Ask Steve

Mobile Security Index
2020 Report




  • Steve Szabo is Head of Global Products and Solutions for Verizon’s Internet of Things (IoT) business unit. He’s responsible for delivering industry-leading solutions leveraging Verizon’s 4G LTE, NB-IoT and CAT-M1 networks. His current focus is producing next-gen solutions powered by 5G and mobile edge computing. We asked him about the state of IoT security.


    Q: Steve, we’ve heard a lot of talk recently about SIM theft—people literally breaking into smart devices and stealing SIMs. What’s the best way for organizations to defend themselves against this?
     

    A: The level of risk really depends on where your devices are located. But whatever the case, your best defense is binding each SIM card to the device via its IMEI. This means the attacker can’t use the SIM by simply putting it into another device. An IoT platform should enable you to set a data limit per device—so even if a criminal gets their hands on the SIM, their spending, and your losses, will be capped.
     

  • Q: Is it realistic to expect companies to encrypt all of their IoT data? What about really basic sensors that are only transmitting something simple like a temperature reading?

    A: Encryption is a powerful tool, but isn’t used nearly as often as we’d like to see—despite the availability of new chips designed for the size, power and price constraints of IoT devices.

    We recommend encryption for all applications and networks, for data at rest and in transit. Even data as seemingly innocuous as temperature readings might be of value to a hacker—for example, does it include when a building is in use and when it’s not? Also, what if a criminal were to intercept communications and feed incorrect readings into the system? This could increase energy bills or cause harm to temperature-sensitive products like food and medicine.

     

  • Q: Changing default passwords seems like a pretty obvious precaution to take. Why are so many people and companies still failing to do it?

    A: I think there’s still a lot of naivete when it comes to IoT risks. A lot of people think it’s just the data held on their devices that’s at risk. But by hacking that device, an attacker could use it as a foothold to gain access to so much more. Of course, expediency is also likely to be a factor. Having unique passwords for hundreds of devices requires processes, and there’s often pressure to deliver quickly — as our survey shows.
     

  • Q: Of course patching is important. But what if your devices are in remote locations or buried many feet underground?

    A: Lots of organizations have IoT devices in locations really difficult to access. But it’s not just location that makes many IoT devices difficult to update; many IoT devices are built to be as small as possible and as frugal as possible—36% of IoT respondents said that they expected devices to last over five years. That’s a lot if you’re using a battery.

    Despite these constraints, we think that it’s critical to build in the functionality to perform updates securely over the air (OTA). OTA updates enable you to patch any vulnerabilities and take advantage of new security practices as they emerge. It also gives you more opportunities to improve functionality over the device’s lifespan.
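
The SIM-to-IMEI binding and per-device data limit described in the first answer, sketched as an added example that is not part of the interview and not any IoT platform's actual code. The record layout, the `enforce` function, the fail-closed handling of unknown SIMs and all identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SimPolicy:
    bound_imei: str       # IMEI recorded when the SIM was provisioned
    data_cap_bytes: int   # per-device limit for the billing period

def enforce(policies, records):
    """Apply IMEI binding and the data cap to usage records, in order.

    records: iterable of (iccid, imei, bytes_requested).
    Returns a list of (iccid, action, reason).
    """
    used, capped, out = {}, set(), []
    for iccid, imei, nbytes in records:
        policy = policies.get(iccid)
        if policy is None:
            # Fail closed: a SIM missing from the inventory gets no service.
            out.append((iccid, "block", "unknown-sim"))
        elif imei != policy.bound_imei:
            # SIM presented by a device it was not bound to.
            out.append((iccid, "block", "imei-mismatch"))
        elif iccid in capped or used.get(iccid, 0) + nbytes > policy.data_cap_bytes:
            # Backstop: once the cap is hit, spend stays bounded for the period.
            capped.add(iccid)
            out.append((iccid, "block", "cap-exceeded"))
        else:
            used[iccid] = used.get(iccid, 0) + nbytes
            out.append((iccid, "allow", "ok"))
    return out

# Constructed sample data; every identifier below is made up.
POLICIES = {
    "sim-A": SimPolicy(bound_imei="imei-sensor-1", data_cap_bytes=5_000_000),
    "sim-B": SimPolicy(bound_imei="imei-sensor-2", data_cap_bytes=5_000_000),
}
RECORDS = [
    ("sim-A", "imei-sensor-1", 2_000_000),  # bound device, within cap
    ("sim-A", "imei-other-9", 1_000_000),   # SIM moved to another device
    ("sim-A", "imei-sensor-1", 1_000),      # back in the bound device
    ("sim-B", "imei-sensor-2", 4_000_000),  # within cap
    ("sim-B", "imei-sensor-2", 2_000_000),  # would exceed 5 MB
    ("sim-B", "imei-sensor-2", 10),         # still capped for the period
    ("sim-C", "imei-sensor-3", 10),         # SIM not in inventory
]

if __name__ == "__main__":
    for row in enforce(POLICIES, RECORDS):
        print(row)
```

Each `imei-mismatch` or `cap-exceeded` decision is also a useful alert for the operations team, since it marks a SIM that has left its device or is consuming far more data than the sensor should.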
