IoT (Internet of Things) security helps enterprises protect their networks from threats exacerbated by internet-connected devices, which often aren’t designed with advanced security features that prevent network compromise or data breaches. For enterprises using multiple smart devices on their company network, IoT security is critical to protecting sensitive data and important software.
IoT security includes the limitations placed on IoT device access, the proper updating and patching of IoT software, and networks designed to protect systems and applications from unauthorized access.
IoT security is possible, but it’s difficult because the Internet of Things sprang up before enterprises were prepared to implement proper protective measures. For some vendors, IoT security has been reactive; many devices come with hardcoded passwords, which can’t be changed and make breaches much easier for attackers.
Setting access policies for all IoT endpoints is critical for preventing unauthorized access and lateral movement across devices. Access policies specify who can enter a network. Even simple identity and access management (IAM) features like strong passwords are essential for IoT devices.
Internet of Things networks often include devices and network technology from different vendors, which may have either no built-in security features or use a variety of protective programs. It’s very difficult to build a unified approach to security if your enterprise is using multiple software solutions that aren’t designed to integrate. Some IoT devices also have software that isn’t regularly updated or patched.
In enterprise environments, IoT devices often connect to the company network. If the network doesn’t have traffic controls — such as a next-generation firewall — attackers will be able to move between devices and log into any accounts that they have credentials for or that are unsecured.
Threats to IoT security encompass most enterprise IT vulnerabilities because any company with unsecured IoT devices on its network is subject to endpoint and network threats. A few primary examples include:
Backdoors: These types of malware are installed on devices that have known vulnerabilities, allowing attackers to gain unauthorized access to a network by tricking the application into thinking the source of the authentication request is legitimate.
Hard-coded or default passwords: Some IoT devices have passwords that were assigned to them by the manufacturer and can’t be changed, which is an inherent risk that can’t be mitigated. Other devices have default passwords that enterprises can change but do not. These are easy targets for hackers, as gaining network access is simply a matter of knowing the hard-coded password or guessing a popular default one.
Insufficient updates: Not all IoT device manufacturers or users regularly update the firmware or operating system on their devices. If a device isn’t immediately patched when developers learn of a vulnerability, attackers can exploit that vulnerability.
No built-in security: IoT devices don’t always have built-in security measures like password protection or antivirus software. While devices like laptops are designed with basic security features, IoT devices often aren’t. This makes them vulnerable to even the most basic malware.
Full network access: If an unsecured IoT device is connected to a company’s private Wi-Fi network, an attacker can move laterally through the organization by first accessing that device. If the IoT device has a default password or no password at all, an attacker has an easy way to access the company network.
Because IoT devices often access company networks, securing them protects customer information and high-performance business applications. Securing customer data decreases the chance of paying fines due to data protection negligence or the chance of losing company reputation.
Securing smart devices isn’t just about maintaining finances and reputation, though. In some cases, it can mean life or death. In hospitals and other medical organizations, IoT devices are used to monitor patients, supply medication, and manage heart behavior. Even devices like pacemakers and defibrillators can be attacked and controlled by external individuals.
It’s not likely that an attacker would hack a device like a pacemaker — they won’t receive a ransom payment from a breach like that, and often access to these devices requires a person to be physically close to the device. But if an attacker gained physical proximity to a target wearing a pacemaker and accessed the device via the same wireless network, they could edit the data on the device. With sufficient technological skills, a threat actor could change how a pacemaker controls a victim’s heart.
In some cases, IoT vulnerabilities aren’t just a possibility but a reality. One of the best known examples in the past 10 years is the Mirai botnet attack, which affected multiple major web applications, like Amazon, The Guardian, The New York Times, and Netflix. In 2016, a group of IoT devices — such as security cameras and baby monitors — that had been infected with malware targeted Dyn in a DDoS attack, flooding the provider with requests. Dyn was a domain name system (DNS) provider, so the attack resulted in portions of the internet being out of service.
More recently, camera equipment vendor Verkada was breached in 2021, and the attack exposed footage from 150,000 surveillance cameras to the hackers, including cameras at security company Cloudflare. Verkada reported that a total of 97 customers had their camera feeds exposed or viewed.
To lessen the dangers of IoT vulnerabilities, enterprises should:
Looking to explore IoT security solutions? Read Top IoT Security Solutions.