IoT devices why they are prone to vulnerabilities and how to protect them
Devices connected in Internet of Things – IoT – are entering every aspect of our lives. In our homes, offices, cars and even our bodies. People use them in enterprises, healthcare applications, and industrial applications as they provide productivity benefits. With the rise of IPv6 and the widespread adoption of Wi-Fi networks, IoT is growing at a dangerously fast pace, and scientists estimate that by the end of 2020 the number of active wireless devices will exceed 40 billion.
This creates a completely new vector for the spread of cyber threats. From IP cameras and intelligent lifts to medical devices and industrial controllers, each of them can be turned against you with a specially crafted code. IoT devices almost always have security vulnerabilities – vulnerabilities that cannot be patched or mandatory usage of insecure communication protocols.
In addition, organizations have a variety of devices from different vendors and struggle with the ubiquitous Shadow IoT – unmanaged and network-connected without authorization. A recent Check Point survey highlighted these issues: 90% of respondents reported that their organizations had hidden IoT devices in their networks, and 44% said that at least half of their IoT devices were connected without the knowledge of IT or security teams. Only 11% of respondents said they have fully implemented an IoT security solution, and 52% have no IoT security implemented at all.
„The number of IoT devices connected to the Internet continues to grow and will reach 41.6 billion by 2025. Cybercriminals are attacking IoT devices in all industries, including medicine, heavy industry, smart construction, and smart office, so security is a priority for enterprises. Given the huge number and variety of IoT devices, organizations need an easy way to deploy security. “
Robyn Westervelt, IDC, Research Director, Security & Trust
While IoT environments become more and more complex, IT security solutions are dragging far behind, with limited visibility and no control over IoT devices, and limited IoT-specific risk control measures.
When it comes to securing these devices, the challenge lies in the huge variety of communication protocols, how they are implemented and the fact that they are inherently vulnerable for several reasons:
- They run on older operating systems.
- They have encrypted or weak passwords.
- Their firmware can be difficult to patch.
- Devices are physically available.
- There are incorrect operating system configurations.
- No built-in security by default.
Insecure communication protocols
Due to the above,a good security solution for IoT identifies each IoT device in the network and assesses its risk in terms of vulnerabilities and misconfigurations, prevents unauthorized access to IoT and OT devices and blocks targeted attacks using known signatures and behavioral analysis.
There are two main groups of IoT protection solutions:
Network IoT Security – These are mainly suitable for organizations that want to protect many different types of IoT devices connected to their networks. Most solutions in this area offer an agentless method of automatically discovering managed and unmanaged connected IoT devices and OT resources, marking them based on their attributes (e.g. device type, manufacturer, model, firmware version and MAC address), analyzing their behavior over time real to detect and mitigate anomalies.
- These activities are often performed by enforcing IoT-related security rules as part of the organization’s existing security solutions – NAC, Security Proxy, Next Generation Firewall, IPS.
- They mainly focus on identifying the resource in the protected network, passive analysis of the current traffic flow (e.g. through mirror ports) and learning what to consider normal network activity and protocols – and what an anomaly.
- The main advantage of using these solutions is that they are relatively easy to implement, cloud-based, and have minimal impact on protected resources and devices or an organizational network. The leading IoT discovery providers on this list include companies such as Armis, Ordr, Claroty, Tenable.OT (formerly Indegy), Medigate, CyberMDX, and ScadaFence.
Protection on the device – IoT Endpoint – the latest generation of IoT cyber protection deals directly with endpoint protection. These solutions require a thorough understanding of device behavior, offering protection against new and less known attack vectors than network solutions.
The main mechanisms offered by IoT endpoint protection are:
- Runtime protection: Analyzes device firmware, maps correct OS and device software behavior, and then monitors this behavior at run time. Most of the current solutions are based on the Control Flow Integrity (CFI) mechanism. Companies offering this solution include Check Point (after acquiring Cymplify Security), Karamba Security, and Vdoo. Runtime protection solutions focus on the behavior of the device as a computer machine that follows certain computational rules. Deviations from the expected behavior are recognized, such as unauthorized writes to certain parts of the file system or firmware, or rogue processes that should not start. Runtime protection goes even deeper to identify attempts to intercept the control flow of each protected process in memory on the device itself, constantly instrumenting their execution and ensuring that their flow is not diverted by any type of attack.
- Secure Boot – secure boot: A secure boot is the process by which operating system boot images and code are authenticated against a hardware trust root that can be executed during the boot process. The hardware must be previously configured to execute only cryptographically signed code using manufacturer credentials or other trusted credentials. Companies that offer this protection method include: ARM (using TrustZone technology), Samsung (using Knox on TrustZone), and Synopsys. Another approach is Nanolock Security by Design at the device level to protect IoT and connected edge devices from cyber attacks, using flash devices to create a trust source, and extending powerful flash-to-cloud protection that secures the entire chain of vulnerable devices – from deeply embedded endpoints in the device, to the cloud – with minimal computing power. This technology is considered an alternative to secure boot and can protect devices with low resources (CPU and energy).
- On-chip protection – on-chip: this approach is followed by larger software companies and hardware manufacturers, offering device-level security as part of a wider ecosystem. These companies (including Microsoft, ARM) offer secure hardware platforms along with software security suites, so vendors build their products on a secure platform, taking advantage of a broad technological ecosystem. The protection mechanisms on the chip usually support TPM (Trusted Programmable Module) to store encryption keys as well as enclaves (such as Intel SGX), ARM TEE (Trusted Execution Environment). All of them are then bundled on a hardware platform and offered by the vendor as an SDK. These platforms then develop products with an integrated security layer.
While there are no standards and regulations yet, it is clear that more secure devices are essential for all of us; consumers as well as businesses and even nations. New cybersecurity regulations for IoT will come into force in the next few years, but more importantly, the demand for secure devices is a growing need articulated by customers themselves. Additionally, as the 5G data transmission standard evolves, IoT devices will be able to interact with various devices directly or through small networks, without necessarily routing traffic through a secure telecommunications gateway. With the development of 5G networks, the need to find a better solution to protect these devices quickly arises.
Some key tips are:
- Change default passwords on devices.
- Update device firmware.
- Restrict access to IoT devices over local VPN.
- Buy more devices from companies that put more emphasis on security.
Companies and entities that implement on a large scale should remember about good practices
- Implement IoT security controls at the network level, including IoT discovery and risk analysis, zero-trust segmentation, and multi-tier IoT threat prevention.
- Ask manufacturers about firmware security measures so they can detect vulnerabilities in their devices, including in third-party components.
The ultimate goal of introducing IoT devices in many sectors is to create a fully integrated intelligent system – industrial, communication, etc. Thanks to this integration, each device used in the manufacturing industry can connect to others used by government agencies, medical facilities, companies, and even a home network. However, the legal area has not yet developed privacy laws that cover all the gaps in the various sectors. Hackers continue to exploit this vulnerability, leading to a loss of income already invested in the venture. There is no doubt that IoT is the future of our world.
However, regardless of your proactive cybersecurity foundation – relative peace of mind comes from implementing a security solution from a company that stands by its reputation for the security of your IoT network.