Internet of Things (IoT) technologies have significantly impacted the business world, transforming how people work and interact. But these devices have become a mounting problem for organizations as cyber-criminals increasingly seek to exploit security vulnerabilities. Cyber-criminals can install malware or penetrate a company’s cyber defenses using internet of things attacks.
Knowing this, how can you protect your company against cyber-attacks on IoT devices? Let’s discuss.
What Are IoT Devices?
The Internet of Things refers to the physical devices connected to the internet, collecting and sharing data. Often dubbed “smart devices,” these represent a constellation of internet-connected tools and gadgets meant to collect, exchange, and process data, providing users with convenient access to needed information and helpful services. An IoT device could be anything from an Apple Watch to a Hue Lightbulb to a Bluetooth-enabled printer.
While these can create conveniences and optimize workflows, they also expose an organization to new lines of attack. As the United States Department of Justice (DOJ) notes:
“Unfortunately, IoT devices have also become an increasingly attractive target for criminals. To attack IoT devices, cybercriminals often probe the devices for security vulnerabilities and then install malicious software (“malware”) to surreptitiously control the device, damage the device, gain unauthorized access to the data on the device, and otherwise affect the device’s operation without permission. Installed malware may not only compromise the operation and information security of the infected IoT device. Still, it can also provide hackers a conduit for penetrating other electronic devices on the same network.”
And these threats are only increasing as IoT technology becomes more pervasive throughout businesses. A SonicWall study recorded 32.7 million IoT attacks in 2018, a 215.7 percent year-over-year increase. Halfway through 2019, that number had increased by another 55 percent, with no slowdown in sight.
What Are Common Internet of Things Cyber-Attacks?
To guard against IoT cyber-attacks, you must first understand the threat landscape and identify the most urgent sources of concern. Currently, there are ten significant threats you need to prepare for:
- Physical attacks – occur when IoT devices are accessed by someone other than the owner, often due to loss, theft, or lax protection.
- Denial of Service (DoS) – occurs when DoS when an outside threat forces a service like a website to become unavailable.
- Encryption attacks – occur when hackers find an unencrypted device, penetrate its perimeter, then capture its data while installing their own programs to control the system.
- Man-in-the-middle – occurs when hackers intercept communications between two separate IoT devices and then trick the recipient into believing they are receiving a legitimate message.
- Firmware hacking – occurs when IoT firmware is out of date, which allows hackers to exploit vulnerabilities, penetrate the device, and then download malware.
- Botnets – occur when IoT devices are commandeered by botnets to transfer private and sensitive corporate data. Mirai IoT botnet took down large sections of the internet in 2016 and remains active, targeting devices with hardcoded credentials.
- Privilege escalation – occurs when hackers find IoT bugs and weaknesses to access the resources protected by the application or profile. Using these new security privileges, a hacker can then install malware or steal private data.
- Ransomware – occurs when hackers install malware which encrypts and locks down access to critical files. Attackers then threaten to delete or sell the data unless the original owner pays a hefty ransom.
- Eavesdropping – occurs when hackers intercept network traffic and weaken the connection between the device and the server, allowing them to steal sensitive data.
- Brute force password attack – occurs when hackers use algorithms to submit a series of passwords or phrases in order to gain access to a device. Once achieved, they can then install malware or steal data.
How To Prevent Cyber-Attacks on IoT Devices
With IoT cyber-threats constantly evolving, you can never eliminate the risk of an IoT attack unless you forbid such devices within your workplace. There are simply too many unique threats to prevent them all. However, you can install measures to mitigate the most significant threats and significantly reduce your overall risk profile. These include:
- Conduct research – If your organization does decide to allow IoT devices in the office, create a list of pre-approved devices. Limit these to technologies whose manufacturers are serious about cybersecurity. Evaluate the security at each layer of the IoT stack. This includes the devices themselves, their embedded software, the WiFi network, the cloud platform, and the native applications. Devices should also ideally have customizable passwords, regular security updates, and automated configurations.
- Set System-Wide Protections – Businesses that use IoT devices heavily should install systems specifically designed to protect IoT devices. These systems should understand standard IoT device behavior and know the patterns of potential threats. Once threats are identified, these systems must block them, and then prevent similar threats in the future.
- Add strong passwords – One of the best ways to prevent both a cyber-attack is by adding strong and unique passwords for all device accounts, connected devices, and WiFi networks. A strong password will be more than ten characters and include a combination of symbols, numbers, and capital letters to make it difficult for even a computer to guess. From there, multi-factor authentication (MFA) can provide additional security measures outside of a complex password.
- Protect against physical tampering – From device theft or loss to interrupting the device’s power or connecting to exposed ports like USB, SD Cards, or Ethernet, physical tampering must be hedged against. To prevent a physical attack, consider the following actions:
- Make sure that the product has no exposed ports or connectors that are easily accessible to non-employees.
- Set locks or access restrictions on devices.
- Keep IoT devices in secure spaces.
- Do not leave portable IoT devices unattended.
- Use a VPN – If possible, your business should use a virtual private network (VPN) to help secure all data transmitted from the WiFi network. That said, this measure is essential for employees who work remotely since public WiFi is far more vulnerable to cyber-threats.
- Create network segmentation and firewalls – IoT devices should not have access to your entire system. Otherwise, they can be used as exploitable gateways. By segmenting the systems, you can even prevent a successful hack from going any deeper.
- Create a “guest” network – By creating a guest network for your devices, an attacker will not be able to use the device as a gateway to other technologies such as your phone, computer, or network.
- Turn off social sharing features – Social sharing features can potentially expose your activities and location. For instance, a hacker may be able to use that information to discover when away from your office or home.
- Protect computers, tablets, and mobile devices – Although they aren’t considered IoT, viruses, malware, and other cyber-threats can bleed through IoT devices and then infect your most important technologies. By installing high-quality security software on all of these devices, you can safeguard sensitive data.
Guarding Your IoT Network Against Cyber-Attacks
IoT devices are increasingly becoming a fixture of the modern business environment. As such, Internet of Things attacks will not go away any time soon. Rather, it will likely only increase alongside the number of devices on the market. To mitigate this ever-present threat, you must take all of the necessary precautions to secure these devices.
Does your business need help with that?
At RSI Security, we have the experience and solutions you need to take stock of your IoT landscape, identify major threats, and then prepare accordingly. Whether you need training, managed security, or assistance with your cyber defenses, we’re confident we can help your organization achieve cybersecurity risk-management success.
Get A Free Cyber Risk Report
Hackers don’t rest, neither should you. Identify your organization’s cybersecurity weaknesses before hackers do. Upon filling out this brief form you will be contacted by one of our representatives to generate a tailored report.