It’s dangerous to ignore the potential security issues that come with IoT. In 2021, it’s safe to say that most of us used smart devices and got tracked by the Internet of Things at least a few times. Voice assistants and smart speakers like Amazon’s Alexa, Google Home, and Apple’s HomePod already live inside millions of homes and offices.
While these smart “things” powered by artificial intelligence play our favorite songs and provide an update on the weather, they could also lead to a major security incident on an enterprise network.
What Is IoT?
The Internet of Things or IoT for short refers to intelligent connected gadgets that collect and share data over the Internet. Surprisingly this technology isn’t anything new, however, the ubiquity of wireless networks and the proliferation of cheaper computer chips now make it possible to make just about anything part of IoT.
Before it was called IoT, we had Operational Technology (OT). In factory and manufacturing facilities, IT components like sensors helped add an extra layer of digital intelligence to objects that were otherwise static or “dumb.”
Once IoT is added, any object becomes “smart” and communicates essential data with zero human intervention in real-time. Today, IoT makes up the fabric of a smarter planet. As this technology evolves, it better engages us, becomes more responsive, and merges the digital and physical worlds that much closer. At the same time, we also have to contend with IoT security issues.
As all these intelligent tools connect to the internet, IoT security risks are heightened.
What Are the Different Types of IoT Devices?
The Internet of Things is multifaceted and widely diverse. Apart from smart speakers and assistants, some leading examples of IoT include:
- Smart CCTV cameras
- Smart refrigerators
- Smart door locks
- Smart medical sensors
- Smart printers
- Smart security systems
- Smart TVs
In addition to smart IoT devices found in homes, there are many more:
- Cellular (3G/4G/5G) sensors for fleet management in transportation and logistics or connected cars
- Low Power Wide Area Networks (LPWANs)for asset tracking, consumables monitoring, environmental monitoring, facility management, and much more
- Zigbeefor short-range, low-power, wireless standard (IEEE 802.15.4) utilities automation (including smart bulbs, thermostats, etc.)
- Radio Frequency Identification (RFID)to optimize retail and logistics
How Can IoT Home Devices Such as Alexa Create Security Issues to My Companies Network?
All the intelligent gadgets listed above help make our personal and work lives much more manageable. Everyday tasks become effortless when a smartphone can, turn on a car, control lighting, send documents to get printed, change the thermostat, and even access motion activated security cameras. However, as more devices connect to home and enterprise networks, risk exposure can grow exponentially.
4 Ways the IoT and its Devices Threaten Network Security
The following are just a few real-life examples of security challenges brought about by IoT or its associated devices. As such, you must take steps to mitigate the risk of IoT and related security breaches.
1. Alexa
Recently, four healthcare workers filed a lawsuit seeking class-action status. They allege that Amazon failed to disclose that Alexa records, stores, and analyzes every interaction. They state that the device listens to, interprets, and evaluates the content for business (or marketing) purposes.
The healthcare workers who bought the devices to use at home noticed that Alexa was activated even though no one had issued any commands. The plaintiffs include a substance abuse counselor and healthcare worker in the psychiatry field. While they were working from home, the conversations recorded by the smart device would constitute a HIPAA violation.
2. Printers
Even connected printers aren’t safe from IoT security issues. At home or in the office, valuable data such as documents, and domains are stored on printers. Additionally, security research firm Quocirca, found that smart printers on enterprise networks are a potential and widely used vector used for cyberattacks. In their report, Quocirca highlighted that 60% of businesses located in France, Germany, the U.K., and the U.S. suffered a print-related data breach in 2019. The average cost of the resulting data loss was more than $400,000.
3. Amazon and Alexa Subdomains
A report from Check Point Security researchers revealed that several Amazon and Alexa subdomains were vulnerable to cyberattacks like Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) misconfigurations.
In this scenario, a threat actor can use XSS to acquire a Cross-Site Request Forgery (CSRF) token that provides access to smart home or office installations like smart security systems, sensors, printers, and more.
4. Smart Bulbs
Infrared-enabled smart bulbs’ functionality can be compromised by simply sending commands through an invisible light. This approach, coupled with security vulnerabilities, helps exploit other intelligent things connected to the same network.
Steps to Reduce the Risk of an IoT Security Breach
You can avoid similar events by taking the following steps to mitigate potential IoT security risks:
- Adopt a trusted execution environment
- Always take a zero-trust approach
- Change the default password on each device
- Encrypt anything and everything
- Perform regular security audits
- Reduce the attack surface
- Implement software and firmware updates and patches as soon as they are released
Other IoT security challenges include the vendor’s security posture, intrusion ignorance, inadequate privacy protocols, and physical security. But most often, IoT security issues usually have their roots in weak authentication, authorization, and profiling.
Whenever we fail to follow cybersecurity best practices, your security risk exposure grows exponentially. For example, researchers at SRLabs found that one command on Google Home allows the software to continue to spy or listen in long after performing the requested task.
The same occurs when using the horoscope skill for Alexa as the device continues to listen long after the “stop” command. Hackers can also manipulate these popular smart speakers to give fake error messages (and requests for the user’s password follow that).
As you might have guessed, ensuring robust IoT security can quickly become challenging without a Vulnerability Management Program (VMP).
What Is a Vulnerability Management Program?
A VM program is nothing new. It’s essentially another critical layer to your overall cybersecurity protocols and best practices. Vulnerability Management proactively addresses current cybersecurity challenges while providing the best method to mitigate them.
In this scenario, companies can resolve potential IoT security risks by establishing continuous and comprehensive processes to identify, classify, remediate, and mitigate vulnerabilities before hackers exploit them.
As such, regardless of whether it’s residential or industrial, IoT should never be overlooked or excluded when formulating security protocols and best practices. For example, you might have to run a parallel siloed network dedicated to IoT to improve security and de-risk.
It’s also more than the physical equipment itself. There can be vulnerabilities in the systems and the software that runs on them. As hackers leverage multipronged cyberattacks to breach enterprise networks, it’s critical for organizations to take steps to minimize their attack surface.
IoT security issues are here to stay. This makes it vital to establish a robust VM program that complements your cybersecurity and compliance strategies and best practices. By taking a security-first approach, enterprises can make it harder for threat actors to initiate a breach.
As such, you need to take a hands-on approach to IoT security. If you don’t know where to start with your Vulnerability Management program, Red8’s an excellent partner to have for your VMP or cybersecurity and compliance needs.
To learn more, schedule a commitment-free consultation with one of our in-house cybersecurity (& IoT security) experts.