If you have asked Alexa a question, used a smart watch to track a workout, or streamed a show directly to your smart TV, you have used a device connected to the Internet of Things.
The Internet of Things (IoT) refers to the network of physical devices, vehicles, appliances, and other products that gather, store, and share data over the Internet. Common IoT devices include "smart home" appliances (e.g. smart thermostats and TVs), health tracking devices (smart watches), and voice-activated digital assistants that respond to voice commands (Amazon Echo and Google Home).
Why is IoT Security Important?
Many users and developers do not consider IoT devices as targets for cyber attacks, meaning that IoT devices often get overlooked when it comes to security controls. However, the IoT ecosystem is a high-risk environment with multiple opportunities for malicious actors to tamper with devices or manipulate the flow of information. Each IoT device can serve as an entry point to the network that the device is connected to, allowing cyber criminals access to information and resources they would not have had otherwise.
IoT devices have experienced exponential growth in recent years, due in part to COVID-19 and the resulting shift to more remote work. In 2020, IoT devices exceeded traditional devices (such as computers and laptops) for the first time, representing 54% of 21.7 billion active connected devices.
Common IoT Attacks
- Denial of Service (DoS) attacks - a device is used to overwhelm servers with traffic, preventing users from accessing common services
- Firmware exploits - "firmware" is software embedded into hardware devices that is responsible for how a device operates. On many IoT devices, flaws and vulnerabilities in firmware are overlooked and not patched, allowing for attackers to exploit these vulnerabilities.
- Credential exploits - Attackers are able to guess generic or default usernames and passwords to gain access to a device and its network.
- On-path attacks - 98% of all IoT device traffic is unencrypted, making devices especially vulnerable to attackers intercepting and manipulating data being transferred between devices.
Recommendations for IoT Security
The following actions can help secure your IoT devices. You may need to research the specific device to determine whether there is any guidance on how to enable these recommendations.
- Use strong, unique usernames and passwords. If a device has a default username/password, make sure to change this as soon as possible.
- Make sure your device is always up to date with the most recent patches and OS updates. This may include enabling auto-update features.
- Enable multi-factor authentication (MFA) when possible.
- Take inventory of your connected IoT devices and be aware of what data these devices are processing.
- Disconnect any devices that are not used regularly.
- Disable any unnecessary network connections or ports.
Sources
https://www.ibm.com/think/topics/internet-of-things
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
https://www.crowdstrike.com/en-us/cybersecurity-101/exposure-management/internet-of-things-iot-security/
https://www.paloaltonetworks.com/cyberpedia/what-is-iot-security