Top IoT security vulnerabilities: 2020 and beyond
By Max Burkhalter, June 17, 2020
The rapid evolution of connected technologies - many of which fall under the "internet of things" umbrella - has been both a blessing and a curse for modern enterprises. While environmental sensors, artificial intelligence platforms and machine learning capabilities have provided a variety of operational benefits for organizations across industry lines, the severe lack of built-in security is having a notable impact on cybersecurity practices.
The issue is that IoT devices are particularly prone to hacking and targeted malware, according to the Department of Justice's Cybersecurity Unit. Once infected, IoT equipment can be used to launch large-scale botnet attacks that threaten the stability and performance of private networks. To offset these threats, companies of all sizes are having to pay closer attention to the inherent risks of IoT adoption and put new processes in place to protect vulnerable endpoints.
OWASP highlights top IoT security threats
The Open Web Application Security Project (OWASP) was launched back in 2001 to help device manufacturers, enterprises and consumers understand the security risks associated with IoT integration. As part of its ongoing efforts to advocate for better cybersecurity decision-making, OWASP identified 10 IoT vulnerabilities that are having the biggest impact on users, including:
- Weak, guessable passwords: Most IoT devices come with preset credentials (usernames and passwords) that are provided by the manufacturer. These default credentials are often publicly available and can be easily broken through brute-force attacks. To ensure new IoT devices are secured, IT administrators must set up new login criteria before deploying them in live environments.
- Unsecured network services: One of the core features of IoT devices involves networking capabilities that allow endpoints to communicate amongst themselves over a secure internet connection. When insecure network services are running on a device, sensitive data can be compromised and authentication processes can be bypassed.
- Unhealthy IoT ecosystems: When IoT devices are integrated with centralized management platforms and legacy systems, users can unknowingly introduce security vulnerabilities at the application layer. These include compromised authentication controls, weak encryption protocols and unoptimized input/output filtering.
- Inefficient update mechanisms: To prevent IoT devices from being compromised, companies must be able to send real-time updates to each endpoint as soon as they're made available. Without a trusted form of firmware validation, patch delivery and security monitoring, IoT devices could be running outdated versions with glaring code vulnerabilities.
- Lack of privacy protections: IoT devices often collect and store users' personal information, which may be compromised if hackers are able to bypass built-in security features and authentication protocols. The broader IoT system - including data stores and API interfaces - can also be leveraged to steal sensitive data unless properly secured.
- Improper data transfer and storage: Even the most robust IoT equipment can be exploited if users fail to encrypt data within their IT ecosystems. Sensitive information can be stolen at the point of collection, while it's in transit or during processing. This is why access controls are considered a top priority when managing a fleet of interconnected IoT devices.
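For the update-mechanism item in the list above, here is what device-side firmware validation involves: authenticate the manifest, check the image digest, and refuse releases that are not newer than the installed one. This is an added example, not OWASP or Perle code; the manifest layout, function names and demo key are assumptions, and HMAC stands in for a vendor's asymmetric signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the vendor's asymmetric signature
# so the example needs nothing beyond the standard library.
DEMO_KEY = b"constructed-demo-key"


def manifest_tag(manifest, key):
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_release(image, version, key=DEMO_KEY):
    """Vendor side: build and authenticate the manifest for an image."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, manifest_tag(manifest, key)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def validate_update(image, manifest, tag, installed, key=DEMO_KEY):
    """Device side: return 'ok' or the reason the update is rejected."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        return "manifest not authentic"
    # 2. The image must be the exact bytes the manifest describes.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return "image digest mismatch"
    # 3. Refuse replays of old releases, which reintroduce patched flaws.
    if parse_version(manifest["version"]) <= parse_version(installed):
        return "not newer than installed version"
    return "ok"


if __name__ == "__main__":
    image = b"constructed sample firmware image"
    manifest, tag = make_release(image, "1.4.0")
    print(validate_update(image, manifest, tag, "1.3.2"))
    print(validate_update(image + b"\x00", manifest, tag, "1.3.2"))
    print(validate_update(image, dict(manifest, version="9.9.9"), tag, "1.3.2"))
    print(validate_update(image, manifest, tag, "1.4.0"))
```

The order of the checks matters: the version and digest fields are only read after the manifest itself has been authenticated.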
Other key IoT security concerns
Alongside weak IoT architecture and management processes, connected technologies can also be exploited through zero-day vulnerabilities that are hard to detect. For example, security researchers at JSOF recently discovered a collection of TCP/IP vulnerabilities (named Ripple20) that have existed as far back as 1997. These flaws, which were present in a popular TCP/IP stack library developed by the software firm Treck, have to do with how devices connect to the internet. The Ripple20 vulnerabilities have impacted a wide range of IoT products, from smart home devices and printers to industrial control systems and power grid equipment. While JSOF has been working closely with Treck and other cybersecurity experts to release patches, the implications of these vulnerabilities are broad and far reaching.
Targeted malware is yet another concern for IoT device operators - hackers have been modifying existing malware strains to more easily take control of connected technologies and add them to massive botnets for use in large-scale DDoS attacks, according to a 2019 article from ZDNet. These types of complex cyber attacks are only growing in frequency and scope. In fact, honeypots owned and operated by Kaspersky Labs detected 105 million attacks on IoT devices (stemming from 276,000 unique IP addresses) in the first half of 2019 alone. To mitigate these types of targeted operations, security researchers have recommended that companies use threat data feeds to track and block network connections from potentially malicious network addresses. Of course, integrating this functionality requires the right connectivity tools and data management features.
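The threat-feed approach described above, as an added example (not from the article or any vendor): parse a feed of addresses and CIDR ranges, match a connection log against it, and derive the sources to block. The feed format, log format and function names are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed feed using documentation ranges, not real indicators.
SAMPLE_FEED = """\
# indicator,category
203.0.113.0/24,botnet-scanner
198.51.100.77,telnet-bruteforce
2001:db8:bad::/48,botnet-c2
not-an-address,garbage
"""

# Constructed connection log: "timestamp src_ip dst_port"
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 203.0.113.45 23
2020-06-01T10:00:02Z 192.0.2.10 443
2020-06-01T10:00:03Z 198.51.100.77 2323
2020-06-01T10:00:04Z 2001:db8:bad::1 8080
2020-06-01T10:00:05Z 203.0.113.45 2323
"""


def load_feed(text):
    """Parse 'address-or-CIDR,category' lines; skip comments and bad entries."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        indicator, _, category = line.partition(",")
        try:
            net = ipaddress.ip_network(indicator.strip(), strict=False)
        except ValueError:
            continue  # a malformed feed entry must never become a block rule
        entries.append((net, category.strip() or "unknown"))
    return entries


def match_connections(log_text, feed):
    """Return (timestamp, src, port, category) for sources listed in the feed."""
    hits = []
    for line in log_text.splitlines():
        ts, src, port = line.split()
        addr = ipaddress.ip_address(src)
        for net, category in feed:
            if addr.version == net.version and addr in net:
                hits.append((ts, src, int(port), category))
                break
    return hits

def block_list(hits):  # sources to block, most active first
    return [src for src, _ in Counter(h[1] for h in hits).most_common()]
```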
Perle offers industrial-grade networking tools that can help businesses of all sizes create more agile and secure IoT ecosystems. Our LTE routers and gateways can support the deployment of high-performance connectivity solutions by integrating location-based services and remote management capabilities at scale.
To learn more, explore our customers' success stories.