Recent data leak highlights the importance of IoT back-end security

Cybersecurity remains a major pain point for organizations looking to harness the power of internet of things technologies, yet consumers are often the ones dealing with the fallout of large-scale data breaches. According to the Identity Theft Research Center, close to 4.5 million sensitive records were exposed in 2017 alone, representing a whopping 126% increase from the previous year. This spike in security incidents seems to be the new normal for businesses across industry lines, though companies that collect personally identifiable information represent the most likely targets for malicious activity.

To combat threats of data theft and exploitation, IT security professionals around the world have been aggressively advocating for IoT standardization and cybersecurity awareness. While these efforts have helped to shine a light on the practice of monetizing consumer information that was stolen from unprotected devices, they've done little to curb the practice as a whole.

Orvibo IoT database leaks billions of consumer records
In late June, researchers from vpnMentor, a virtual private network testing service, discovered a publicly accessible database that currently houses over two billion user logs collected from smart home appliances through the popular IoT management software, SmartMate. According to the vpnMentor team's findings, the developer in charge of the platform and database, a Chinese tech firm named Orvibo, failed to secure its consumer records with any substantive password protections. In total, around two million customers located in the U.S., UK, China, Japan, France, Australia and Brazil have been impacted by the vulnerability, though the scope of the issue is not yet understood.

This security incident is quite unique among recent high-profile data breaches, as the company itself is wholly responsible for the leak. In most cases, hackers will infiltrate a network through phishing scams, malware or brute force attacks, but no such activity has been identified. What's more, the SmartMate logs stored on the database include a variety of sensitive information that malicious actors may already be harvesting, such as:

• Serial numbers
• Usernames and passwords
• Email and IP addresses
• Account reset codes
• GPS data for every IoT device

So long as the database remains publicly accessible, the amount of available information will continue to expand, leaving customers open to identity theft, credential jacking and even full account takeovers. According to a blog posted on vpnMentor's website, researchers have been trying to contact Orvibo since June 16, but have not yet received any reply about the database's vulnerability.

Some companies have started using biometric security systems to protect mission-critical data stores.

Securing IoT devices and databases
Most companies that manage IoT databases invest heavily in network-level protections that fit into their overall cybersecurity infrastructures, and regularly perform tasks that increase their ability to detect and respond to data breaches. This includes securing servers, implementing robust access rules and establishing two-factor authentication for authorized users. While these safeguards can help protect sensitive data from external threats, they often prove useless when hackers target specific devices. For example, most IoT appliances (like those integrated with the SmartMate platform) do not possess built-in security firmware and often run on factory settings. Customers who are unaware of these glaring vulnerabilities are often less active about securing their devices, updating default credentials and keeping an eye on performance logs.

Corporate IoT users who fail to uphold cybersecurity best practices are also at risk of identity and credential theft. For example, a 2018 survey from LastPass found that 91% of business professionals understand the risks of reusing passwords across multiple accounts, but 59% report doing so anyway. Confronting this issue will likely require companies to dedicate significant time and resources to cybersecurity training, as a single point of failure can lead to large-scale data breaches that could impact their reputation and financial growth.

3 tips for managing IoT devices
Device-level security is quickly becoming a primary focus of IT professionals who are responsible for managing a fleet of connected technologies, but it's also crucial for consumers who have outfitted their homes with smart appliances. The most straightforward practice is to update the default usernames and passwords of every new device before it is actively deployed. Other important back-end security strategies include:

1. Understanding your endpoints: Every new IoT device represents a potential entry point for hackers to exploit, but no two technologies are ever exactly the same. Learning about the unique configurations and security flaws of each IoT appliance can help companies and consumers anticipate risks and take proactive measures.

2. Using up-to-date encryption protocols: When cybercriminals launch large-scale attacks, their primary target is the data flowing in and out of IoT devices. Integrating cutting-edge encryption software can help ensure that sensitive information is protected.

3. Utilizing patching and remediation tools: Just like any piece of computing hardware, IoT devices must be updated to continue performing their intended functions. Looking into the patching requirements of embedded technologies before making a purchase can prevent users from having to replace their equipment down the line.

Perle offers industry-grade connectivity tools that can help companies safeguard their mission-critical operations and maintain their system sustainability over the long term. Read some of our customer stories to find out how we've helped other companies improve their infrastructure and stay connected when it mattered most.