Practical approach to security in IoT

Tags: IoT
A picture of Mikk Lemberg
Written by
Mikk Lemberg

IoT devices and systems do not always have a good reputation when it comes to security. You might know the joke out there — the joke that the S in IoT stands for security.

In some cases, that is true. The IoT market has grown so fast that many companies have rushed to launch products with lax security measures. This can create a dangerous environment where the benefits of IoT are compromised by the risks they bring.

Of course, this doesn't mean that every single device on the market is insecure. Some tools and resources can make IoT deployments more secure. They are worth a look – and in this article, we'll try to understand the different risks for IoT devices and how to overcome them.

Think of this article as an all-around overview of security in IoT. If you want to dive deeper into how to ensure your IoT device’s security, then we suggest you read the articles listed here:

The vulnerabilities of IoT

The benefit of IoT revolves around connections. But the more connection points you have, the more opportunity hackers have to break in. What are the goals of IoT security, and how can we make sure that security does not trump the very purpose it exists for?

Securing IoT is a lot about understanding threats. You need to understand your infrastructure and identify where a hacker will gain access and what they might be able to do once they've gotten in.

These possible points of entry are called attack surfaces. The main weaknesses originate from engineering, design of the device and software update processes.

The layers of possible vulnerabilities in the IoT stack include

  • the SIM/eSIM (most standardised and secured for hacking yet still can be stolen and misused)

  • cellular module,

  • firmware updates,

  • wired and wireless interfaces,

  • server distributed denial-of-service (DDoS) attacks.

You would expect that every competent IoT project manager wants to ensure that their hardware and software are secured and monitored.

Now let's look at real-life examples where it hasn't been the case.

Examples

During the summer of 2021, Swedish Coop was forced close 500 of its supermarket stores because of a "colossal" cyber-attack.

Criminals were targeting several large software suppliers, but Coop's point-of-sale tills and self-service checkouts were the most affected.

Another example of multiple mess-ups comes from Amazon with its product called Ring. In recent years they have had two separate security incidents. Once for accidentally revealing user data to Facebook and Google via third party trackers embedded into their Android application.

And secondly, due to an IoT security breach, cybercriminals successfully hacked into several families' connected doorbell and home monitoring systems.

You might wonder how hackers got access?

By using a variety of weak, recycled and default passwords. Once they guessed the logins, hackers could access live feeds from the cameras around customers' homes. They could even communicate remotely using the devices' integrated microphones and speakers. The story is even scarier because 15 families reported that hackers were verbally harassing them.

According to Kaspersky, these are just a few examples, and the number of attacks on IoT devices doubled during the first six months of 2021.

What to do?

Apparent public backlash creates discussions around the politicians to standardise IoT security. IoT security risks put consumers at risk and raise concerns about data privacy; it could also affect the broader economy since some devices are part of critical infrastructure.

Past few years, there have been efforts to legislate IoT security standards. For example, in June 2020, the EU published standards for cybersecurity in consumer IoT devices (ETSI EN 303 645 V2.1.1). A few states (e.g. California) have enforced legislation to regulate the IoT security standards in the UK and the US.

While the efforts are good-hearted, there are many problems for IoT companies. Legislation about device security has been patchy geographically, which means that expanding business globally requires knowing the regulations through and through.

These laws require that companies establish IoT device security and data privacy standards. IoT device makers must also provide evidence of compliance with these laws.

The other side is that IoT security is difficult and complex because of the diversity of the market, which spans consumer devices, industrial automation systems and enterprise IT.

In addition, the IoT brings its own peculiar challenges. IoT devices are infinitely varied, with many being small and of limited memory. These simple devices are incapable of the complex processing needed to support cryptographic functionality. Their operating systems can not be updated to cope with new threats in many cases.

Fortunately, the mobile industry has extensive expertise in providing secure, reliable solutions. It is best placed to shape and carry out an appropriate security framework that meets these requirements. So maybe light-touch regulation and internal motivation to avoid brand damage secure the IoT connections. And encourages growth and successful development of the IoT.

IoT security blueprint

Let's bring the discussion back to what to do as an IoT device manufacturer or a company deploying IoT devices.

By its nature, IoT opens up networks to the possibility of hacking. It involves connecting many objects or "things" to the internet that did not previously link to a network.

So the first level is about being cyber risk-aware at all times. IoT devices make easy targets for tampering because of often being unsophisticated and in vulnerable locations.

The other thing is taking responsibility to embed security from the beginning, at every stage of the IoT value chain, to enable a secure and trusted market that all stakeholders can rely on. This is also something that the industry refers to as secure by design.

Above we outlined the possible surfaces of attacks. When designing, you can work backwards by starting to eliminate potential risks.

In the absence of universal standards, best practices for IoT security are your most robust defence against cyberattacks. These best practices include:

  • closing unnecessarily open ports and making sure no wrong person gets access to the device

  • disabling default passwords

  • using encryption properly

  • using layers of firewalls

  • restricting access between devices in the network (the principle of least privilege)

When a SIM card is stolen, you need a way to detect and stop its misuse. 1oT Terminal provides built-in features that allow you to set up custom rules to detect anomalies. With the Intelligent connectivity app, you can also benefit from 1oT Terminal's built-in smartness.

Conclusion

There are well-documented weaknesses of IoT security. There's minimal standardisation from a device perspective, making it difficult to force standardised legislation. The whole ecosystem is fragmented, and few companies own the complete value chain, making it challenging to have clear ownership of IoT security on multiple layers.

Even though it's rational to want to eliminate all risk from IoT deployments by following a specific checklist and relying on regulation to standardise the efforts. Then we have learned today that we can't solve all the problems but be aware and ready for cyberattacks.

And the best we can do is hedge the risks by following best practices.

THIS MONTH AT 1oT

Stay up-to-date with IoT cellular connectivity topics.

Subscribe to a once-a-month email newsletter. No spam.
This website uses cookies to ensure you get the best experience on our website. Learn more