The Internet of Insecurity: Addressing the Risks of IoT Devices

In the foreseeable future, almost every physical object, regardless of its size or type, is expected to be linked to the internet. According to Statista estimates, now there are about 15 billion such objects in use, and the forecast is that this number will double to 30 billion by 2030. This vast network of physical objects, including devices, vehicles, buildings, and other items equipped with software and sensors, and connected to the internet is described by the term "IoT", an abbreviation for the "Internet of Things". 

The Internet of Things is a transformative technology shaping the world into a smarter and more convenient place to live. IoT's potential applications and benefits are limitless, from smart home appliances and wearable fitness trackers to industrial sensors and autonomous vehicles. For instance, let's take an example of a smart security system installed in your home, connected to the internet, and using sensors, cameras, and motion detectors to monitor your home's security. Through a mobile app on your smartphone, you can view live videos remotely, receive alerts for suspicious activity, and control access to your home by locking and unlocking doors. Similarly, IoT technology allows homeowners to monitor and control their energy consumption using devices connected to the internet. For example, a smart thermostat can learn your household's energy usage patterns and adjust heating and cooling to optimize energy efficiency. Your car, connected to the internet, can provide real-time traffic updates and suggest alternative routes based on current road conditions. It can also send maintenance notifications to your smartphone, reminding you to schedule a service appointment when needed. Or, imagine having a wearable device that monitors your vital signs and is connected to the internet, sending data to your doctor, who can remotely monitor your health. The device can also send alerts to remind you to take your medication or notify your doctor in case of an emergency.

On a larger or industrial scale, IoT use cases are also numerous. In a smart city, traffic management systems connected to the internet use sensors and cameras to monitor traffic congestion. Traffic signals can be adjusted in real-time to optimize traffic flow based on current road conditions. In a manufacturing plant, IoT devices such as sensors, actuators, and controllers are used to monitor and optimize production processes. For example, sensors can detect machine failures in real time, and the data can be analyzed to predict maintenance needs and prevent costly downtime. Controllers can adjust production parameters to optimize energy usage and reduce waste, improving efficiency and cost savings. Farmers can use IoT devices to monitor and manage their crops and livestock. For example, soil sensors can measure moisture and nutrient levels in the soil, helping farmers make data-driven decisions about irrigation and fertilization. Livestock trackers can monitor the health and location of animals, allowing farmers to remotely manage their herds and prevent theft or loss.

These are just a few examples of how IoT transforms various industries, such as healthcare, manufacturing, transportation, and agriculture. The emergence of this technology, which integrates the physical and digital worlds, has led to improved decision-making, enhanced efficiency, and increased productivity. When combined with machine learning and AI, automation became much easier. The benefits of this connected world are numerous - from automating trivial tasks like turning on a coffee machine to potentially life-saving actions like automatically updating traffic lights for emergency vehicles.

However, with so many devices connected to the internet and sharing data, security concerns have risen significantly. These concerns stem from various factors, such as vast data collection, complexity, interconnected nature, legacy devices, and human factors, specifically: 

• Interconnected Nature: IoT devices are often interconnected and communicate with each other, exposing them to various types of cyber threats, such as hacking, data breaches, malware, ransomware, and other malicious activities.

• Weak Security Measures: IoT devices may have inadequate security measures, such as poor authentication and encryption mechanisms or a lack of regular software updates, making them more susceptible to cyberattacks.

• Privacy and Data Security Risks: IoT devices collect and transmit vast amounts of data, including personal and sensitive information. This data can be intercepted or accessed by unauthorized entities, leading to privacy breaches and data security risks.

• Complexity and Scale of IoT Networks: IoT networks can be complex, with many interconnected devices and systems. Managing security across such vast networks can be challenging, and identifying vulnerabilities and mitigating risks can be difficult and time-consuming. Additionally, the scale of IoT networks and the rapid pace of IoT device deployment can make it challenging to keep up with security updates.

• Legacy and Outdated Devices: Many IoT devices are designed to have long life cycles and may continue to be in use even after manufacturers no longer support them. These legacy devices may not receive regular security updates and patches, leaving them vulnerable to security risks. Additionally, outdated devices may lack modern security features and encryption mechanisms, making them easier targets for cyberattacks.

• Human Factors: Human factors, such as weak passwords, poor authentication practices, and lack of awareness about IoT security, can also contribute to security concerns. Many IoT devices are controlled by end-users who may not have the technical knowledge or understanding to properly secure their devices, leading to security vulnerabilities.

The Mirai attack is a striking example of, for now, the largest ever launched Distributed Denial of Service (DDoS) attack that specifically targeted IoT devices, such as routers, cameras, and others that were secured with default or weak passwords. In 2016, the malware responsible for the attack, known as Mirai, infected these vulnerable devices and turned them into a botnet, which then launched a massive flood of traffic to targeted websites and services, causing them to crash. This attack impacted numerous high-profile websites and services like Twitter, Spotify, Netflix, and Reddit, significantly disrupting internet traffic across the United States. The Mirai attack was notable for its scale, the types of devices targeted, and the fact that it was carried out by relatively simple malware. Many affected devices were susceptible to hacking due to outdated firmware and weak default passwords. It served as a wake-up call for the critical need to secure IoT devices, raising awareness of the importance of implementing more robust security measures to prevent similar attacks from happening again. 

Among the relatively recent events, we can highlight the Verkada hack, a cyberattack that occurred in March 2021 and affected a cloud-based video surveillance Silicon Valley start-up Verkada Inc. The attackers were able to access over 150,000 cameras used by various businesses, schools, and organizations in multiple countries, including the United States, Canada, and the United Kingdom. The breach exposed sensitive and private information, including live video footage from the cameras inside women's health clinics, schools, prisons, police departments, psychiatric hospitals, and the offices of Verkada itself. The hackers claimed to have gained access to Verkada's internal network through a "super admin" account that was not secured with a strong password. They were then able to view and download live camera feeds and access other sensitive data, including employees' personal information and Verkada's source code. The attack was notable for its scale, the level of access the hackers could obtain, and the potential privacy violations it raised.

Monthly number of Internet of Things (IoT) malware attacks worldwide from 2020 to 2022 (in millions)

The number of IoT attacks globally reached over 10.54 million in December 2022. The highest number of monthly attacks was detected in June 2022, with approximately 13 million attacks. According to the Bitdefender report, Denial of Service remains the number one attack type, with over 84% of all incidents recorded in 2022. 11% of all recorded incidents target sensitive data, while device exploitation accounts for 2% of all analyzed reports. Despite increasing awareness about IoT security, the  Unit 42 IoT Threat Report suggests there is still cause for concern. The report states that 98% of all IoT device traffic remains unencrypted, leaving devices vulnerable to attacks. Additionally, the report shows that 57% of IoT devices are at risk for medium to high-severity attacks. The most common exploits are through long-known vulnerabilities and default device passwords.

The significance of IoT security will only keep growing. We would like to highlight some security practices and trends worth to be considered by businesses and consumers to enhance the security and resilience of connected devices and protect themselves from the ever-increasing threat of cyber attacks. Hardware-Based Security, Identity and Access Management, and Artificial Intelligence/Machine Learning have been around for a while and are already commonly used in IoT security. 

Hardware-Based security involves incorporating security features into the physical components of IoT devices, such as the processor, memory, and storage. This approach can help to provide robust security by implementing encryption and secure booting, which are difficult to bypass or compromise. Encryption can be used to protect data at rest and in transit, while secure booting can ensure that only trusted firmware and software are loaded during the device startup process. 

Artificial intelligence (AI) and machine learning (ML) have emerged as critical tools for enhancing IoT safety. Anomaly intrusion detection systems (IDS) are capable of detecting attacks based on previously recorded normal behavior by comparing present real-time traffic to the usual real-time traffic. ML techniques like Linear Discriminant Analysis (LDA), Classification and Regression Trees (CART), and Random Forest can be applied to massive amounts of data, enabling machines to learn, remember, and enhance the capabilities of IoT systems. These techniques can identify and classify attacks with fewer false positives and detect new forms of attack that may have gone unnoticed otherwise. Even as hackers develop new methods, they often incorporate elements of older ones that can be detected in real-time using ML algorithms.

Identity and Access Management (IAM) is another approach that can help manage user identities and access to IoT devices. Robust authentication mechanisms, such as double-factor authentication, digital certifications, and biometrics, can be implemented to allow users to authenticate individual devices with various operating functions. In addition, IoT public key authentication methods such as digital Certificate X.509, cryptographic key, and lifecycle management capabilities can be used to establish a secure connection between an IoT system and an app. These methods involve creating, delivering, managing, and revoking public/private keys to establish a secure link.

Along with the effective practices mentioned above, there are also some recent security enhancement trends that are also gaining traction. They are the usage of eSIMs, Enterprise Network Operators (ENOs), and Blockchain-based security. eSIMs, or digital SIMs adoption is getting increasingly popular. eSIMS are soldered directly into the device, preventing tampering or fraudulent use, and can be updated over the air. Following Apple's lead, more companies are expected to adopt eSIM technology for security and cost savings in the supply chain. We expect to see more enterprises move towards eSIM in the coming year.

Private networks, specifically Enterprise Network Operators (ENOs), are the next emerging trend, providing enterprises with tailored network services and more secure IoT connectivity. ENOs combine the best features of Mobile Network Operators (MNOs) and Mobile Virtual Network Operators (MVNOs) to provide network owners with centralized control. 

Blockchain-based security is a security measure for IoT devices that involves using blockchain, a decentralized, immutable ledger typically used in cryptocurrencies like Bitcoin. In this method, data from IoT devices is encrypted and stored in the blockchain, making it tamper-proof and creating an audit trail of all data interactions. This approach ensures high levels of data integrity, confidentiality, and availability.

Along with these practices and emerging trends, governments worldwide are also taking steps to regulate the security of IoT devices to protect consumers and businesses from cyber threats. Some countries have implemented specific IoT security regulations, while others have included IoT security in broader cybersecurity laws. 

Thus, The IoT Security Law, also known as Senate Bill 327, was passed by the California legislature in September 2018 and went into effect on January 1, 2020. The law mandates that manufacturers of internet-connected devices must equip their products with "reasonable" security features to protect against unauthorized access, modification, and data breaches. Specifically, the law requires that IoT devices must have unique preprogrammed passwords or the ability to generate them for each device and that consumers must be given information about the device's security features and how to maintain them. The law applies to any manufacturer who sells or offers to sell a connected device in California. It does not provide specific security standards or protocols for manufacturers to follow but requires them to use "reasonable" security measures. It has been criticized by some experts who argue that the law is vaguely worded and lacks specific guidance on what constitutes "reasonable" security measures. Others have found it unnecessary as existing laws already require manufacturers to set up "reasonable privacy protections." Nevertheless, this law has been seen as a significant step forward in addressing the security risks posed by IoT devices.

In addition to the California IoT Security Law, the US government passed the IoT Cybersecurity Improvement Act in 2020, which requires IoT devices used by the federal government to meet minimum security standards. While the Act's primary focus is on IoT devices used by the federal government, it has far-reaching implications for the increasing use of these devices by corporations and private consumers.

The UK government has published a Code of Practice for Consumer IoT Security, which outlines 13 guidelines for manufacturers to follow to improve the security of their IoT devices. The UK Product Security and Telecommunications Infrastructure Act (PSTI Act) also became law in December 2022. The PSTI Act creates a new regulatory regime to make consumer IoT devices in the UK more secure. It outlines three minimum security standards for IoT devices, including a ban on universal default passwords and requiring manufacturers to provide a public point of contact for reporting vulnerabilities. IoT manufacturers are also obliged to provide transparency on the minimum length of time during which security updates will support their products.

The EU introduced the Cybersecurity Act, which established a European Cybersecurity Certification Framework that sets out harmonized standards and criteria for certifying the security of IoT devices and services. The certification scheme is voluntary, but companies that obtain certification will benefit from increased trust and market recognition. In addition, the ETSI EN 303 645 V2.1.1 cybersecurity standard, developed by the European Telecommunications Standards Institute (ETSI), was introduced specifically for consumer IoT devices to establish a baseline for their security. It includes 13 device security, software security, and data protection provisions. The European Commission also proposed the Cyber Resilience Act in September 2022, which aims to increase cybersecurity standards for IoT devices, requiring manufacturers to promptly notify authorities and customers of cyberattacks and can quickly address such incidents. This proposed regulation is the EU's first cybersecurity regulation for the IoT industry.

The Australian government has released a voluntary code of practice for IoT security, providing guidelines for manufacturers. Thirteen principles are outlined in the Code of Practice that communicate the Australian Government's expectations to manufacturers regarding the security of smart products. They have also established a national cybersecurity strategy to help achieve the Australian government's vision of making Australia the most cyber-secure nation in the world by 2030. 

In Asian countries, the Chinese government has implemented a cybersecurity law called the "Cybersecurity Law of the People's Republic of China". It was passed in 2016 and came into effect on June 1, 2017. It aims to regulate China's cyberspace and improve the country's cybersecurity measures, including the security of IoT devices. It requires companies to follow specific security standards when producing and selling IoT devices.

In Japan, the IoT Security Basic Policy was established in 2016, which outlines the government's strategy and approach to IoT security. In 2019, the Act on the Promotion of IoT Utilization was also passed, which includes provisions related to IoT security, such as the obligation for IoT device manufacturers to disclose information on the device's security features and to implement security measures to protect user data. Japan's IoT Security Certification System provides a certification process for IoT devices to ensure they meet specific security standards.

In Singapore, the Personal Data Protection Act (PDPA) was amended in 2020 to include provisions related to IoT devices, such as requiring organizations to implement reasonable security arrangements to protect personal data collected through IoT devices. Additionally, the Cybersecurity Act was enacted in 2018, which includes provisions related to protecting critical information infrastructure, including IoT devices. Singapore's Cybersecurity Labeling Scheme, which provides a labeling system to indicate the security level of IoT devices, is a voluntary program under the Cybersecurity Act. 

The various laws, codes of practice, and certifications mentioned above demonstrate that governments worldwide recognize the importance of regulating IoT security. While some of these measures are voluntary, others, such as the California IoT Security Law and the PSTI Act in the UK, are mandatory. The gradual shift from self-regulatory regimes to country-specific regulations mandating IoT security is a positive development showing that it is a global issue that requires attention. We can expect to see more countries following suit in the future. 

To sum up, in the early days of IoT, security was not given enough attention, leading to vulnerabilities that hackers could exploit. But now, there is a pressing need for the industry to address this issue. The significance of IoT security will only keep growing, with a primary driving force being the ongoing implementation of regulations. Whether you are purchasing devices or creating them yourself, IoT security should be at the forefront of any plans. 

Reading time 11 min 41 sec