It’s an exciting prospect to have your fridge communicate with your grocer and directly order food and drinks when stocks are depleting. Remote diagnoses of patients or companies remotely repairing machinery parts of their clients are other cases in point.
With 50 billion devices expected to be connected with each other by the end of next year, the Internet of Things (IoT) trend will only accelerate. The advent of 5G will only provide another boost to the IoT ecosystem. It’s hardly surprise, then, that the global enterprise IoT market is predicted to touch $58 billion by 2023, growing at 26% compounded annual growth rate between 2017 and 2023, according to a January Market Research Future report.
However, numerous security breaches right from the Stuxnet virus to Mirai and more show that demand for IoT is growing with little regard to security. Most organizations already face information risks from IoT devices and almost 20% of organizations have detected an IoT-based attack in the past three years, according to a Gartner IoT Security Survey Report form 2018.
“IoT-based attacks are already a reality; yet, most Information Security functions are just starting to think about how to manage IoT risk. Leading CISOs (chief information security officers) and their teams must work more broadly in the organization to understand IoT use cases, educate and categorize IoT risks, and adopt emerging IoT security practices,” says Rajpreet Kaur, principal analyst, Gartner.
Reports suggest organizations stand to lose millions of dollars because of the downtime caused by attacks on their IoT devices and networks. An example of it was the series of distributed denial-of-services attack (DDoS) on domain name systems (DNS) service provider DYN in October 2016 in Europe and North America. The hackers breached thousands of IoT devices like IP cameras, baby monitors and network printers using Mirai malware and then took control over them to take down platforms of DYN’s customers like Twitter, Visa, Netflix and Reddit.
Another Malware called BrickerBot broke into thousands of IoT devices in April 2017 and bricked them by overwriting the stock firmware with garbage code. “There is no definitive list of the most vulnerable IoT devices, as overall IoT devices do lack effective security controls. But as per the breach records, industrial control systems (ICS), supervisory control and data acquisition, or SCADA and power grids have been the primary target for major IoT attacks,” cautions Kaur.
Unsecured IoT devices pose the highest risk to the privacy of a consumer. A vulnerable IoT device can give away your location, passwords, and data.
According to a February 2019 Avast report, the biggest IoT threats to businesses are to security systems such as cameras and doorbells which record and have access to sensitive company data. Devices such as network printers are potential access points for hackers and can give them access to any document printed by employees.
A widely used tactic for IoT attacks is botnets. Cybercriminals can take control over thousands of vulnerable IoT devices and turn them into a network of botnets to carry out DDoS attacks by sending out a targeted stream of network requests to server or computer network they intend to bring down.
IoT devices are easy targets for hackers due to lack of standardization and regulatory compliance and poor vendor support and security practices. Implementing security at the endpoint is also not practical due to the high diversity of devices and their low power and performance.
“IoT device resources are limited and these resources are already fine-tuned to perform a specific task. Adding a security solution to smart devices would therefore potentially ruin device performance and negatively impact the customer experience,” cautions Vladislav Iliushin, IoT threat researcher at Avast.
He insists that since most smart device data is streamed over the network, network-level protection is the most sensible solution to protect IoT devices.