional authentication methods will be gradually replaced with biometric authentication of various types. Another approach that will be getting more and more attention is zero sign-on authentication, which uses mobile devices as a digital key to users’ devices, apps, and services.
Teaming up with experts for maximum security
IoT isn’t all about security, but security is extremely important for building and reliably operating IoT and IIoT networks. Failing to implement even a single essential security component may jeopardize hundreds of connected devices and the reputation of your business as a whole. If you are serious about adding reliable protection to your IoT project, yet lack that expertise in your organization, it definitely makes sense to entrust this task to professionals.
We at Intellias have taken part in numerous IoT projects throughout our history and worked with a variety of platforms, device types, and areas of application. In addition to designing the architecture of IoT implementations and creating custom IoT software (user apps, monitoring portals, dashboards, AI-powered back end, analytical systems), we also leverage our IoT expertise to perform full-scale security audits and testing of existing and future IoT systems.
With a dedicated QA department working with all types of security testing, including penetration, load, and compliance, we can guarantee that we’ll make your system meet the stringent security requirements of today and be ready for the future.
Intellias will be happy to take part in your new IoT project. Contact our experts to learn more about our IoT security audit and enhancement services and we’ll get back to you quickly with more information and a personalized proposal.