While consumer internet of things (IoT) devices such as smart thermostats and fitness trackers have garnered much of the media’s attention, the internet of things has been quietly optimizing business operations around the world. In fact, according to a recent GSMA study, the number of internet of things endpoints used for business operations will surpass the consumer market by 2025.
Business IoT has shown promising results: A recent Gartner survey found that 80 percent of companies that have implemented IoT technology feel that their return on investment has been better than expected (report available to clients).
Unfortunately, the pace of IoT innovation has far exceeded that of IoT security. During the first half of 2018 alone, Kaspersky Lab found that the number of malware varieties targeting IoT devices was more than triple the number identified in all of 2017.
Small businesses considering IoT initiatives must plan for the associated security risks. In this article, we’ll cover several infamous IoT security breaches, discuss the lessons learned, and recommend security measures that must be taken by any small business investing in the IoT.
What is the internet of things?
To review, the internet of things (IoT) is a network made up of physical things embedded with sensors that transmit data about their status, state, or surrounding environment. IoT sensors come in countless varieties, making it possible to measure everything from air pressure to chemical composition.
This process allows companies to interact with previously passive assets, such as shipping containers, and to automatically compile data that might otherwise be much more difficult—or impossible—to collect. Business value is derived by converting IoT data into actionable information that automates processes and improves decision-making.
Internet of things security is a hot topic
IoT security is a problem—so much so that Google autocomplete thinks you’re more interested in it than you are in IoT solutions, software, or sensors.
And for good reason.
Attacks on the internet of things continually make headlines, running the gamut from hacked baby monitors to compromised nuclear facilities. Here, we explore a timeline of IoT security breaches and the lessons that can be learned from each.
Internet of things security breach timeline
January 2010: Stuxnet malware attack
Stuxnet was a virus that exploited a zero-day vulnerability in the Windows operating system. In early 2010, the virus was detected in computers that hosted programmable logic controllers (PLCs) connected to nuclear centrifuges in Iran. Before it could be contained, the virus had sabotaged hundreds of centrifuges.
Lesson learned: The Stuxnet incident served as an early example of the vulnerability of industrial systems connected to the internet.
July 2015: Jeep hacked by researchers
Researchers revealed that they had found various ways of exploiting connected Jeep vehicle systems. They exploited the onboard entertainment system’s Wi-Fi by brute forcing all possible combinations in its weak password generation system. This exploit eventually led them to gain remote access to critical systems such as steering and braking. The event led Fiat Chrysler to recall more than 1.4 million vehicles.
Lesson learned: Wi-Fi passwords must be complex and able to withstand brute force attacks. Best practice is to use long phrases that are difficult to guess yet easy to remember (e.g. Weate8$5applepies). This hack also shows the importance of separating IoT systems from those that host critical systems.
October 2016: Mirai botnet exploits IoT devices
The Mirai botnet used hundreds of thousands of malware-infected IoT devices such as security cameras, routers, and smart thermostats to launch massive DDoS attacks that took down major websites such as GitHub, Netflix, and Spotify.
The malware took advantage of out-of-date firmware and scanned the internet for devices with open ports using default—and widely known—credentials. The scheme has inspired numerous copycat IoT botnets, many of them using the Mirai source code which was leaked to the internet.
Lesson learned: IoT devices often ship with default credentials that are widely known to those interested in exploiting them. Bad actors use automated programs to scan the internet for vulnerable devices and infect them with malware to form botnets. These zombified armies of IoT devices can then be used to deliver DDoS attacks capable of taking down major websites. Make sure your device isn’t using one of the username and password combos coded into Mirai and botnets based on its source code.
Credentials targeted by Mirai botnet malware
April 2017: BrickerBot malware
Like the Mirai botnet, BrickerBot malware infected thousands of devices with default credentials. However, instead of using devices to launch attacks, BrickerBot destroys the device—or “bricks” it—by corrupting its memory, disrupting connectivity, and blocking all ports needed to update its firmware.
Lesson learned: Firmware must be updated as soon as new versions are made available. Unfortunately, updates for IoT devices aren’t typically well publicized, meaning consumers and businesses must proactively stay up-to-date on IoT firmware availability.
May 2018: VPNFilter router attack
VPNFilter malware infected more than half a million devices—mostly consumer-grade routers—throughout the world. The malware monitored data transmitted through devices, stole passwords, and disabled devices. Some devices were salvageable after a reboot, but others were left inoperable.
Lesson learned: The VPNFilter episode serves as a warning to small businesses that use off-the-shelf consumer-grade network gear; these routers are far less secure than their commercial counterparts. Also, because malware is often stored in an IoT device’s RAM, it can sometimes be removed with a simple reboot. Thus, it’s good practice to switch devices off and on every now and then.
June 2018: Ships found vulnerable to hacking
Researchers found that the navigation systems of many ships, from the smallest to the largest, are susceptible to attacks that could alter their GPS coordinates and knock them off course. They also found it possible to disable the navigation systems completely by remotely altering the firmware.
Lesson learned: IoT security is in its infancy, and some industry-specific applications might be more vulnerable than others. Buyers must engage IoT vendors and demand more secure IoT solutions.
- Gather data generated by or transmitted through the device
- Gain control of devices to launch other attacks
- Exploit device to gain access to more sensitive systems
- Disable devices in an attempt to disrupt operations
Small businesses seeking to invest in the IoT must guard against all of these schemes and employ all of the security measures mentioned above. However, there are additional steps you should take to better ensure network security, which we’ll get to below.
Why is IoT security so difficult to solve?
Securing a conventional network endpoint, such as a desktop computer, is like locking the front door of your house. Front doors are supposed to be the most secure entrance and exit in the house: They usually have the strongest lock and should be designed to withstand some force.
Conversely, IoT security is like locking and closing your windows: They’re all different shapes and sizes, the latches can be flimsy, and the glass is easier to break than wood or steel. A steel-reinforced door with handprint identification isn’t going to protect much if there’s an open window next to it.
IoT endpoints (e.g., motion sensors) lack the conventional interfaces and operating systems that are used to manage, update, and secure conventional computing resources (e.g., laptops and servers). To make matters worse, a lack of IoT industry standards has resulted in interoperability issues among device manufacturers and has complicated the development of cohesive IoT platforms.
Additionally, business units sometimes engage in IoT initiatives such as building automation without the involvement of IT, and employees commonly bring personal IoT devices into the office that add vulnerabilities to the network.
For these reasons and the vulnerabilities mentioned above, small businesses must segment IoT devices from IT networks that host sensitive business data.
What is network segmentation and why do I need it?
Network segmentation is the practice of logically segregating computer networks so that they are isolated from one another.
For example, employee laptops that need access to business applications will have different access needs than IoT humidity sensors in the warehouse. In this scenario, we will need at least two separate networks so that if someone hacks into the humidity sensor, they will not be able to tunnel their way over to sensitive business data.
In other words, a hacker might get some information, but network segmentation ensures they won’t get all of it.
Network segmentation also allows companies to minimize the impact of stolen credentials used to remotely access IoT devices such as security cameras. For example, the infamous Target data breach of 2013 was the result of remote access credentials stolen from an HVAC contractor.
The HVAC system in question had not been properly segmented from Target’s payment network and that eventually allowed hackers to find their way to 110 million customer accounts.
Similarly, a U.S. congressional oversight investigation blamed a lack of network segmentation for the massive 2017 Equifax data breach. The report described the event, which exposed the personal data of 145 million people, as “entirely preventable,” adding that the organization’s failure to implement network segmentation “allowed hackers to access and remove large amounts of data.”
All small businesses should practice network segmentation, not only because of the obvious security benefits but also because it costs very little money and can often be done with existing network infrastructure.
Identify and inventory your IoT devices
To begin the segmentation process, you must first identify and inventory all IoT devices to determine what kinds of access they need, what types of data they collect, and how data is transmitted. Below are suggested components for an IoT inventory that will help to classify devices, build risk profiles, and develop a segmentation strategy.
Creating a device inventory is simple if you do it from the start, but it’s more difficult if you’re already drowning in sensors and smart bulbs. Device identification and network visibility become increasingly difficult with larger operational IoT implementations, which can benefit from comprehensive IoT discovery and monitoring software from companies such as Forescout.
Smaller-scale IoT initiatives and consumer IoT devices can often be managed with less complicated software that includes network monitoring and inventory features. Check out GetApp’s catalog of network monitoring tools for a full range of software that can help track devices and maintain visibility.
Another option is Shodan, the infamous internet of things search engine. Though it’s gained a reputation as the hacker’s search engine, Shodan can also be used by businesses to find vulnerable network devices. Companies can identify insecure IoT devices and those operating with default credentials by querying their own network IP addresses.
Search results for “default password” in IoT search engine Shodan
Create virtual local area networks (VLANs) to host IoT devices
According to Gartner, by 2021, more than 60 percent of all IoT devices on enterprise infrastructure will be “virtually segmented” from traditional business applications, up from less than 5 percent in 2018 (report available to clients). Large corporate enterprises likely require elaborate network segmentation techniques because of IoT edge computing and other processing done outside of the data center.
However, for most small businesses, the creation of a virtual local area network (VLAN) should suffice and improve network security dramatically. Rather than requiring a new switch for each LAN, VLANs allow one switch to logically segment multiple networks. This enables an administrator to set different permissions and security parameters for devices hosted on each VLAN.
Though basic VLANs are relatively easy to design using tutorials found throughout the web, things get more complicated when using tags to route traffic across VLANs. Also, if your business offers guest Wi-Fi, it’s a good idea to create a separate VLAN specifically for that traffic. For any of this to be possible, your hardware must support VLANs.
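The following is an added example, not part of the original article: a short Python audit of a VLAN plan like the one described above. It checks that each inventoried device sits in the subnet of its assigned VLAN and flags inter-VLAN allow rules that let IoT or guest traffic reach the business network too broadly. The VLAN IDs, subnets, device names and rules are constructed sample data, and the rule format is an assumption rather than any vendor's syntax.

```python
import ipaddress

# Constructed VLAN plan; IDs, names and subnets are assumptions for illustration.
VLANS = {
    "business": {"id": 10, "subnet": "10.0.10.0/24", "sensitive": True},
    "iot":      {"id": 20, "subnet": "10.0.20.0/24", "sensitive": False},
    "guest":    {"id": 30, "subnet": "10.0.30.0/24", "sensitive": False},
}

# Constructed inventory: (device name, IP address, VLAN it should live in).
DEVICES = [
    ("accounting-laptop", "10.0.10.21", "business"),
    ("warehouse-humidity-01", "10.0.20.14", "iot"),
    ("lobby-camera-02", "10.0.10.77", "iot"),      # plugged into the wrong network
]

# Constructed inter-VLAN allow rules: (source CIDR, destination CIDR, port or "any").
# Anything not listed is assumed to be denied by the router or firewall.
ALLOW_RULES = [
    ("10.0.10.0/24", "10.0.20.0/24", 443),    # staff manage IoT devices
    ("10.0.20.0/24", "10.0.10.5/32", 8883),   # sensors publish to one collector
    ("10.0.20.0/24", "10.0.10.0/24", "any"),  # leftover rule that defeats segmentation
]

def misplaced_devices(devices, vlans):
    """Devices whose address is outside the subnet of their assigned VLAN."""
    bad = []
    for name, ip, vlan in devices:
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(vlans[vlan]["subnet"]):
            bad.append(name)
    return bad

def risky_rules(rules, vlans):
    """Rules letting a non-sensitive VLAN reach a sensitive one on any port or more than one host."""
    findings = []
    sensitive = [ipaddress.ip_network(v["subnet"]) for v in vlans.values() if v["sensitive"]]
    untrusted = [ipaddress.ip_network(v["subnet"]) for v in vlans.values() if not v["sensitive"]]
    for src, dst, port in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        from_untrusted = any(s.overlaps(u) for u in untrusted)
        to_sensitive = any(d.overlaps(t) for t in sensitive)
        if from_untrusted and to_sensitive and (port == "any" or d.num_addresses > 1):
            findings.append((src, dst, port))
    return findings

if __name__ == "__main__":
    print("Misplaced devices:", misplaced_devices(DEVICES, VLANS))
    print("Rules to review:", risky_rules(ALLOW_RULES, VLANS))
```

In the sample data, the camera sitting on the business subnet and the blanket IoT-to-business rule are the two findings; the single-host, single-port rule for the sensor collector passes.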
IoT devices and their components are developed by various companies around the world with few industry security standards or best practices. For this reason, running a secure IoT platform can be complicated for a small business.
Fortunately, IoT platforms such as Microsoft Azure IoT are becoming more affordable, and vendors are beginning to develop options suitable for small businesses. Additionally, endeavors such as Sprint’s IoT Factory are offering customizable options for small businesses that can be rented on a monthly basis or purchased outright.
The small-business IoT space is evolving rapidly. For now, when adopting any IoT technology, ensure that it is properly secured and segmented from sensitive business data so that you can focus on solutions instead of worrying about security.
This article is part of an ongoing series about the business value of IT
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context and are not intended as endorsements or recommendations.