IoT endpoints have become prime targets for hackers.
In fact, Forrester Research concluded in its "The State of IoT Security, 2023" report that IoT devices were the most reported target for external attacks; they were attacked more than either mobile devices or computers.
That's not so surprising, given the challenges with securing an IoT ecosystem.
To start with, the IoT industry doesn't have one clear set of security standards for developers and manufacturers to build in consistent security. And IT admins often find it difficult to keep track of and update devices, which can remain in the field for many years.
Meanwhile, hackers scan networks for devices and known vulnerabilities and increasingly use nonstandard ports to get network access. Once they have access to a device, they can more easily evade detection by using fileless malware that runs only in the device's memory and leaves nothing on its storage.
As a result, there are many IoT security threats that IT admins must address in their IoT deployments and then implement strategies to prevent.
What is the IoT attack surface?
At its basic level, an attack surface is the total number of entry points for unauthorized system access. An IoT attack surface goes beyond entry points and includes all possible security vulnerabilities for IoT devices, connected software and network connections.
The growing concern around IoT device security includes the fact that threat actors can damage not only the network and software that support IoT devices, but also the devices themselves. Furthermore, IoT device adoption is advancing at a rate faster than the processes and protocols that provide secure, reliable connections.
There are steps that organizations can take to secure the IoT attack surface, but these require the staff and technical expertise to set policies in place that can proactively detect threats and reactively apply measures to reduce the size of the attack surface.
Top IoT security risks to address
Here are six common IoT vulnerabilities and six external threats that pose the most significant risks.
1. An expanded -- and expanding -- attack surface
One of the biggest threats to an organization's ability to secure its IoT environment is the sheer scale of it. Estimates on the actual number of connected devices in the world vary from one researcher to the next, but they are consistently in the billions and growing. For example, in its "State of IoT -- Spring 2023" report, IoT Analytics put the number of active IoT endpoints in 2022 at 14.3 billion -- an 18% increase over the prior year's count. And IoT Analytics estimated that the global number of connected IoT devices will grow 16% in 2023 to hit 16.7 billion active endpoints.
Of course, an individual organization has far fewer devices to secure; still, the number adds up fast. One recent report, "Managing Risks and Costs at the Edge" conducted by the Ponemon Institute and sponsored by Adaptiva, found that the average organization manages approximately 135,000 endpoint devices. Additionally, IoT devices are generally on 24/7 with many -- although not all -- continuously connected.
2. Insecure hardware
An individual endpoint device itself can present a risk to the security of the entire IoT ecosystem -- and, ultimately, the organization's IT environment. Devices often lack built-in security controls due to their limitations, namely their small computational capacity and their low-power design. As a result, many devices can't support security features such as authentication, encryption and access control. And, even when endpoint devices do have some security controls, such as passwords, some organizations still deploy them without using or enabling those available security options.
3. Maintenance and update challenges
Challenges adequately maintaining endpoint devices and updating software create further security vulnerabilities. There are a few contributing factors here. First, updates, such as a security patch to address a vulnerability that hackers could exploit, might not be forthcoming from the device vendors, particularly if the endpoint device is an older model. Second, connectivity limitations, as well as a device's limited computation capacity and power supply, could make it impossible to update devices deployed in the field.
4. Poor asset management
Even when updates are possible, organizations might not know whether they have devices to update. The Ponemon Institute report found that most organizations don't have visibility into all their IoT endpoint deployments; in fact, its survey showed that an average of 48% of devices -- or nearly 65,000 per organization -- are at risk because they're either "no longer detected by the organization's IT department or the endpoints' operating systems have become outdated." The report further found that 63% of respondents believe that their "lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture."
5. Shadow IoT
A related risk is shadow IoT -- that is, IoT endpoints deployed without IT's or the security department's official support or permission. These unsanctioned IoT devices could be personal items with an IP address, such as fitness trackers or digital assistants, but they could also be corporate and enterprise technologies, such as wireless printers. Either way, they create risks for the enterprise because they might not meet an organization's security standards, and even if they do, they might not be configured and deployed in ways that follow security best practices. Additionally, IT administrators and security teams generally lack knowledge of these deployments and, therefore, might not be monitoring them or their traffic, giving hackers a higher chance of successfully breaching them without being detected.
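The visibility gap described in the two risks above (devices the IT department no longer detects, outdated software, and unsanctioned endpoints) is something an inventory reconciliation check can surface. The script below is an added example, not code from the article or any vendor: it compares a constructed asset register against a constructed set of addresses observed on the network and reports unmanaged devices, stale entries, outdated firmware and unchanged factory credentials. The field names, version scheme and 30-day staleness threshold are assumptions for the illustration.

```python
"""Reconcile observed network devices against a sanctioned IoT inventory.

Added example. INVENTORY stands in for the asset register IT maintains;
DISCOVERED stands in for MAC addresses seen in DHCP leases or ARP tables.
Both are constructed sample data; the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    mac: str
    owner: str
    firmware: str          # version currently installed on the device
    latest_firmware: str   # newest version the vendor ships (same value if none)
    last_seen_days: int    # days since the device last checked in
    default_creds: bool    # True if factory credentials were never changed


# Constructed sample register
INVENTORY = [
    InventoryEntry("aa:bb:cc:00:00:01", "facilities", "2.1.0", "2.3.1", 2, False),
    InventoryEntry("aa:bb:cc:00:00:02", "facilities", "2.3.1", "2.3.1", 1, True),
    InventoryEntry("aa:bb:cc:00:00:03", "ops", "1.0.4", "1.0.4", 120, False),
    InventoryEntry("aa:bb:cc:00:00:04", "ops", "1.0.4", "1.0.4", 1, False),
]
# Constructed sample of addresses currently observed on the network
DISCOVERED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
              "aa:bb:cc:00:00:04", "de:ad:be:ef:00:01"}

STALE_DAYS = 30  # illustrative threshold for "no longer detected"


def version_tuple(v):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def assess(inventory, discovered):
    """Map each MAC address to a list of findings; devices with none are omitted."""
    findings = {}
    known = {e.mac for e in inventory}
    # Shadow IoT: on the network but absent from the register
    for mac in sorted(discovered - known):
        findings.setdefault(mac, []).append("unmanaged: not in inventory")
    for e in inventory:
        f = findings.setdefault(e.mac, [])
        if e.mac not in discovered and e.last_seen_days > STALE_DAYS:
            f.append("no longer detected: last seen %d days ago" % e.last_seen_days)
        if version_tuple(e.firmware) < version_tuple(e.latest_firmware):
            f.append("outdated firmware: %s < %s" % (e.firmware, e.latest_firmware))
        if e.default_creds:
            f.append("factory credentials still in use")
    return {mac: fl for mac, fl in findings.items() if fl}


def at_risk_share(inventory, discovered):
    """Fraction of inventoried devices that have at least one finding."""
    flagged = assess(inventory, discovered)
    hits = sum(1 for e in inventory if e.mac in flagged)
    return hits / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for mac, fl in assess(INVENTORY, DISCOVERED).items():
        print(mac, "->", "; ".join(fl))
    print("at-risk share: %.0f%%" % (100 * at_risk_share(INVENTORY, DISCOVERED)))
```

Run against a real DHCP or switch export, the unmanaged list is the shadow IoT candidates to investigate, and the stale and outdated lists are the devices the asset management program has lost track of.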
6. Unencrypted data transmissions
IoT devices collect reams of data as they measure and record everything from temperature readings to the speed of objects. They send much of that data to centralized locations -- usually in the cloud -- for processing, analysis and storage; they also often receive information back that frequently informs the devices on what actions to take. Studies have shown that much of that transmitted data is unencrypted; a 2020 report from Palo Alto Networks found that 98% of all IoT device traffic was unencrypted, "exposing personal and confidential data on the network and allowing attackers the ability to listen to unencrypted network traffic, collect personal or confidential information, then exploit that data for profit on the dark web."
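A network team can measure how much of its own IoT traffic is in the clear before trusting a vendor report. The following script is an added example, not from the article: it classifies constructed flow records by destination port into plaintext and encrypted protocols (MQTT on 1883 versus MQTT over TLS on 8883, HTTP versus HTTPS, Telnet versus SSH, CoAP versus CoAP over DTLS) and computes the unencrypted share per device and overall. Port-based classification is a simplifying assumption; real deployments should use protocol detection from a tool such as a flow collector or IDS rather than port numbers alone.

```python
"""Estimate how much IoT traffic travels over plaintext protocols.

Added example. FLOWS is a constructed list of (device_id, dst_port, bytes)
records standing in for a NetFlow or Zeek export. The port table is an
assumption for the illustration.
"""
from collections import defaultdict

# Well-known ports and whether the protocol encrypts in transit
PORT_PROFILE = {
    23:   ("telnet", False),
    22:   ("ssh", True),
    80:   ("http", False),
    443:  ("https", True),
    1883: ("mqtt", False),
    8883: ("mqtts", True),
    5683: ("coap", False),
    5684: ("coaps", True),
}

# Constructed sample flows: (device_id, dst_port, bytes)
FLOWS = [
    ("sensor-01", 1883, 4200),
    ("sensor-01", 1883, 3900),
    ("sensor-02", 8883, 5100),
    ("camera-07", 80, 900000),
    ("camera-07", 443, 12000),
    ("hvac-03", 23, 600),
    ("hvac-03", 5683, 300),
]


def classify(port):
    """(protocol_name, encrypted); unknown ports yield encrypted=None."""
    return PORT_PROFILE.get(port, ("unknown/%d" % port, None))


def per_device_report(flows):
    """Per device: total bytes, bytes over known-plaintext protocols, protocols seen."""
    report = defaultdict(lambda: {"total_bytes": 0, "plain_bytes": 0,
                                  "plain_protocols": set()})
    for device, port, nbytes in flows:
        name, encrypted = classify(port)
        entry = report[device]
        entry["total_bytes"] += nbytes
        if encrypted is False:          # only count protocols known to be plaintext
            entry["plain_bytes"] += nbytes
            entry["plain_protocols"].add(name)
    return dict(report)


def plaintext_share(flows):
    """Fraction of all bytes sent over protocols known to be plaintext."""
    total = sum(b for _, _, b in flows)
    plain = sum(b for _, p, b in flows if classify(p)[1] is False)
    return plain / total if total else 0.0


def devices_over_threshold(flows, max_share=0.0):
    """Devices whose plaintext byte share exceeds max_share (default: any plaintext)."""
    out = []
    for device, entry in per_device_report(flows).items():
        share = entry["plain_bytes"] / entry["total_bytes"]
        if share > max_share:
            out.append((device, share, sorted(entry["plain_protocols"])))
    return sorted(out)


if __name__ == "__main__":
    print("overall plaintext share: %.1f%%" % (100 * plaintext_share(FLOWS)))
    for device, share, protos in devices_over_threshold(FLOWS):
        print("%-10s %5.1f%% plaintext via %s" % (device, 100 * share, ", ".join(protos)))
```

Devices that show up with Telnet or plain MQTT are the ones to migrate to the TLS variant of the protocol or to isolate in a segment where the unencrypted traffic cannot be observed from the rest of the network.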
7. IoT botnets
In addition to vulnerabilities, there are threats coming from outside the IoT environment. One such threat is the botnet. Enterprise IT and security leaders have consistently listed this as a top threat following the major botnet attacks, such as Mirai, that arose nearly a decade ago.
In these kinds of attacks, an attacker infects an IoT device with malware through an unprotected port or phishing scam and co-opts it into an IoT botnet used to initiate massive cyber attacks. Hackers can easily find malicious code on the internet that detects susceptible machines or hides code from detection before another code module signals devices to launch an attack or steal information.
IoT botnets are frequently used for DDoS attacks to overwhelm a target's network traffic. Botnet orchestrators find IoT devices an attractive target because of weak security configurations and the quantity of devices that can be consigned to a botnet used to target organizations. The 2023 "Nokia Threat Intelligence Report" found that the number of IoT bots engaged in botnet-driven DDoS attacks rose from approximately 200,000 to 1 million devices over the prior year.
8. DNS threats
Many organizations use IoT to collect data from older machines that don't have the most recent security standards. When organizations combine legacy devices with IoT, it can expose the network to older device vulnerabilities. IoT device connections often rely on DNS, a decentralized naming system from the 1980s, which might not handle the scale of IoT deployments that can grow to thousands of devices. Hackers can use DNS vulnerabilities in DDoS attacks and DNS tunneling to get data or introduce malware.
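DNS tunneling, mentioned above as a way to move data or malware past the network boundary, shows up in resolver logs as many unique, long or high-entropy subdomains under one domain from a single client. The script below is an added example, not from the article: it scores constructed query records with Shannon entropy and label length and flags client-domain pairs where most of the unique names look encoded. The thresholds and the "last two labels" domain heuristic are assumptions; production code would use the public suffix list and tune thresholds against real traffic.

```python
"""Flag DNS query patterns consistent with tunneling or exfiltration.

Added example. QUERIES is a constructed list of (client, qname) records
standing in for a resolver log. Thresholds are illustrative assumptions.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude registered-domain guess: last two labels (assumption, see lead-in)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def is_suspicious_label(qname, max_len=40, min_entropy=3.5):
    """Long or high-entropy subdomains are typical of encoded payloads."""
    sub = subdomain_part(qname)
    return len(sub) > max_len or shannon_entropy(sub) > min_entropy


def detect_tunneling(queries, min_unique=3, min_suspicious_ratio=0.5):
    """Return {(client, domain): stats} for pairs whose unique names look encoded."""
    groups = defaultdict(set)
    for client, qname in queries:
        groups[(client, registered_domain(qname))].add(qname.lower())
    alerts = {}
    for key, names in groups.items():
        suspicious = sum(1 for q in names if is_suspicious_label(q))
        if len(names) >= min_unique and suspicious / len(names) >= min_suspicious_ratio:
            alerts[key] = {"unique_names": len(names), "suspicious": suspicious}
    return alerts


# Constructed labels shaped like hex-encoded data: each hex digit appears
# exactly twice in every 32-character label, so entropy is exactly 4 bits.
EXFIL_LABELS = [
    "f3a9c1e7b5d204866e2c8a04f1b9d375",
    "6e2c8a04f1b9d375f3a9c1e7b5d20486",
    "f3a9c1e7b5d20486f3a9c1e7b5d20486",
    "6e2c8a04f1b9d3756e2c8a04f1b9d375",
]

# Constructed resolver log: ordinary vendor lookups plus one chatty client
QUERIES = [
    ("sensor-01", "update.vendor-example.com"),
    ("sensor-01", "api.vendor-example.com"),
    ("sensor-01", "update.vendor-example.com"),
    ("sensor-01", "telemetry.vendor-example.com"),
    ("hvac-03", "mqtt.vendor-example.com"),
] + [("hvac-03", label + ".tunnel-example.net") for label in EXFIL_LABELS]


if __name__ == "__main__":
    for (client, domain), stats in detect_tunneling(QUERIES).items():
        print("%s -> %s: %d/%d unique names look encoded"
              % (client, domain, stats["suspicious"], stats["unique_names"]))
```

Pairing this with a per-client query-rate check catches the DDoS side of the same paragraph, since a device participating in a DNS flood stands out by volume rather than by name shape.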
9. Malicious node injection
Hackers can also attack an IoT ecosystem by inserting or injecting fake nodes into the web of legitimate connecting nodes, thereby enabling hackers to alter and/or control the data flowing between the fake and legitimate nodes and, ultimately, all the nodes in the web.
10. IoT ransomware
As the number of insecure devices connected to corporate networks increases, so do IoT ransomware attacks. Hackers infect devices with malware to turn them into botnets that probe access points or search for valid credentials in device firmware that they can use to enter the network.
With network access through an IoT device, attackers can exfiltrate data to the cloud and threaten to keep, delete or make the data public unless paid a ransom. Sometimes, payment isn't enough for an organization to get all its data back, and the ransomware automatically deletes files regardless. Ransomware can affect businesses or essential organizations, such as governmental services or food suppliers.
11. Tampering with physical devices
Another risk is hackers tampering with physical devices. That could mean that attackers physically access an IoT device to steal data from it, tamper with the device as a way to install malware on it, or access its ports and inner circuits as a way to break into the organization's network.
12. Firmware exploits
Hackers can target known firmware vulnerabilities in IoT devices just as they target vulnerabilities in software deployed in an organization's IT environment.
How to defend against IoT security risks
IT teams must take a multilayered approach to IoT security risk mitigation. There are broader best practices and strategies that organizations can put in place, but admins should also have specific defenses in place for the differing types of IoT attacks.
IoT security is a combination of policy enforcement and software to detect and address any threats.
IT teams that oversee IoT devices should have strong password policies for any devices on the network and use threat detection software to anticipate any potential attacks.
They should also have a comprehensive asset detection and management program. The more visibility IT teams have into the endpoints deployed in their enterprise and what data is on their IoT devices, the easier it is to proactively detect security risks and threats.
Basic strategies IT administrators can use to prevent security attacks and enable resiliency include device vulnerability assessments, disablement of unneeded services, regular data backups, disaster recovery procedures, network segmentation and network monitoring tools.
IT administrators can keep DNS vulnerabilities from becoming a threat to IoT security with DNS Security Extensions (DNSSEC). These specifications secure DNS through digital signatures that let resolvers verify that DNS responses are authentic and unmodified. When an IoT device resolves the name of its update server, DNSSEC validation ensures the answer hasn't been forged to redirect the device to a malicious host. Organizations must upgrade protocol standards, including MQTT, and check the compatibility of protocol upgrades with the entire network. IT administrators can use multiple DNS services for continuity and an additional security layer.
Additionally, organizations should follow basic cybersecurity measures, such as authentication, regular updates and patches, and confirm that IoT devices meet security standards and protocols before they're added to the network.
Data protection strategies are another way to boost IoT security. IT teams can help ensure data security by using visibility tools, data classification systems, data encryption measures, data privacy measures and log management systems.
For physical security measures, organizations should place devices in a tamper-resistant case and remove any device information that manufacturers might include on the parts, such as model numbers or passwords. IoT designers should bury conductors in the multilayer circuit board to prevent easy access by hackers. If a hacker does tamper with a device, it should have a disable function, such as short-circuiting when opened.