The last twelve months has seen a spike in IT security threats. As with so many of the issues businesses are currently facing, the pandemic is partly to blame. Increasing use of insecure networks and unauthorised personal devices by remote workers has been named as a major contributor to data breaches and malware incidents. Of course, old-fashioned human error is usually another component.
The evacuation of offices and other centralised workplaces has accelerated the trends toward mobile computing, remote observation and control systems, automation and edge computing. All of these trends expose increasing numbers of IoT devices to cybercriminal exploits. The majority of smart connected devices lack security measures because the risks were not appreciated when they were designed.
Fortunately, experts are predicting that 2021 will begin to see real action to rectify the inherent vulnerabilities of IoT and edge computing devices.
Why the IoT is at risk
Certainly, for most companies the primary threats remain the traditional ones; phishing emails, brute force password crackers, SQL injection, malware and of course data theft. However, traditional human networks and IoT devices are connected, so a weakness or failure in one can compromise the other. With more employees (and employers) suddenly working remotely the “attack surface” is bigger and many of its users naïve to unfamiliar threats.
Some managers are still unaware that wifi controlled thermostats, smartphone microphones and CCTV systems are IoT connected devices, and as such might be a security concern. Office printers are a more obvious security concern if the documents sent to them are confidential.
By hacking into smartphone microphones, CCTV cameras, or smart TV sets the potential exists for damaging espionage. A hacker could potentially spend months observing or listening to everything taking place between employees and either acquire valuable information directly, or learn the means to log into additional systems.
Sabotage is another serious concern. There were 50% more ransomware attacks in the third quarter of 2020 (data from Check Point Research) and although most still target data repositories they can also sabotage shop-floor systems. Many IoT devices can be hijacked to launch Denial of Service attacks against a third party. In the Mirai botnet hack of 2016, 150,000 cameras were used to block internet access across much of North America. If you have sensitive connected equipment, such as a robotic assembly line or vital refrigeration systems, and a hacker threatens a meltdown, will you pay the ransom?
Routers, file servers and other network equipment are also connected “things”. Firmware backdoors, which may exist by design or omission, provide opportunities for intruders to penetrate networks quietly and pose an “advanced persistent threat”.
A whole range of devices collect personal information that could be used to support identity theft. Fitness wearables provide health information, satnavs provide location information. Both help the intruder build your profile. Voice activated devices like Alexa could be used to order goods in your name. Smart meters could tell them when you are not at home. A “deep fake” is an extreme form of identity theft in which your face or voice is used to impersonate you. If that sounds far-fetched, it already happened: in 2017, numerous pornographic videos appeared seemingly featuring celebrities.
Although edge-computing devices connect less with centralised systems, they accumulate more data locally – potentially making those too a juicy target for sophisticated exploits.
The good news
Donald Trump achieved at least one good thing: in December 2020 he signed the Internet of Things Cybersecurity Improvement Act into law. This sets high standards for IoT devices for federal institutions but is also seen as setting new standards for IoT devices in general. Meanwhile, the EU is introducing its own Cybersecurity Act which allows the European Union Agency for Network and Information Security to demand IoT security improvements from manufacturers and system builders. In the meantime, network segmentation can reduce the risks posed by IoT devices.