Securing the IoT

Mobile Security Index
2020 Report




  • Back in 2015, some experts predicted that there would be more than 50 billion connected devices by 2020. The forecasts are now more modest—according to Ericsson, there were nearly 11 billion connected devices at the end of 2019, and that will rise to nearly 25 billion by the end of 2025[49]—but the hype has been replaced by results. When asked how critical Internet of Things (IoT) devices are to the smooth running of their organization, 65% of respondents answered eight or more on a 1–10 scale.

    Adopters are using IoT for a wide range of purposes. Most commonly, they are using it to monitor the efficiency of equipment, enhance productivity and monitor the physical security of buildings (all over 60%), and to enhance products and services for customers (48%). Just over a quarter (26%) are using it to measure the wellness of people.

    IoT devices are having a major impact in nearly every sector. The volume and variety of devices using wireless connectivity has grown massively. Two-thirds of respondents are using cellular networks to connect their IoT devices.

    IoT is no longer in its infancy. Almost half (49%) of those that we surveyed that were using IoT had at least one full-scale deployment. And a third (33%) said they have over 1,000 IoT devices in use. That goes up to two-thirds (67%) in retail, where IoT-based technologies are enabling frontline staff to deliver better customer experiences and providing insight that's helping to manage inventory and keep physical stores relevant.
     

    The survey results in this section are based on respondents responsible for buying, managing and securing IoT devices, such as connected wearables, smart building equipment and fleet management systems.

     

  • Figure 25
  • Figure 26
  • Cybercriminals are using IoT proxy servers to provide a layer of anonymity to mask their attacks on other devices. Devices in developed nations are particularly attractive targets as they can facilitate access to systems that block traffic from suspicious or foreign IP addresses.

    — FBI[50]
  • What new risks does IoT introduce?

    The use of IoT brings its own challenges. Since devices are often in remote locations, they can be vulnerable to physical tampering or network attack. Seventy-six percent of IoT respondents said that at least some of their devices are difficult to access, either embedded in a system or in a remote location, making them harder to update or replace.

    It’s important to look ahead when designing devices—over a third (36%) of companies said that the anticipated lifetime of their IoT devices is five years or more—but you can’t plan for everything. Many early devices lack security features that are now critical and lack the ability to update software and firmware remotely.

    It’s not just the actual data being captured by IoT devices that’s at risk. Over a quarter (26%) of IoT respondents think that their devices are of less interest to hackers than other systems—but it’s possible that they’re unaware of how easily IoT can be used as a gateway into their network. A cybercriminal could use IoT devices as a stepping stone to more sensitive data and wider business systems. A well-known example involved a hacker getting into a smart HVAC system maintained by a third party and using this as a lever to steal the details of millions of payment cards from a major retailer.


    New and emerging threats

    The sheer volume of IoT devices, many with weak security protection, presents a huge opportunity for hackers. That connected doorbell might improve your home's or office’s physical security, but it could also be a Trojan horse for your IT security. Many IoT products have been found to have extremely weak cybersecurity—including, worryingly, devices such as smart locks. A single vulnerable IoT device could offer hackers a virtual open door to your network and everything that’s attached to it.

    Many hackers are also looking to exploit the lack of visibility many users have into what their IoT devices are doing. They are planting malware on the device to create a botnet—an army of devices typically used for things like distributed denial-of-service (DDoS) attacks. The device continues to work as normal, so the owner is completely unaware of its side hustle. In 2019, a botnet used more than 400,000 IoT devices to launch an attack, similar to the Mirai botnet that wreaked havoc in 2016.

    Data tampering is another significant threat. This occurs when hackers modify data in transit. This can have serious consequences in industrial or manufacturing environments. For example, inaccurate or falsified data transmitted from heat or temperature sensors could not only ruin batch production, it could destroy equipment or endanger employee safety.

    When deploying IoT devices, you should also be wary of SIM theft. This is attractive to attackers because of the low effort required—often all they need is a screwdriver. The hacker physically breaks open a connected device, such as a smart lamppost, and removes the SIM card. They then put the SIM in their own device, and take advantage of free calls and data at the company’s expense.


    Almost one in three were hit.

    Stories about connected cars being susceptible to hacking might make better news than a HVAC system actually being compromised, but that’s masking the real danger. Nearly a third (31%) of IoT respondents admitted to having suffered a compromise involving an IoT device. That goes up to 52% for information and media companies, and 47% for retail. The public sector was least likely to be hit, but still almost a quarter (23%) were compromised.

    Cutting corners is partially to blame. Two-fifths (41%) admitted to having sacrificed IoT security to “get the job done.” As with mobile device security, this was shown to have consequences. Organizations using IoT that sacrificed security were 1.7 times as likely to have suffered a compromise involving an IoT device.

    Mirai is open source malware code that turns networked devices into bots. It has been behind some of the largest and most disruptive DDoS attacks ever reported—over 1 Tbps. It primarily targets connected consumer devices, such as home routers and surveillance cameras.

     


    Data privacy matters.

    But it is still a work in progress for many of the organizations using IoT.

  • 78%

    Seventy-eight percent of IoT respondents think that data privacy will be a key brand differentiator in the future.

  • 84%

    Eighty-four percent said that they gather personally identifiable information (PII) using their IoT devices, and 25% of those don’t even anonymize it.

  • The use of encryption is growing.

    The vast majority of the companies we interviewed thought that their IoT data was of value to hackers. Despite this, less than half (47%) said that they encrypt all IoT data sent across public networks.

    The major cloud service providers (including Amazon Web Services, Microsoft Azure and Google Cloud Platform) are enforcing best-practice security policies, such as encrypting all message queuing telemetry transport (MQTT) traffic—a lightweight protocol used for IoT data. According to Asavie, the volume of MQTT traffic that is encrypted is up from 55% 12 months ago to 65% in its latest data. Hopefully this indicates that more companies are now aware of the need to apply encryption to their IoT traffic.[51]
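One way to check a device fleet against the point above, that IoT data crossing public networks should be encrypted: the following added example (not from the report or from any vendor) audits a constructed inventory of broker URIs and flags plaintext MQTT endpoints on public hosts. The device names, hosts and URI scheme conventions (`mqtt`/`tcp`/`ws` as plaintext, `mqtts`/`ssl`/`tls`/`wss` as TLS) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed client URI conventions and default ports; not taken from the report.
PLAIN_PORTS = {"mqtt": 1883, "tcp": 1883, "ws": 80}
TLS_PORTS = {"mqtts": 8883, "ssl": 8883, "tls": 8883, "wss": 443}

# Constructed sample inventory: (device id, broker URI).
INVENTORY = [
    ("hvac-01", "mqtts://broker.example.com:8883"),
    ("cam-07", "mqtt://broker.example.com:1883"),
    ("meter-12", "tcp://10.20.0.5"),
    ("kiosk-03", "wss://iot.example.net/mqtt"),
    ("lamp-44", "mqtt://telemetry.example.org"),
]

def is_public_host(host):
    """Literal IPs are public only if globally routable; hostnames are
    treated as public because no DNS lookup is done offline."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True

def audit_endpoint(device, uri):
    """Classify one broker URI by transport encryption and exposure."""
    parts = urlsplit(uri)
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if scheme in TLS_PORTS:
        finding, port = "encrypted", parts.port or TLS_PORTS[scheme]
    elif scheme in PLAIN_PORTS:
        port = parts.port or PLAIN_PORTS[scheme]
        finding = "plaintext-public" if is_public_host(host) else "plaintext-internal"
    else:
        finding, port = "unknown", parts.port
    return {"device": device, "host": host, "port": port, "finding": finding}

def audit(inventory):
    return [audit_endpoint(device, uri) for device, uri in inventory]

def encrypted_share(results):
    """Percentage of endpoints that use a TLS scheme."""
    hits = sum(r["finding"] == "encrypted" for r in results)
    return 100.0 * hits / len(results)

if __name__ == "__main__":
    results = audit(INVENTORY)
    for r in results:
        print(r["device"], f'{r["host"]}:{r["port"]}', r["finding"])
    print(f"encrypted: {encrypted_share(results):.0f}% of endpoints")
```

A TLS scheme shows only that the transport is encrypted; certificate validation and client authentication settings need a separate check.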


    Why are companies cutting corners?

    Seventy-six percent of respondents said their organization is at moderate to significant risk from IoT device threats. So why are they sacrificing security? The top reason given was expediency—60% said that time pressure was behind the decision. In the drive to get to market quickly, security often takes a back seat. Over half (51%) said that security is not a priority for v1.0 (minimum viable product); it’s something they “can worry about later.”

    Another reason behind many security shortcuts is design constraints. IoT devices tend to be small and compact, and not all of them are very “smart.” When designing IoT products, it’s often tempting to bypass the security features that are standard for more sophisticated mobile devices.
     

  • Figure 27

  • Will new regulations drive change?

    New regulations are coming into force to help protect businesses, consumers and citizens from IoT-related attacks. In 2018, California became the first U.S. state to introduce an IoT cybersecurity law. Oregon followed suit in 2019. As of January 2020, these laws require any manufacturer of IoT devices to equip them with “reasonable” security features. They also require each device to come with a unique password or force users to set their own.

    Several bills have also been introduced to the U.S. Congress. The IoT Cybersecurity Improvement Act would establish cybersecurity standards for internet-connected devices purchased by federal agencies. This has been approved by both the House and Senate Homeland Security Committees. The Cyber Shield Act, introduced in 2019, is also being discussed. This bill seeks to establish an advisory committee of cyber experts from government, industry and academia to create cyber benchmarks for IoT devices.

    In the U.K., the government has published the Code of Practice for Consumer IoT Security to set out guidelines for businesses involved in the development, manufacturing and selling of consumer IoT devices. Although the guidelines aren’t mandatory, there have since been discussions about enshrining them in regulation. The European Union has also introduced a cybersecurity standard for consumer IoT devices.

    Even though IoT-specific regulations are yet to come into force in most jurisdictions, we’re already seeing a shift in the mindset of organizations. Seventy-four percent of IoT respondents said they have reassessed the risk associated with IoT devices in light of regulatory changes.

49 IoT connections outlook, Ericsson, 2019, https://www.ericsson.com/en/mobility-report/reports/november-2019/iot-connections-outlook

50 Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities, FBI, August 2018, https://www.ic3.gov/media/2018/180802.aspx

51 Based on anonymized data from base of more than 10,000 enterprise customers, Asavie, January 2019 to September 2019
