Digitally connected devices and applications are encroaching every aspect of our lives, be it our homes, offices, cars or even our bodies. All objects are turning smart to be able to harness the benefits of being connected to the internet. The era of Internet of Things (IoT) is booming at an ever-expanding rate.
According to ABI research, there are over 40 billion devices connected to the wireless networks in 2020. There’s a massive amount of data being transferred over the network to and from these devices. While enterprise IT systems reside in the cloud, much of the IoT infrastructure resides at the Edge. The numbers of devices and workloads at the Edge are orders of magnitude higher than anything we might find in the data centers and they are very distributed in nature.
While in earlier times, the threat surface was limited to only enterprise IT setup, in a modern world, it has become much wider. Before we talk about security measures in IoT, let’s look at few threat vectors that surround it.
Common Threat Vectors for IoT
A threat vector is a path or means by which a cyber criminal can gain access to your core systems running in a network. With so many devices connected in IoT, the most common threat vectors are:
No physical boundaries
IoT devices transcend the traditional network perimeter and exist out there in the open. Traditional security approaches to restrict access to the devices are no more applicable. These devices can be shifted to any new location as and when needed and can be configured to access the network.
Weakly configured Wi-Fi and Bluetooth
Wi-Fi and Bluetooth configurations in IoT pose a major threat for data leakage. Weak encryption methods can allow attackers to steal credentials during the transmission of data in the network. Also, most of the times, the passwords are not uniquely set for each device leaving a gap for unauthorized access to the whole network if just one device is compromised.
Physical possession of the device
This is perhaps the worst of all the threat vectors where attackers gain physical access to devices and workloads. With this kind of access, attackers can easily get to the internals of devices and their content, but with tools like Bus Pirate, Shikra or Logic Analyzers, they can read all communication flowing in the network as well. Through physical possession of an IoT device, an attacker can extract cryptographic secrets, modify its programming or replace with another device under their control.
IoT vs IT
While IoT devices are present on Edge, the IT infrastructure is sitting on the cloud. One compromise on IoT security can lead to attackers gaining access to the core IT network through any of the IoT threat vectors mentioned above. Few real-life incidents are mentioned below.
Target data breach through HVAC
Target, one of the top 10 American retailer corporation, reported that hackers stole 40 million credit card numbers in one of the biggest data breaches in history. The hackers stole the credentials from the third-party HVAC vendor, got into the HVAC system and then gained access to the enterprise network.
Subway PoS Hacking
There have been several reported security breaches related to PoS. One of them is the $10 million Subway PoS breach where at least 150 franchises were targeted. Another similar breach happened at Barnes & Noble where credit card readers in 63 stores were compromised.
Another famous case of system breach was reported through SamSam ransomware that attacked the Colorado Department of Transportation and the Port of San Diego, in the U.S., in 2018 abruptly stopping their services.
Although the IoT regulations are in place in many locations, they are not enough to mitigate the risks involved with attacks. California has a “reasonable security level” of regulations when it comes to curbing attacks. Likewise, the UK has implemented the policies of unique passwords, companies must provide a clear vulnerability disclosure contact and regular security updates to the IoT devices connected to the state IT infrastructure. Although these codes of practice were welcomed by many security commentators, there’s not much clarity on who would enforce these policies. Officials added that they are working towards understanding how these regulations can be enforced through existing UK agencies.
Attackers are evolving at a much faster rate in their strategies while these regulations are implemented yearly or, at max, semi-annually. It is hard to keep up with the security from attackers just by relying on regulatory policies.
What Must Enterprises Do
While the above regulations are being put in place, enterprises have to come up with their own security measures for IoT devices.
To start with, they must have clear identification of IoT devices. Each of these devices must have their unique identities that can be managed well. That is of absolute importance and forms the foundation of much of the security measures that are later built upon.
Then software needs to be secured as well through measures like firmware, signed code, firmware compliance or workload compliance. All these measures need to be built out on top of the identity layer.
And finally, companies must have the top most layer of compliance that decides which versions of software must be running, or the level of firmware that must be running on the devices.
So, to sum up, for complete security solution for IoT devices, identity management should lie at the core of all followed by management of firmware and software and finally any kind of compliance needs to be built on top of it.