The number of connected endpoint devices continues to explode exponentially, expanding the risk for organizations that now must secure this vast expanse of hardware.
These devices are everywhere: homes, hospital rooms, connected vehicles, factory floors, office buildings and traffic control systems. The list is exhaustive.
IoT cyber attacks are also on the rise. In September 2021, there were 1.5 billion breaches of IoT devices in the first six months of the year, a significant jump from the 639 million during the prior half-year period, according to Kaspersky, the antivirus and security service provider.
Although cyber attacks targeting data have gotten the most attention in recent years, threats that can take out infrastructure, including IoT hardware, also pose a significant risk for organizations deploying connected devices.
"We have to treat the IoT sensors in the field like they'll be broken into. We should assume that, at some point, the hardware will be exploited," said Andrew Nelson, principal architect of cloud and data center transformation at Insight Enterprises.
Hardware vulnerabilities, security concerns
Connected devices have specific vulnerabilities that enterprise leaders must address as they build out their IoT ecosystems.
IoT hardware is often more physically accessible than traditional pieces of computer equipment. That means sensors and edge devices, such as gateways, can be displaced or damaged -- either accidentally or intentionally -- through physical actions.
Andrew NelsonPrincipal architect, Insight Enterprises
"With IoT in general, these devices aren't going to be locked up. It's not like a data center device behind armed guards. To be useful, they'll be in substations and retail and farms. They'll be in places you have access to it," Nelson said.
IT admins can't forget the security implications that stem from the devices themselves.
These endpoint devices have limited computational and power resources by design, meaning they don't support advanced security features.
"Sensors don't have a lot of horsepower or complexity; they're a simple embedded chip on a board, and you're not going to get a whole lot of functionality on that hardware," Nelson said.
Moreover, some device manufacturers don't require users to change the factory default logins and passwords to start them up. Devices often have insecure interfaces with other parts of the IoT ecosystem. They generally can't -- or can't easily -- be updated to address vulnerabilities. Users, for example, can't easily swap out chips on dozens, if not hundreds or thousands, of deployed sensors if a vulnerability is discovered.
"We absolutely see significant vulnerabilities on the devices themselves," said Christine Livingston, IoT managing director at consulting firm Protiviti. "As has been said many times before, an environment is only as secure as the weakest link, and IoT devices provide a very significant attack vector."
If exploited, hackers could take advantage of the vulnerabilities to tamper with the hardware's functionality and firmware, the class of software that instructs devices and tells them what to do with significant implications.
"These embedded IoT devices are [frequently] connected to crucial equipment. And, if [a hacker] can interact with a device in a way that can cause physical harm, that represents the most egregious of risks. Additionally, the firmware can be another threat factor; it could be a backdoor, expose information about updates or expose credentials stored on the device that the hacker can then use to pivot into the back-end infrastructure," said Caleb Davis, manager in Protiviti's IoT practice.
Understand the hardware threats
Attackers use four main threat types on IoT hardware:
- Brute-force attacks. A hacker uses the trial-and-error method to guess login and password information to gain access.
- Fuzzing attacks. Random data, or fuzz, is automatically sent to devices and then attackers watch for the outcome, such as a crashed device.
- Rowhammer attacks. A hacker "hammers" a row of memory cells to generate an electrical charge that changes an adjacent row of RAM, flipping ones to zeros and zeros to ones.
- Side-channel attacks. The hacker takes information -- such as acoustic, electromagnetic, power consumption or timing information -- and then exploits that information to gain access.
Security measures to protect IoT hardware
Attention to the security issues within IoT deployments and, more specifically, endpoint devices has fallen short in many organizations. Organizations often lack the required expertise, underestimate the threats and misjudge the risk.
The proliferation of endpoint devices, the growing IoT ecosystems and the prevalence of threats necessitate IT and security leaders to develop a comprehensive strategy to protect those endpoint devices and remediate risks that align with the organization's tolerance appetite.
"You have to think about the value of the data you're securing, the likelihood of the threats and the cost of implementing the security plan," said Adonya Ourshalimian, vice president of product management and client partner at software engineering company Theorem.
Securing IoT hardware, however, comes with some unique considerations:
- Organizations must seek hardware that has security embedded in it. After deployment, adding security to the hardware is difficult because endpoint devices may have low power and low compute capabilities that prohibit loading security software onto them.
- The endpoint device should have security features already programmed into it that can bar it from any network or port access other than those a user has approved. The device and network can rely on root of trust, a foundational security element that can provide functions such as secure boot, cryptography, data encryption and secure storage.
- Other security steps include deploying accelerometer- and GPS-like capabilities near the edge that detect if the device has been moved from its intended spot. If it has moved, it could lock itself up.
- IT administrators can also secure endpoint devices using security software, including software for the following:
- identifying and discovering endpoint devices;
- monitoring network traffic;
- watching for communication anomalies that could indicate compromised endpoint devices; and
- encrypting connections.
- Organizations must develop an IoT governance framework. Policies should require strong device logins and passwords, address protocols for implementing firmware updates and ensure a good device management program.
The best practice for securing any enterprise technology, including IoT devices, brings together multiple layers of protection -- in this case, a combination of hardware-based security, software and policies.
"You have to think about it from all those angles," Ourshalimian said, "because none of those approaches is comprehensive on its own."