
“I’ve got gadgets and gizmos aplenty,” sang the delighted Ariel in The Little Mermaid. The real world is no different, except that our beloved ‘thingamabobs’ are often more sinister than their Disney counterparts.
From fridges ordering groceries to thermostats learning our heating preferences, Internet of Things (IoT) devices are an increasingly trusted part of everyday life. The problem is, what else are they introducing into our systems, and who are they sharing our information with?
IoT security issues are a growing problem that should be on everyone’s radar. After explaining what exactly IoT means, this article will delve into the IoT security challenges you will face as a cyber security defender. We’ll look at common IoT security weaknesses, review hacking risks, and explore how you can defend yourself.
Let’s dive in.
What Is IoT (Internet of Things)?
The IoT is a common shorthand for the ever-increasing collection of physical objects that can connect and exchange data with each other or other systems over the Internet. Each ‘thing’ can communicate in this way because it is equipped with technology that allows it to collect and share information, such as sensors, microphones, or other software.
You may already be picturing some examples of IoT devices – an Apple watch, perhaps, or a trusty Amazon Echo. But did you remember to think about insulin pumps that automatically adjust dosages for people living with diabetes, toothbrushes that monitor brushing proficiency, or pet feeders that remind owners when it’s time to refill the kibble?
Internet of Things Security
IoT security might not be something you’ve previously considered in its own right, but it’s increasingly important to think about it as a distinct category of your defenses. Here’s what you need to know.
IoT Security Overview
As IoT use cases become increasingly diverse, they also gain in popularity. The number of IoT devices is expected to grow from the current status quo of 18 billion items to 32 billion by 2030. This is notable as it represents a significant increase in ground for defenders to cover.
You’ll often hear cyber security professionals talk about securing their organization’s attack surface—the collection of potential points of entry for an attacker. With an influx of formerly safe items morphing into IoT system variations, the very features that make them so useful (e.g., connectivity, automated controls) create new risks that must be considered and addressed.
IoT security, then, is the act of protecting IoT devices and their connected networks from cyber attacks. It’s very important not only because of the increasing scale of IoT items but also due to their general, inherent level of vulnerability. Breaches can be devastating, with consequences including leaks of sensitive information, physical damage, and huge costs.
IoT Security Issues
IoT devices pose a specific security challenge due to their general lack of native defenses, with most items having no, or minimal, protective software built in. Additionally, further risks can stem from how these items are set up or maintained. Causes can range from poor password hygiene to outdated software, but all heighten the level of related cyber threat.
Here are a few of the common security issues found in IoT devices:
- Weak passwords: Many IoT devices use default passwords, which make them easy for attackers to crack—particularly where all units of a given model use the same one.
- Embedded credentials: IoT devices can be prone to building non-encrypted passwords into their source code to help make things easier for their users. Unfortunately, this makes them difficult to change, leaving them vulnerable to exploitation.
- Infrequent or unsafe updates: Many, especially cheaper, IoT devices do not regularly receive robust security updates, meaning vulnerabilities remain unpatched and open to abuse.
- Insecure communication channels: Data is often transmitted without proper encryption (SSL/TLS), which is particularly problematic given that the information collected by an IoT device is often sensitive in nature.
IoT Security Challenges
For many cyber security issues, much of the risk stems from human errors—either in how we set something up or how we use it. In the case of IoT security, however, several aggravating factors exist. Let’s look at three examples.
- Resource constraints: Many IoT devices have limited storage and processing power, often driven by the desire to appeal to consumers through energy efficiency. Unfortunately, this can also leave the items vulnerable to cyber attacks such as denial-of-service (DoS), where devices are targeted with an overwhelming amount of network traffic. If successful, this can often cause the victim object to crash.
Interestingly, breached IoT devices themselves are often subsumed into attacker botnets and subsequently used in distributed denial-of-service (DDoS) attacks.

- Large-scale deployments: We’ve already discussed the concept of the attack surface and described how the wide-scale adoption of IoT devices opens up new areas that need to be defended. An IoT-specific challenge is that not only are lots of new types of items being introduced into existing organizational networks, but many companies are adopting the same type of item en masse.
Suppose a large company decides to switch its printers to smart printers. That doesn’t mean replacing just one; it likely means 100s or even 1,000s are now in use, and if a vulnerability is later discovered, it could pose a significant attack vector.
- Legacy systems: Integrating older or existing systems with new technology is always challenging, and the IoT has proven to be no exception. Historic systems were often not anticipated to need the same level of connectivity as IoT, which can lead to vulnerabilities when the two are coupled together—particularly where additional components need to be introduced to bridge the gap.
Differences in approaches to data storage (e.g., structured/unstructured) can also be challenging, as a lack of standardization may lead to misunderstandings and missed alerts.
The above can play out in different ways depending on the context. For example, the level of impact will generally differ depending on whether an individual or an organization is breached and, if the latter, which industry is implicated. Let’s consider a few scenarios.
- Smart home: Many popular IoT devices used in our homes relate to our physical security, such as smart locks. A breach here could, therefore, result in criminals gaining access, enabling them to commit a burglary. Perhaps a less obvious risk is devices that, if hacked, could provide information on whether you’re home or how your house is laid out—such as smart robot hoovers.
- Healthcare: Representing one of the most prolific industry users of IoT, security breaches in the medical industry can feel particularly scary given the potential repercussions for patient safety. Breach implications range from the harvesting of sensitive patient medical data to physical consequences should hackers take control of, or disable, personal medical devices.
- Automobiles: When malicious actors successfully gain access to an internet-connected car, it can open up multiple cans of worms. Physical risks include having them take control of critical elements such as steering or brakes. However, there is also a privacy element—a breach in this scenario could allow GPS data to be collected, enabling real-time tracking.
IoT Hacking
In 2023, CheckPoint researchers called out a sharp increase in global cyber attacks targeting IoT devices. The chart below depicts the average number of weekly attacks observed per organization.

Given this, it’s increasingly important to understand how hacks can occur. Let’s examine three of the most common methods.
Man-in-the-Middle (MitM) Attacks
MitM involves malicious actors secretly intercepting and sometimes altering communications between two other parties. IoT devices are often highly susceptible to this behavior due to their poor encryption protections.
Where successful, attackers can change the data being sent, meaning a recipient might receive incorrect information or dangerous commands.
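To show how a device can refuse a command that was changed or replayed in transit, here is an added example (not part of the original article) using an HMAC tag and a message counter, the same kind of integrity check an authenticated channel such as TLS performs on the wire. The key, the command format and the `Device` class are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold a per-device secret
# provisioned at manufacture or enrollment (assumption).
DEVICE_KEY = b"constructed-demo-key-not-for-production"

def sign_command(key, counter, command):
    """Controller side: serialize the command and attach an HMAC-SHA256 tag."""
    body = json.dumps({"ctr": counter, "cmd": command}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Device:
    """Device side: accept a command only if it is authentic and fresh."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, message):
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: altered in transit"
        parsed = json.loads(body)
        # A strictly increasing counter stops replay of a captured message.
        if parsed["ctr"] <= self.last_counter:
            return "rejected: replayed"
        self.last_counter = parsed["ctr"]
        return "accepted: " + parsed["cmd"]

def demo():
    device = Device(DEVICE_KEY)
    genuine = sign_command(DEVICE_KEY, 1, "set_temp=21")
    # Simulated in-path modification: body changed, tag left as captured.
    tampered = dict(genuine, body=genuine["body"].replace("21", "35"))
    return [device.receive(tampered), device.receive(genuine),
            device.receive(genuine)]
```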
Brute Force Attacks
Brute force attacks are where different password combinations are repeatedly tried until the right one is identified. There are many different variations, such as dictionary attacks or credential stuffing.
Although the simpler forms are not particularly sophisticated, they are often highly effective against IoT devices due to their high usage of weak, generic, or repeated passwords.
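From the defender's side, these attacks leave a recognizable trail of failed logins. The following added example (not from the original article) runs a sliding-window detector over a constructed device login log and separates the two variations named above with a simple heuristic. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption for this example,
# not the output of any particular device.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z cam-07 login FAIL user=admin src=203.0.113.9
2024-05-01T10:00:03Z cam-07 login FAIL user=admin src=203.0.113.9
2024-05-01T10:00:05Z cam-07 login FAIL user=admin src=203.0.113.9
2024-05-01T10:00:07Z cam-07 login FAIL user=admin src=203.0.113.9
2024-05-01T10:00:09Z cam-07 login FAIL user=admin src=203.0.113.9
2024-05-01T10:02:00Z cam-07 login FAIL user=root src=198.51.100.4
2024-05-01T10:02:02Z cam-07 login FAIL user=guest src=198.51.100.4
2024-05-01T10:02:04Z cam-07 login FAIL user=support src=198.51.100.4
2024-05-01T10:02:06Z cam-07 login FAIL user=alice src=198.51.100.4
2024-05-01T10:02:08Z cam-07 login FAIL user=bob src=198.51.100.4
2024-05-01T10:05:00Z cam-07 login FAIL user=carol src=192.0.2.10
2024-05-01T10:20:00Z cam-07 login FAIL user=carol src=192.0.2.10
2024-05-01T10:20:30Z cam-07 login OK user=carol src=192.0.2.10
"""
LINE = re.compile(r"(\S+)Z \S+ login (OK|FAIL) user=(\S+) src=(\S+)")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: label} for sources with >= threshold failures in window."""
    failures = defaultdict(list)  # source address -> [(timestamp, username)]
    for ts, result, user, src in LINE.findall(log_text):
        if result == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {user for _, user in events[start:end + 1]}
                # Heuristic: one account hammered vs. many accounts tried once.
                alerts[src] = ("dictionary-style guessing" if len(users) == 1
                               else "credential-stuffing pattern")
                break
    return alerts
```

The occasional mistyped password from 192.0.2.10 stays below the threshold, so it raises no alert.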
Zero-Day Attacks
Zero-day attacks, where software flaws are exploited or disclosed before a patch is available, are a growing issue – with Google and Mandiant reporting 50% growth from 2022 to 2023.
Consequences are often severe, with widespread and public damage; IoT items are prone to this type of attack due to the difficulty of applying security patches and poor baseline security levels.
In their 2023 Enterprise IoT and OT Threat Report, Zscaler provided details of the top IoT malware families observed in the Zscaler cloud between January and June 2023. Although Mirai and Gafgyt dominated the results, there was wide variation overall, demonstrating sustained threat actor interest in weak IoT security. This helps to show the diversity of the threat.
Other IoT malware families identified by Zscaler:
- BotenaGo
- HiatusRAT
- IoTReaper
- Moose
- Mozi
- Shikitega
- Silex
- Torii
- Tsunami
- VPNFilter
One particularly popular tool that helps attackers carry out the above is Shodan, a powerful search engine that identifies internet-connected devices by scanning IP addresses. Any interesting findings, such as open ports, unsecured devices, or the services running on systems, are then collated and organized into a searchable database.
Although intended to help legitimate penetration testers, Shodan is often co-opted by malicious actors who use the attack techniques discussed above to find and exploit, rather than report, any points of weakness in the IoT that might otherwise remain unnoticed.
Additionally, Shodan makes it easy to see where particular makes or models of items are being used.
For a step-by-step guide to using Shodan, see our helpful article How to Use Shodan for Pentesting: A Step-By-Step Guide
Examples of IoT Security Failures
Now that you know what IoT devices are and some of the common difficulties in keeping them secure, let’s look at some real-world examples of where things have gone wrong. Below, you can see some videos discussing Internet of Things security failures—these help to illustrate the potential implications when we don’t successfully defend against IoT hacking.
Case study: Jeep Cherokee
As discussed, the automotive industry can be at risk of IoT attacks. The WIRED video below provides a real-time example of researchers remotely hijacking a moving car.
Case study: Pacemakers
In 2017, 500,000 pacemakers had to have their software patched after the US Food and Drug Administration (FDA) warned it was possible to fatally run down the battery or alter the wearer’s heart rate. Below, a fascinating interview conducted by the BBC shows how these types of security vulnerabilities can be abused:
Case study: Baby monitors
Reports of strangers hacking into baby monitors are nothing new, but what’s interesting is that it keeps happening despite awareness of IoT hacking issues. The video below shows a chilling interview with a family who found a stranger talking to their child through one of the smart devices as recently as 2023.
IoT Security Breach Mitigation
Maintaining a strong baseline level of security measures is crucial for protecting yourself and your organization while using IoT devices. Consider the following to enhance your defenses.
- Practice good cyber hygiene. Use complex, unique passwords and update them regularly. Apply security patches when prompted, and avoid using public Wi-Fi.
- If you can, consider setting up items on separate networks. Segregating IoT devices can prevent infections from spreading to other areas. This is particularly important for businesses, as it shields critical systems from less secure items.
- Disconnect items when you stop using something, as attackers can still abuse inactive devices.
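Putting devices on a separate network only helps if the rules between the networks actually block traffic. This added example (not from the original article) models a first-match firewall ruleset and compares a weak one, where a broad internal allow rule shadows the deny, with a segmented one. The address plan, rule format, broker host and probe flows are all constructed assumptions, not any vendor's syntax.

```python
import ipaddress

IOT, CORP = "10.20.0.0/24", "10.10.0.0/16"   # constructed addressing plan

# Rules are (action, source CIDR, destination CIDR, port or None for any port),
# evaluated top to bottom; the first match wins and the default is deny.
WEAK_RULES = [
    ("allow", "10.0.0.0/8", "10.0.0.0/8", None),   # broad "internal is trusted" rule
    ("deny",  IOT,          CORP,         None),   # never reached: shadowed above
]
SEGMENTED_RULES = [
    ("allow", IOT,  "10.10.0.5/32", 8883),         # IoT -> broker only (hypothetical host)
    ("deny",  IOT,  CORP,           None),         # everything else IoT -> corporate
    ("allow", CORP, IOT,            443),          # admins reach device web UIs
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow, else 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

# Constructed probe flows from an IoT camera toward corporate hosts.
PROBES = [("10.20.0.23", "10.10.4.17", 445),
          ("10.20.0.23", "10.10.0.5", 8883),
          ("10.20.0.23", "10.10.0.5", 22)]

def leaks(rules, expected_allowed=(("10.10.0.5", 8883),)):
    """List IoT -> corporate probes the ruleset allows beyond the expected ones."""
    return [p for p in PROBES
            if decide(rules, *p) == "allow" and (p[1], p[2]) not in expected_allowed]
```

`leaks(WEAK_RULES)` reports two flows that cross into the corporate range, while `leaks(SEGMENTED_RULES)` reports none.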
An excellent way to keep your cyber hygiene strong is to stay linked in to industry standards and frameworks – saving yourself some work by taking the advice of trusted experts. Useful starting points for more detailed IoT security advice and approaches are provided below.
You should now have a clearer understanding of IoT security challenges and how attackers may seek to abuse common weaknesses in related devices. As we can see, this area is likely to become increasingly important as IoT adoption continues to grow, meaning understanding and embedding effective management strategies is crucial.
Although some potential ideas for mitigations are suggested above, it’s important to note that guidance will likely continue to evolve in the future.
If you want to learn more about ways to understand weaknesses in your security perimeter, the StationX Accelerator Program offers comprehensive penetration testing and endpoint defense training. It also provides access to a community of like-minded individuals, mastermind groups, and mentoring, where you can ask questions and discuss current best practices for IoT security management.