IoT Devices
Internet of Things (IoT) cyber security is a growing problem and IoT devices can be found in almost every environment. In 2022 the number of connected IoT devices was estimated to rise to 14.4 billion.
We’ve likely encountered them in our day-to-day lives: devices such as assistants, doorbell cameras, robot hoovers, smart devices for home automation like lightbulbs, switches and plugs, smoke alarms and CO2 sensors, home appliances like fridges, cookers and washing machines, wearables and healthcare devices, toys and security-specific devices. The list really does go on.
These are primarily consumer products, but there are also commercial, industrial and military IoT devices. There are devices used to make whole cities smart.
So we’re aware of the prevalence of these devices and how they can assist us in our daily activities and digital needs. But how mindful are we of the impact that IoT devices have on our cyber security?
What can we do to ensure that the devices plugged into our home or enterprise networks take cyber security seriously? What can we do to ensure the data we entrust them to handle is protected? How many devices are bought for one purpose and, once they fulfil that purpose, are left for months or years without attention?
The primary focus of this article is to raise cyber security awareness and discuss the security impact these devices can have on our networks and infrastructure if left unattended. We’re going to discuss some steps we can take to make sure that the IoT devices we use so regularly are set up securely, stay secured and protect our data to the best of their ability.
IoT Cyber Security
As we’ve discussed, there is a wealth of IoT devices available to us and, because they are actively connected to our networks and the internet, they may pose a significant risk to the security posture of the networks they are connected to. Whilst this guidance is aimed at enterprise installations, the majority of these points will also apply to devices connected in home environments.
The following points should be considered when using IoT devices, to help them, and us, be as secure as possible. This won’t apply to all devices: smart fridges, for instance, may not provide a convenient way to interact with them, to install firmware updates or to make any configuration changes.
IoT Setup and Management
Many IoT devices are incredibly versatile and often run Linux-derived operating systems. Devices that require configuration during installation should be configured with security best practices in mind. We’ve listed some of the more likely features and configurations you may wish to consider:
- Passwords – Ensure that default passwords are changed and that a strong password is used. Devices often come configured with one user, which is likely an admin user that has access to all the device features and configurations. We want to restrict the ability of malicious actors to access this account as much as possible.
- Encryption – Ensure that any connectivity to the device is performed over secure channels. For example, a device that is configured via a web application front-end should only be administered over HTTPS. A lot of devices still support HTTP connections, which do not encrypt traffic to and from the device over the network. Suitably positioned malicious actors may be able to eavesdrop on this communication and potentially obtain the credentials used to administer the device.
- Services – It’s not unusual for a device to provide access over a number of different protocols, such as SNMP, Telnet, HTTP(S) and SSH. These protocols should be disabled whenever they are not in use to reduce the attack surface of the device. Allowing a malicious actor to probe a device over multiple protocols can lead to compromise. As previously mentioned, ensure the protocol offers encryption.
- User Accounts – Provide basic user level access where possible. Not everyone needs to have administrative access to these devices to perform the tasks they are required to do. Reducing the number of administrator accounts on these devices can greatly reduce the chance of the device being fully compromised.
- Network Access – Some devices provide the ability to restrict access at the network level to allow only specific hosts to connect to them. Use these security features to help reduce the attack surface of IoT devices.
- Updates – Ensure that the device is up to date. Vendors often release firmware updates for their devices to patch known vulnerabilities or provide feature updates that can help increase the overall security of the device. Regularly check for device updates.
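The checklist above can be applied mechanically to an inventory of device settings. The following is an added example, not code from the article: the record schema (`default_password`, `services`, `needed`, `admins`, `allowed_hosts`, `last_update_check`), the thresholds and the sample devices are all assumptions constructed for illustration.

```python
from datetime import date

# Policy thresholds are assumptions for this example, not values from the article.
CLEARTEXT = {"telnet", "http", "snmpv1", "snmpv2c"}  # no transport encryption
MAX_ADMINS = 1
MAX_DAYS_SINCE_UPDATE_CHECK = 90

def audit_device(dev, today):
    """Check one device record (hypothetical schema) against the checklist."""
    findings = []
    enabled = set(dev["services"])
    if dev["default_password"]:
        findings.append("passwords: default password unchanged")
    if enabled & CLEARTEXT:
        findings.append("encryption: cleartext " + ",".join(sorted(enabled & CLEARTEXT)))
    unused = enabled - set(dev["needed"])
    if unused:
        findings.append("services: enabled but unused " + ",".join(sorted(unused)))
    if len(dev["admins"]) > MAX_ADMINS:
        findings.append("user accounts: %d admin accounts" % len(dev["admins"]))
    if not dev["allowed_hosts"]:
        findings.append("network access: no host restriction")
    age = (today - dev["last_update_check"]).days
    if age > MAX_DAYS_SINCE_UPDATE_CHECK:
        findings.append("updates: last checked %d days ago" % age)
    return findings

# Constructed sample inventory; names and addresses are made up.
DEVICES = [
    {"name": "lobby-camera", "default_password": True,
     "services": ["http", "https", "telnet", "ssh"], "needed": ["https"],
     "admins": ["admin", "installer"], "allowed_hosts": [],
     "last_update_check": date(2023, 1, 10)},
    {"name": "meeting-room-sensor", "default_password": False,
     "services": ["https"], "needed": ["https"],
     "admins": ["admin"], "allowed_hosts": ["10.20.0.5"],
     "last_update_check": date(2023, 5, 20)},
]

def audit_all(devices, today):
    """Map device name -> findings, omitting devices that pass every check."""
    results = {d["name"]: audit_device(d, today) for d in devices}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(DEVICES, date(2023, 6, 1)).items():
        print(name, findings)
```
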
Additional Measures
Some actions that might be more applicable to enterprise environments are as follows.
- Monitoring – Actively monitor the device for any suspicious activity. This may consist of reviewing logs and metrics with the use of a SIEM (Security Information and Event Management) system. You may want to monitor network traffic with an IDS (Intrusion Detection System) which may highlight potential compromise of the device.
- Network Segmentation – Devices can be isolated on restricted networks which can help reduce the attack surface and also limit the ability to reach other, more critical business systems from any compromised IoT device.
- Asset Register – Keep an asset register of the IoT devices you use. As already stated, they are often used for a purpose and once satisfied, they can go unnoticed for long periods of time and therefore fail to receive basic maintenance.
- Legacy Devices – Older devices that are no longer actively supported or maintained by the vendor (i.e. no longer receive firmware updates) should be removed where possible and replaced with devices that are still supported.
The majority of Internet of Things type devices lack any type of Anti-Virus software or mechanisms to help prevent cyber attacks against the device. This can make them an attractive target to malicious actors as they can compromise a network device in a critical environment without being noticed. This may provide them with the chance to pivot to additional hosts or gain persistence within the affected network.
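Monitoring, segmentation and the asset register reinforce each other: with a register of expected behaviour per device, flow records from the IoT segment can be checked for unknown devices and for traffic that crosses into critical networks. The following is an added example, not code from the article; the network ranges, the register contents and the simplified `src dst port` flow format are assumptions constructed for illustration.

```python
import ipaddress

# Constructed example network plan; all addresses are made up.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
CRITICAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Asset register: device IP -> (destination, port) pairs the device is expected to use.
ASSET_REGISTER = {
    "10.50.0.11": {("10.50.0.1", 53), ("203.0.113.20", 443)},
    "10.50.0.12": {("10.50.0.1", 53)},
}

# Constructed flow records, one per line: source, destination, destination port.
FLOWS = """\
10.50.0.11 203.0.113.20 443
10.50.0.11 10.10.4.7 445
10.50.0.12 198.51.100.9 23
10.50.0.77 10.50.0.1 53
10.20.0.5 10.50.0.11 443
"""

def review_flows(text):
    """Return (src, dst, port, reason) for each suspicious IoT-originated flow."""
    alerts = []
    for line in text.splitlines():
        src, dst, port = line.split()
        port = int(port)
        if ipaddress.ip_address(src) not in IOT_NET:
            continue  # only traffic originated by the IoT segment is in scope
        if src not in ASSET_REGISTER:
            alerts.append((src, dst, port, "source not in asset register"))
        elif any(ipaddress.ip_address(dst) in net for net in CRITICAL_NETS):
            alerts.append((src, dst, port, "IoT device reached critical network"))
        elif (dst, port) not in ASSET_REGISTER[src]:
            alerts.append((src, dst, port, "destination not expected for device"))
    return alerts

if __name__ == "__main__":
    for alert in review_flows(FLOWS):
        print(alert)
```
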
IoT Device Standards
The National Institute of Standards and Technology (NIST) runs a Cybersecurity for IoT Program that contains information for manufacturers and consumers, described as:
“The development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices, products and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, academia, and consumers, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.”
How can Sentrium help?
As a CREST-approved penetration testing provider, our expert security consultants have a deep understanding of how hackers and cyber attackers operate. We use this knowledge to help businesses mitigate risks to their IT systems and networks.
We want to help you improve your security strategy to protect your brand reputation, value and property. Get in touch today to learn more about how we can help.