11 Ways You Could Be Attacked Using The Internet of Things
It’s reasonable to wonder how the “Internet of Things” or IoT differs from the regular internet that we use all the time every day. In short, it doesn’t differ. The phrase simply refers to a growing class of devices that connect to the internet and use it to accomplish tasks that wouldn’t be possible without digital connectivity. A smart door lock is an example of an IoT device. It’s equipped with the hardware and software necessary to allow a homeowner to view the device from their smartphone or computer and open or close the lock. Many businesses work with multiple vendors to establish technology and security systems. This also means that your team should establish processes to work with each vendor and bring hardware and software into line with IoT security best-practices.
Most Popular Office IoT devices
Some popular IoT devices found in offices include, Internet-protocol (IP) phones, printers, intercom systems, and consumer electronics such as smart speakers. The greatest security challenge these devices tend to pose is in their software/firmware setup, which is often proprietary and may even contain critical weaknesses that are difficult to fix.
The Eleven Most Common IoT Vulnerabilities
With billions of IoT devices connected to the web and more coming online every year (this number is likely to exponentially increase with the advent of 5G cellular networks), it’s important to learn how these devices are most vulnerable to cyberattack.
Weak, Guessable, or Hard-coded Passwords
Password security might seem obvious, but it remains a commonly exploited gateway for cyberattackers to take control of a device. In the case of IoT devices, the passwords may be preset, such as “admin/admin” or in the worst case scenario password is hard-coded into the device and cannot be changed. IoT devices tend to run in the background and are easily forgotten about. It should be part of your IT teams routine to check and update the passwords on any IoT device.
Low Security Awareness by Users
In many cases, users may not be aware that the device is connected to the internet. They may also be creating opportunities for cyberattacker without realizing it. Bringing a smart speaker into work, connecting a personal hard-drive to a work computer, or even writing down a password on a piece of paper are all examples of user obliviousness that can give hackers the toe-hold they need to penetrate the entire network.
Insecure Network Services
A device running with an open port is a common security flaw that goes unnoticed with IoT devices. And due to the simplified UX of most IoT devices, the only way to know if there are open ports are your network is to run a port scan. This should be standard practice for your IT team when evaluating the integrity of your network.
Insecure Ecosystem Interfaces
Sometimes the very tools that you’re using to manage devices, such as web apps and APIs can expose you to cyberattacks. The key to identifying these type of issues is to think about your IT ecosystem in discrete stages, tracing each piece of software or hardware that you use and examining it for security weaknesses.
Lack of Secure Update Mechanism
Many developers release consistent software and firmware updates for IoT devices. However, if your IT team or employees are not observing an established update protocol, your technology will eventually fall out of date and create opportunities for hackers. It’s also important to use encrypted connections to perform updates whenever possible.
Insufficient Privacy Protection
IoT devices can passively collect information about your users, which in turn can be harvested by cyberattackers and used to penetrate other portions of the network. You should evaluate each device’s potential for holding and transmitting personal information. Then you can mitigate that risk by securing the device or replacing it with a device that doesn’t have the same weakness.
Insecure Data Transfer and Storage
Encryption is a critical tool against unauthorized network and information access. Encryption protocols have become extremely robust and once established allow the network to function normally, but with heightened security. Wherever possible you should encrypt data when it is being transferred and when it is “at rest” on a storage device.
Lack of Device Management
Your IT team may have a list of hardware and software assets, but if that list is outdated or difficult to use, you may not even be aware of all the IoT devices on your network. Without a robust management process, IoT devices can easily be forgotten about and fall out of maintenance, offering a tempting target for cyberattackers.
Outdated Components
Due to the constant and uneven progression of technology, you may be using IoT devices that are running outdated software, or that can’t be updated due to a lack of developer support. This vulnerability is often overlooked until a piece of equipment breaks and your IT team discovers that it can’t be fixed.
Insecure Default Settings
In other cases, an IoT device may simply have been left with its default setting intact and deployed on the network. Cyberattackers can exploit these devices simply by having access to identical unit from the same manufacturer and looking at the default settings. They can search for devices with the same settings and gain control of them quickly.
Failure to Maintain Physical Security
If a hacker is able to gain physical access to an IoT device, it’s almost guaranteed that he or she will be able to gain control of it. This can happen by allowing unauthorized visitors into your office space, or allowing employees to take devices home where they’re unsupervised and unprotected. Establishing strong physical security protocols around your technology system is an absolute must.
Who should manage security policy for IoT devices
In virtually every scenario your IT team should be responsible for managing IoT security policies and eliminating vulnerabilities. In some cases they may need to coordinate with your information and physical security teams to ensure end-to-end network and physical security. They will perform technology audits and work with vendors to ensure that equipment and systems are up-to-date and functioning with the proper level of security.
About i.e.Smart Systems
i.e.Smart Systems is a Houston, TX based technology integration partner that specializes in design and installation of audio/visual technology and structured cabling. For more than three decades, our team of in-house experts has partnered with business owners, architectural firms, general contractors, construction managers, real estate developers, and designers in the Houston market, to deliver reliable, scalable solutions that align with their unique goals.