The internet of things (IoT) is a network of devices, vehicles, buildings, and other internet-enabled objects that are embedded with electronics, hardware, and sensors.
Their connectivity is what enables these “things” to collect and exchange data. This interconnected mesh of devices makes up the base ‘layer’ for a smart web that will soon enable trillions of daily “if this then that” automated actions that occur without human oversight.
The number of active IoT units worldwide had already surpassed 12 billion by mid-2021. Given the unmonitored nature of IoT devices and the complexity of their networks, they pose a perfect storm of abundant, highly complex, and completely novel security risks. With such rapid adoption of the technology, and its increasing ubiquity at home and work, it’s becoming a critical task for companies and individuals to ensure IoT security.
The threats across all classes of IoT are broad and ever-changing, but for simplicity, there are two main categories we can segment IoT security into: Device and Network.
The trouble with IoT security
IoT devices are in our homes, cars and offices—defined loosely, IoT includes any device that can connect to the internet. This encompasses a lot more devices than you may think. At home, this could be a smartwatch, smart lights, baby monitors, TVs, or video game consoles. At work, the devices are more likely to be cameras, routers, smart locks, temperature and climate control, or supply chain monitors. These devices have access to our schedules, communications, and business logistics. They track our health and wellbeing, and are always listening to our conversations—sometimes even recording them without our knowledge.
You don’t need to work in cybersecurity to see where this could all go wrong. With such a rapidly shifting landscape, as threat vectors and attack surfaces evolve into something less recognisable, even the most astute security professionals can struggle to get their heads around where the next major IoT threat might emerge. Because IoT devices are meant to perform so many functions without constant human input, they’re already less secure by design. Unlike with Windows and macOS machines, users are less likely to patch an IoT device, simply because they don’t have to directly interact with it that often. Since IoT devices are typically much simpler than laptops or smartphones, the operating system is often hard-coded and won’t auto-update either. Users log on once to set a device up and then never interact with the configuration again, except to troubleshoot issues.
While Android, Apple or Amazon media players might be tied to a user account, and have the smarts to only accept commands from an authorised voice, that level of security is not as common in a crowded marketplace where the need to be affordable often outweighs the need for security. Consider the example of a no-name brand IoT speaker that connects to your Wi-Fi network to play songs from your laptop. A speaker like this might also accept Bluetooth connections for compatibility with remote controls and multi-speaker setups. You may connect to the speaker via an internal web server and browser interface, or perhaps it accepts commands through a built-in screen and buttons. In either case, the device is a black box—we generally won’t get a look under the hood at its firmware, OS or network activity.
The dangers of IoT hacking
But this mystery box has the potential to act as an ad hoc Wi-Fi or Bluetooth access point, letting passersby connect to your local network to browse your devices and files, or use your internet connection to launch attacks. It has the potential to send data back to the manufacturer about your network details and activity, while allowing backdoor access to your systems. It can also monitor what’s happening in the room via any built-in communications device. Your robot vacuum may even be mapping your home’s floor plan and sending it back to the manufacturer without your knowledge. At home, the privacy and security concerns are unnerving. Within a business, they represent incalculable risk.
IoT cybersecurity risks aren’t limited to cheap media players or home appliances. The diaspora of white label manufacturing outsourced across the world, along with relaxed security protocols during the pandemic, has provided more opportunity for man-in-the-middle firmware attacks that can see trusted brands of high-end IoT devices like IP cameras and routers compromised out of the box. Through malice or negligence, insecure firmware in brand new products has been found to provide backdoor access to compromised devices. The risk is compounded by a lack of visibility of network traffic through the very devices designed to detect intrusion. And if those devices are part of sensitive industrial processes, the results of a hack can be potentially catastrophic.
Clearly, securing every single device is simply not realistic. Modern industrial and commercial IoT networks can host thousands of interconnected devices, all with varying degrees of complexity, security and age. So what’s the solution?
You can’t secure every IoT device, but you can secure the network
Traditional networks with conventional firewall configurations are designed to protect your business from external threats. Once inside your network, however, an attacker with access to even one device could infect others by leveraging internal trusted subnets. The best solution proposed for IoT devices is Network Segmentation built on Zero Trust principles.
This strategy involves using IoT firewalls to divide networks into smaller segments, with no trust assumed between segments. The approach offers greater control over who has access to privileged information and data, enforced with additional internal checkpoints. In effect, it treats all IoT devices on the network as potentially malicious, reducing the risk of a single compromised device opening ports and spreading malicious code onwards.
Network segmentation and trust is a bespoke solution that has emerged through trial and error as the IoT industry matures. What IoT devices can see and access online should be set up along the same lines as a guest Wi-Fi network. Assume that any external party can connect to any device, and restrict all incoming and outgoing traffic to a single channel which doesn’t interact with any business-critical sub-network, or subnet. Creating separate untrusted subnets is the most effective way to prevent threat actors moving between systems once they’re inside the perimeter. They may be able to compromise a device or two, but they’ll be asked to prove their credentials every time they try to access another network segment, effectively containing the harm they can do.
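The segmentation model described above, as an added example that is not part of the original article: a default-deny allow list between an IoT segment, a business segment and a management segment, where the IoT segment's only permitted outbound path is one vendor endpoint (the "single channel"), plus a renderer that turns the same policy into an nftables forward chain. All addresses, segment names and ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example segments (addresses are assumptions, not from the article).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "mgmt": ipaddress.ip_network("10.0.0.0/24"),
}
# The one outbound "channel" the IoT segment may use (assumed vendor cloud endpoint).
IOT_EGRESS = ipaddress.ip_network("203.0.113.10/32")

@dataclass(frozen=True)
class Rule:
    src: str    # segment name
    dst: str    # segment name or "iot_egress"
    proto: str  # "tcp" or "udp"
    port: int

# Zero-trust allow list: any flow not listed here is dropped.
ALLOW = [
    Rule("iot", "iot_egress", "tcp", 443),  # IoT may reach its single cloud endpoint only
    Rule("mgmt", "iot", "tcp", 443),        # admins reach device web UIs from mgmt
    Rule("mgmt", "business", "tcp", 22),    # admins reach business hosts over SSH
]

def segment_of(ip):
    """Map an address to its segment; anything unknown is treated as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "iot_egress" if addr in IOT_EGRESS else "internet"

def is_allowed(src_ip, dst_ip, proto, port):
    """Default deny: a flow is permitted only if an explicit allow rule matches it."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    return any(r.src == s and r.dst == d and r.proto == proto and r.port == port
               for r in ALLOW)

def render_nft():
    """Render the allow list as an nftables forward chain with a drop policy."""
    nets = dict(SEGMENTS, iot_egress=IOT_EGRESS)
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]  # let replies to allowed flows return
    for r in ALLOW:
        lines.append(f"    ip saddr {nets[r.src]} ip daddr {nets[r.dst]} "
                     f"{r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The rendered chain only governs routed traffic between segments; isolating IoT devices from each other inside one subnet still needs client isolation on the switch or access point.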
Compartmentalisation: The future of IoT security
The risk posed by IoT devices is significant because so much goes on behind the scenes. In modern environments it’s already impossible to maintain visibility of everything happening with each device. If the security of your network isn’t up to a baseline standard, with processes aligned to industry best practice, hackers can and will find ways to access the IoT devices on it—and through them, the rest of your business.
IDC projects IoT spending to hit the trillion-dollar milestone in 2022, with uptake increasing year on year. Securing networks that host potentially billions of devices will require stepping away from conventional security practices.
Securing devices will mean securing network segments and nodes, while finding new ways to cast a wider net around unfamiliar, highly complex risk matrices. A more comprehensive approach to segmentation, trust, identity, access control, and broader real-time monitoring of network patterns will be key to securing IoT networks of the future.