IoT Devices Are Easy Targets for Cyberattacks
The Internet of Things (IoT) is everywhere in the modern, connected world. Consumer goods like refrigerators, doorbells, and even coffee makers are now internet-accessible. Businesses use connected printers, smart TVs, and smart boards in their offices; down in the manufacturing plant, there are heavy machines accessible from a centralized terminal constantly beaming data back for monitoring.
The number and type of these connected devices – in all industries and all contexts – is only going to increase over the next few years. We’ve written previously about the growth in IoT devices, with around 30 billion devices expected to come online by 2030, as well as about the major security challenges that connected systems present.
Despite these challenges, IoT devices perform critical functions in many enterprises, including performance monitoring and improving operational efficiency. Unfortunately, the security reality is that IoT devices are easy targets for threat actors. These connected devices often run outdated software, on operating systems that either can’t accept updates or break down when one is received, and in some cases they lack vendor support. Given this reality, IoT devices overall present a security risk to the enterprise.
IoT Devices Have Weak Security Measures
One of the big problems with IoT devices at the individual level is weak security measures. Equipment like workstations, network controllers, and other more general-use technology commonly comes preloaded with security technology designed to offer a base level of protection. These systems also require a setup process before they can be used and connected to the internet, which provides the opportunity to secure them against at least known attacks.
Among the weak security measures in place is that IoT devices are commonly shipped with default passwords. These passwords often cannot be changed before connecting the device to the internet and, depending on the device, are often extremely difficult to update. It’s even possible to find lists of the most commonly used IoT passwords online. Default passwords open up the network to attacks because it’s easy for threat actors to use them for initial access. At scale, weak IoT passwords give attackers an easy foothold into the network.
Weak default passwords aren’t necessarily a security risk by themselves. A lot of equipment has extremely basic admin passwords when first delivered, which is why standard practice is to change the default password before adding a new device to the network. The problem is that IoT devices are shipped and deployed at an unprecedented scale, which makes updating the password quickly enough nearly impossible. That’s if there is an accessible UI that makes it possible to change the default password in the first place, and the default password isn’t included in the device’s firmware.
Beyond this, 98% of IoT traffic remains unencrypted. This lack of baseline data protection in IoT can expose personal and confidential data to the open internet. Exposure of this magnitude makes it easy for threat actors to scoop up what they need for credential theft and data exfiltration, among other goals.
Data encryption is a hallmark of secure communication. Given that IoT devices often don’t encrypt their network traffic at all, they present a clear risk of data exposure. Paired with weak default passwords that can be difficult or nearly impossible to change, this reality makes IoT devices inherently riskier than other enterprise technologies. This is further proven by the lack of security standards in the development of IoT devices.
Lack of IoT Security Standards Hinders Defenders
Much of the technology in common use at home and in the enterprise is built to specific security standards. This is meant to ensure that there’s some basic level of security against known attacks. Windows workstations, for example, come with default security built into the operating system. Most hardware and software manufacturers, in fact, have some security standards that they build against.
The same can’t be said for IoT devices. The creators of IoT operating systems and devices in general have no accepted industry standard for security, and yet 80% of companies have integrated IoT in their operations in some way. These devices could be in any number of situations, including environment sensors in factories, connected medical devices in hospitals, and smart TVs or whiteboards in corporate conference rooms.
This level of adoption is troubling, given that IoT firmware developers don’t prioritize security in their development pipelines. Although open source code on its face isn’t any more vulnerable than proprietary code, there remains the challenge of ensuring that the code is bug-free and secure. It can be harder to build secure firmware when the codebase is open source, especially without secure coding practices.
To make matters worse, many IoT devices lack vendor support for patching vulnerabilities. Vendors either don’t release patches for their devices, or the devices won’t accept patches without breaking down. Many IoT products aren’t designed to be easily updated or can’t be taken offline because they’re too critical. Connected pacemakers fit this description, as do environmental sensors in power plants, to name two examples.
These weak security standards and issues with patching even severe vulnerabilities create a perfect storm of possible entry routes for threat actors. Enterprise adoption of IoT devices is unlikely to abate, so instead organizations need to limit their risk of a breach.
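The three risk factors discussed above (default passwords that may be impossible to change, unencrypted traffic, and missing vendor patches) can be turned into a simple triage pass over a device inventory. The following is an added example, not code from this article or from any vendor's product; the field names, the score weights, the cleartext protocol set and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Protocols treated as unencrypted ("mqtt" means plain MQTT without TLS).
CLEARTEXT = {"telnet", "http", "ftp", "mqtt", "modbus"}

@dataclass(frozen=True)
class Device:
    name: str
    default_password: bool     # factory credential still in place
    password_changeable: bool  # False if hard-coded in firmware or no UI exists
    protocols: frozenset       # application protocols observed on the wire
    vendor_patches: bool       # vendor still ships firmware fixes

def assess(dev):
    """Return (score, findings, fixable); the weights are illustrative assumptions."""
    score, findings, fixable = 0, [], True
    if dev.default_password:
        score += 3
        findings.append("default password")
        if not dev.password_changeable:
            score += 2          # cannot be rotated, so the exposure is permanent
            fixable = False
    cleartext = sorted(dev.protocols & CLEARTEXT)
    if cleartext:
        score += 2
        findings.append("cleartext: " + ",".join(cleartext))
    if not dev.vendor_patches:
        score += 3
        findings.append("no vendor patches")
        fixable = False
    return score, findings, fixable

def plan(inventory):
    """Rank devices by score; segment what cannot be fixed in place."""
    rows = []
    for dev in inventory:
        score, findings, fixable = assess(dev)
        action = "ok" if not findings else ("remediate" if fixable else "segment")
        rows.append((dev.name, score, action, findings))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("conference-tv", True, True, frozenset({"http", "https"}), True),
    Device("plant-sensor-07", True, False, frozenset({"modbus", "telnet"}), False),
    Device("badge-printer", False, True, frozenset({"https"}), True),
    Device("infusion-pump-3", False, True, frozenset({"mqtt"}), False),
]

if __name__ == "__main__":
    for name, score, action, findings in plan(INVENTORY):
        print(f"{score:>2}  {action:<9}  {name:<16} {'; '.join(findings) or '-'}")
```

Devices whose findings can be corrected in place are marked for remediation, while those with an unchangeable password or no vendor patches are marked for network segmentation.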
Limit IoT Risk With Asimily
IoT adoption will continue to grow over the next few years – of this, there is little doubt. No agreement on security standards, paired with weak authentication and other issues, means that connected equipment presents a risk for cybersecurity teams to address.
The Asimily platform is designed to counter the risks of IoT devices. Through the perpetual scanning of a dedicated product, vendors can discover connected equipment attached to their network. Having a complete, intact inventory allows organizations to fully understand which devices are attached to their network.
Once security teams understand which IoT devices are on their network, including poorly managed or unmanaged systems, they can more readily mitigate the impact of the riskiest assets. Asimily’s protection technology includes the ability to plan to segment out IoT devices with the biggest vulnerabilities to reduce the possibility of any compromised device serving as initial access to a larger network. But it provides simpler and easier-to-implement fixes as well for most vulnerabilities.
Asimily is built to help organizations resolve their IoT security challenges through effective inventory creation and anomaly detection, among other capabilities. With Asimily, companies investing in the internet of things can ensure that they don’t fall victim to threat actors trying to exfiltrate data through connected devices.
To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.