IoT privacy and security concerns

We take a look at what's needed to really secure internet-connected devices

There is a well-known story told within the cyber security industry of an American casino that was hacked via a fish tank.

An unauthorised party, as the story goes, remotely accessed the tank's internet-connected thermometer and used it as an entry point into the casino's wider network, where they eventually found client details.

Whether true or not, this is a rather extreme case, but it is useful in explaining the dangers of the Internet of Things (IoT). With all manner of gadgets and objects connected to the internet – and your home/work network – the options for entry have never been greater for hackers.

Yet, the internet keeps expanding. You can find smart versions of office lights, TVs, teddy bears, and even coffee machines you can control with a smartphone. It also seems that with each new IoT product there comes a new exploit, another story of a ransomware or DDoS attack. It's because of this that governments and experts have called for 'secure by design' products, effectively banning default passwords.

IoT also creates issues around data privacy, particularly with audio-based services, such as smart speakers that are often reported to secretly listen to our daily conversations on the grounds of service improvements.

Still, there is no indication that this expansion of the internet is ever going to slow down. So instead, we need to ask ourselves: what can we do to make our ecosystems safer?

IoT security threats to businesses

It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat for organisations, particularly at a time when employees are predominantly working from home. The shift to mass remote working has meant that the average 'office' is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells, to phone-controlled light bulbs and robot vacuums.

With employees using their home Wi-Fi network to log onto work devices, having IoT devices on the same network could be putting corporate networks at risk.

That's largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai, for example: malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack, and Visa, to become unavailable across Europe and North America in October 2016.

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.

Security by design

The IoT industry is infamous for not prioritising security, especially when it comes to devices in the low budget bracket. Default passwords leave devices, and the networks to which they are connected, vulnerable to cyber attacks. Hackers can target devices with known default access credentials and launch an attack through what is essentially an open gateway.

Indeed, you might think the blame here falls with the manufacturer. In today’s cyber landscape, consumers should expect their devices to be shipped with ample security provisions to protect them from such attacks. However, the blame can sometimes be passed down to the victim. It presents a difficult question around where the onus of security should be placed - on the manufacturer that makes the device, or the customer who actually uses it.

There is an argument to be made for both sides. Manufacturers could quite feasibly ship devices with unique, complex access credentials making it more difficult for an attacker to brute force their way in using known logins. Alternatively, manufacturers could also ship devices with no set login credentials at all and simply require the user to set their own in order for the device to become operational.
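Both options can be sketched in a few lines. The following is an added example, not code from the article or from any vendor; the `Device` class, the `KNOWN_DEFAULTS` list, the eight-character minimum and the PBKDF2 parameters are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample of well-known default passwords (illustrative, not exhaustive).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "changeme", "default1"}
MIN_LENGTH = 8  # assumed policy threshold


class Device:
    """Hypothetical device that ships with no login and refuses to run until one is set."""

    def __init__(self):
        self._salt = None
        self._hash = None

    @property
    def operational(self):
        # The device only leaves setup mode once a credential exists.
        return self._hash is not None

    @staticmethod
    def _derive(password, salt):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, password):
        if self.operational:
            raise PermissionError("already provisioned; log in to change it")
        if len(password) < MIN_LENGTH or password.lower() in KNOWN_DEFAULTS:
            raise ValueError("password is too short or a known default")
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password, self._salt)

    def login(self, password):
        if not self.operational:
            return False  # nothing to log in to: no default credential exists
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(self._hash, candidate)


def factory_credential():
    """Alternative option: a unique random credential generated per unit at manufacture."""
    return secrets.token_urlsafe(12)  # 16 URL-safe characters, about 96 bits
```
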

On the other hand, consumers should know that in today’s world cyber threats are everywhere and simply setting a strong password on the devices they use should be part and parcel of owning technology. Consumers are also well-known for being poor patchers, opting to choose the ‘remind me later’ option whenever an update notification appears.

Whatever side of the argument you fall on, the general consensus within the industry is that adopting a ‘secure by design’ approach is the best way to prevent IoT attacks. Vendors should work alongside experts in cyber to ensure every stage of the manufacturing process meets the appropriate standards.

The UK government has funnelled millions into the development of adequate standards and education around security by design principles in recent years, and most recently the EU mandated a new directive compelling all device manufacturers to secure their products before shipping to the EU.

Enterprise attack surface evolution

It's clear something has gone wrong in the tech world when your users become the network perimeter and are given the role of blocking threats from infiltrating any further into the network.

IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.

The smart flip-flop

Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier will, in fact, start to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings, you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.

This article was first published on 09/11/21, and has since been updated
