olly - stock.adobe.com
IoT devices might seem too small or specialized to pose a risk to enterprises, but that couldn't be further from the truth.
IoT devices are network-connected, general-purpose computers that can be hacked and hijacked by criminals, leading to problems beyond IoT security.
Even if an organization has locked down the physical devices and enacted basic IoT security measures, systems remain vulnerable. Many cybersecurity experts forget IoT application security when designing a security strategy.
Gartner estimates there will be approximately 25 billion IoT connections by 2025, making each IoT sensor, endpoint, connection, network layer and UI a vulnerability for enterprises using them. The IoT application security presents a massive area of vulnerability and one in which organizations should consider making equal investments from now on.
Vulnerabilities of IoT applications
IoT applications suffer from various vulnerabilities that put them at risk of being compromised, including:
- Weak or hardcoded passwords. Many passwords are easy to guess, publicly available or can't be changed. Some IT staff don't bother changing the default password that shipped with the device or software.
- Lack of an update process or mechanism. IT admins unintentionally exclude many IoT apps and devices from updates because they are invisible on the network. Also, IoT devices may not even have an update mechanism incorporated into them due to age or purpose, meaning admins can't update the firmware regularly.
- Unsecured network services and ecosystem interfaces. Each IoT app connection has the potential to be compromised, either through an inherent vulnerability in the components themselves or because they're not secured from attack. That includes any gateway, router, modem, external web app, API or cloud service connected to an IoT app.
- Outdated or unsecured IoT app components. Many IoT applications use third-party frameworks and libraries when built. If they're obsolete or have known vulnerabilities and aren't validated when installed in a network, they could pose security risks.
- Unsecured data storage and transfer. Different data types may be stored and transmitted between IoT applications and other connected devices and systems. All must be properly secured via Transport Layer Security or other protocols and encrypted as needed.
Threats to IoT applications
Threats to IoT applications fall into several general categories: spoofing, information disclosure, distributed denial of service (DDoS), tampering and elevation of service. Attackers typically use these threats as an entry point to a network and then move on to other areas to cause problems, such as stealing data, blocking connections or releasing ransomware.
Spoofing threats. Attackers intercept or partially override the data stream of an IoT device and spoof the originating device or system, which is also known as a man-in-the-middle attack. They intercept shared key information, control devices or observe sent data.
Information disclosure threats. Attackers eavesdrop on broadcasts to obtain information without authorization, jam the signal to deny information distribution or partially override the broadcast and replace it with false information. They then threaten to release or sell the data.
Tampering threats. Attackers can gain access to the firmware or OSes of the devices running an IoT app and then partially or completely replace it on the device. They then use the genuine device and application identities to access the network and other connected services. For example, SQL or XML injection attacks and DDoS attacks are tampering threats for IoT apps.
Elevation of privilege threats. Attackers use unsecured IoT apps to change the access control rules of the application to cause damage. For example, in an industrial or manufacturing environment, an attacker could force a valve to open all the way that should only open halfway in a production system and cause damage to the system or employees.
How to protect IoT applications
Protecting IoT applications isn't a one-and-done activity. It requires planning, action and regular monitoring. Get started with these nine ways.
1. Learn the most likely threats
Threat modeling can identify, assess and prioritize the potential IoT app vulnerabilities. A model can suggest security activities that will ensure IT admins include IoT apps in overall security strategies. The model should continue to evolve and grow to reflect the state of the IoT app accurately.
2. Understand the risks
Not all risks are the same when it comes to IoT apps and an organization. Prioritize risks in order of concern and act accordingly. Many tech teams forget to align the risk with business scenarios and outcomes. A failure or breach in one IoT app may seem innocuous to IT but have serious financial implications for the company.
3. Update apps regularly
IT admins must deploy updates to IoT apps as quickly as possible to ensure the safety of the entire network. Use only approved and authenticated updates and, if updating apps over the air, use a VPN to encrypt all update data streams. Secure public key infrastructures (PKIs) can also authenticate devices and systems.
4. Secure the network
Firewalls, encryption and secure communication protocols protect IoT apps from unauthorized access. Regularly review the various standards, devices and communication protocols used on the network to ensure adequate security. Add IoT apps to any application security testing.
5. Enable strong authorization
Strong password protection is essential for IoT applications and that includes developing a secure password process for those creating passwords. Change the default passwords on IoT devices and apps and ensure they're changed regularly. Deploying a two- or three-way authentication model with TLS communication protocols reduces the chances that authentication data can be compromised at any point.
6. Secure communication
Encrypting data between IoT devices, apps and back-end systems keeps data safe from attackers. That includes encrypting data at rest and in transit and adopting PKI security models to ensure both senders and receivers get authenticated on the system before transmitting.
7. Secure control applications
Applications and systems that have access to IoT apps should also be secured. When they are secure, it stops the client IoT system from being compromised by outside attacks and prevents it from propagating attacks downstream.
8. Secure API integrations
APIs are often used to push and pull data between applications and systems. They are another way for attackers to connect to IoT apps and cause problems. Only authorized devices and applications must communicate with APIs, making it easier to detect threats and attacks immediately. IT admins must also use API version management with old or redundant versions identified and removed regularly.
9. Monitor IoT apps
Monitoring IoT apps is the final step in protecting them. Ensure they're tested and scanned like the rest of the network to get alerts and address IoT security issues quickly.
IoT devices and applications pose a significant risk to organizations today. With hundreds or even thousands of devices connected to an enterprise network, not applying the same level of security measures to each component of IoT deployments can lead to problems beyond the individual device or application.