IoT Devices

Internet of Things (IoT) in Cyber Security

James Drew

Internet of Things (IoT) cyber security is a growing problem and IoT devices can be found in almost every environment. In 2022 the number of connected IoT devices was estimated to rise to 14.4 billion.

We’ve likely encountered them in our day-to-day lives: devices such as assistants, doorbell cameras, robot hoovers, smart devices for home automation like lightbulbs, switches and plugs, smoke alarms and CO2 sensors, home appliances like fridges, cookers and washing machines, wearables and healthcare devices, toys and security-specific devices. The list really does go on.

These are primarily consumer products, but there are also commercial, industrial and military IoT devices. There are devices used to make whole cities smart.

So we’re aware of the prevalence of these devices and how they can assist us in our daily activities and digital needs. But how mindful are we of the impact that IoT devices have on our cyber security?

What can we do to ensure that the devices plugged into our home or enterprise networks take cyber security seriously? What can we do to ensure the data we entrust them to handle is protected? How many devices are bought for one purpose and, once they fulfil that purpose, are left for months or years without attention?

The primary focus of this article is to raise cyber security awareness and discuss the security impact these devices can have on our networks and infrastructure if left unattended. We’re going to discuss some steps we can take to make sure that the IoT devices we use so regularly are set up securely, stay secure and protect our data to the best of their ability.

IoT Cyber Security

As we’ve discussed, there is a wealth of IoT devices available to us and, because they are actively connected to our networks and the internet, they may pose a significant risk to the security posture of those networks. Whilst aimed at enterprise installations, the majority of these points will also apply to devices connected in home environments.

The following points should be considered when using IoT devices; they cover what we can do to help the devices, and us, be as secure as possible. This won’t apply to all devices. Smart fridges, for instance, may not provide a convenient way to interact with them, install firmware updates or make configuration changes.

IoT Setup and Management

Many IoT devices are incredibly versatile and often run Linux-derived operating systems. Devices that require configuration during installation should be configured with security best practices in mind. We’ve listed some of the features and configurations you are most likely to need to consider:

  • Passwords – Ensure that default passwords are changed and that a strong password is used. Devices often come configured with one user, which is likely an admin user that has access to all the device features and configurations. We want to restrict the ability of malicious actors to access this account as much as possible.
  • Encryption – Ensure that any connectivity to the device is performed over secure channels. For example, a device that is configured via a web application front-end should only be administered over HTTPS. A lot of devices still support HTTP connections, which do not encrypt traffic to and from the device over the network. Suitably positioned malicious actors may be able to eavesdrop on this communication and potentially obtain the credentials used to administer the device.
  • Services – It’s not unusual for a device to provide access over a number of different protocols, such as SNMP, Telnet, HTTP(S) and SSH. These protocols should be disabled whenever they are not in use to reduce the attack surface of the device. Allowing a malicious actor to probe a device over multiple protocols can lead to compromise. As previously mentioned, ensure the protocol offers encryption.
  • User Accounts – Provide basic user-level access where possible. Not everyone needs administrative access to these devices to perform the tasks they are required to do. Reducing the number of administrator accounts on these devices can greatly reduce the chance of the device being fully compromised.
  • Network Access – Some devices provide the ability to restrict access at the network level to allow only specific hosts to connect to them. Use these security features to help reduce the attack surface of IoT devices.
  • Updates – Ensure that the device is up to date. Vendors often release firmware updates for their devices to patch known vulnerabilities or provide feature updates that can help increase the overall security of the device. Regularly check for device updates.

Additional Measures

Some actions that might be more applicable to enterprise environments are as follows.

  • Monitoring – Actively monitor the device for any suspicious activity. This may consist of reviewing logs and metrics with the use of a SIEM (Security Information and Event Management) system. You may want to monitor network traffic with an IDS (Intrusion Detection System) which may highlight potential compromise of the device.
  • Network Segmentation – Devices can be isolated on restricted networks which can help reduce the attack surface and also limit the ability to reach other, more critical business systems from any compromised IoT device.
  • Asset Register – Keep an asset register of the IoT devices you use. As already stated, they are often used for a purpose and, once that purpose is satisfied, they can go unnoticed for long periods of time and therefore fail to receive basic maintenance.
  • Legacy Devices – Older devices that are no longer actively supported or maintained by the vendor (i.e. no longer receive firmware updates) should be removed where possible and upgraded to those that are supported.
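The setup checklist and the asset register described above can be combined into a simple recurring audit. The following is an added example, not part of the original article: the field names, the sample devices and the thresholds (90 days between update checks, one admin account) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Management protocols with no transport encryption (SSH, HTTPS and SNMPv3 are the encrypted options).
CLEARTEXT = {"telnet", "http", "snmpv1", "snmpv2c"}

@dataclass
class Device:
    name: str
    enabled: set              # management services switched on
    needed: set               # services actually used to administer it
    default_password: bool
    admin_accounts: int
    host_acl: bool            # device-level allow-list of permitted hosts
    segmented: bool           # sits on an isolated IoT network
    vendor_supported: bool
    last_update_check: date

def audit(dev, today, max_age_days=90, max_admins=1):
    """Return the checklist items this device fails (thresholds are assumptions)."""
    out = []
    if dev.default_password:
        out.append("default password unchanged")
    out += [f"cleartext service enabled: {s}" for s in sorted(dev.enabled & CLEARTEXT)]
    out += [f"unused service enabled: {s}" for s in sorted(dev.enabled - dev.needed - CLEARTEXT)]
    if dev.admin_accounts > max_admins:
        out.append(f"{dev.admin_accounts} admin accounts")
    if not dev.host_acl:
        out.append("no host access restriction")
    if not dev.segmented:
        out.append("not on a segmented network")
    if not dev.vendor_supported:
        out.append("legacy device: no vendor support")
    elif (today - dev.last_update_check).days > max_age_days:
        out.append("firmware update check overdue")
    return out

# Constructed sample register; names and values are illustrative only.
REGISTER = [
    Device("lobby-camera", {"http", "telnet", "ssh"}, {"https"}, True, 3, False, False, True, date(2022, 1, 10)),
    Device("hvac-sensor", {"https"}, {"https"}, False, 1, True, True, True, date(2022, 11, 1)),
    Device("old-printer", {"https", "snmpv2c"}, {"https"}, False, 1, True, True, False, date(2020, 5, 4)),
]

def audit_register(register, today):
    # Map device name -> findings, keeping only devices that fail at least one check.
    return {d.name: f for d in register if (f := audit(d, today))}

if __name__ == "__main__":
    for name, findings in audit_register(REGISTER, date(2022, 12, 1)).items():
        print(name, "->", "; ".join(findings))
```

Run on a schedule against the real register, the output gives a per-device worklist, and a device that never appears in the register at all is itself a finding.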

The majority of Internet of Things type devices lack any type of Anti-Virus software or mechanisms to help prevent cyber attacks against the device. This can make them an attractive target to malicious actors as they can compromise a network device in a critical environment without being noticed. This may provide them with the chance to pivot to additional hosts or gain persistence within the affected network.

IoT Device Standards

The National Institute of Standards and Technology (NIST) has provided a Cybersecurity for IoT Program that contains information for manufacturers and consumers, described as:

“The development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices, products and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, academia, and consumers, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.”

How can Sentrium help?

As a CREST-approved penetration testing provider, our expert security consultants have a deep understanding of how hackers and cyber attackers operate. We use this knowledge to help businesses mitigate risks to their IT systems and networks.

We want to help you improve your security strategy to protect your brand reputation, value and property. Get in touch today to learn more about how we can help.
