As IoT devices become common and enterprises are increasingly adopting them in their business processes, the security risks associated with them are also becoming more apparent. In the first half of 2021 alone, there have been more than 1.5 billion IoT-related security breaches. This presents huge security risks for organizations and individuals.
Estimates suggest that the total consumer spending on smart home systems in 2021 was 123 billion USD. The global spending on IoT is expected to reach 1.1 tr USD by 2023. In this situation, IoT developers have to consider security right from the start instead of as an afterthought. Security has to be baked into the devices right from the scratch.
In this article, we explore some of the common challenges of securing IoT devices.
Security challenges facing IoT devices
Default passwords and poor device management strategies
This may seem like something really simple, but this has created enough problems that governments have created legislation against them. When IoT devices first started becoming popular, most organizations lacked a proper strategy to secure the sheer number of devices. These devices often had default passwords which most users never bothered to change.
While most users set up passwords for their PCs or smartphones, they often perceive IoT devices as low risk. And reasonably so, the average person may not see what a hacker stands to gain by turning on their light bulbs.
But malicious actors took advantage of these to launch large-scale botnet attacks. These IoT networks became zombies in attacks launched against other targets. And as for the safety of the device’s owners, these devices offered access to their home networks.
But governments have started taking action, for example, the UK government introduced the Product Security and Telecommunications Infrastructure bill. The bill banned using default or easy to guess passwords and imposed fines for organizations not using unique passwords for their products.
Lack of security patches
Most consumer IoT devices rarely, if ever get security updates and patches. It may be that unlike smartphones there is simply too much variety in the devices; OEMs simply find it too expensive to roll out patches for their entire range of devices. Smartphone OS updates (other than iOS updates) are handled partly by Google, partly by the chip manufacturer, and partly by the device manufacturer and the process is somewhat streamlined, if delayed. And there are plenty of resources working on identifying bugs or security flaws.
With IoT devices, almost the entire process is handled by the device manufacturer. And in a competitive market, the goal is often to develop new devices and capture the audience, and there’s less focus on security updates.
In some IoT systems, the inherent characteristics of the device make updates complicated. Particularly in IIoT systems, some devices have small battery capacities and are often asleep most of the time. Some of them may not have high bandwidth connectivity, often relying on Bluetooth or BLE for sending small bursts of data every once in a while. This makes OTA updates complicated.
Device manufacturers have to develop an update management strategy as they build these devices. They need to invest in identifying security flaws and ensuring that they’re fixed on time, otherwise, they’ll leave end-users prone to cyber threats.
Open communication ports
This is a common security issue security experts have noticed among IoT devices. Device OEMs often leave communication ports and services from IoT devices open, even when not in use. These unused ports present a target to the malicious actors who can use them to steal data or gain access to the network.
This was one of the vulnerabilities that led to the Mirai botnet attack, which exploited default passwords and open ports to take control of thousands of IoT devices and used them as a zombie army. As far as enterprises are concerned, closing unused open ports is one of the first steps they can take to protect their IoT devices.
Lack of standards for securing IoT devices
While governments have certainly developed standards over the last couple of years, we’re yet to see the impact of these regulations. Most of the regulations have been around default passwords; the laws are yet to define minimum standards of security for IoT devices. For example, the California IoT Act demands that manufacturers develop reasonable security features according to the nature of the devices. OEMs are also mandated to protect the information collected by the devices, and stored in the device.
European Union’s ETSI standard is much more detailed; it covers software updates, secure boot process, secure storage, validating the input data, managing data telemetry, and more.
Possibility of physical access
It is possible to store most electronic devices safely. But the very nature of IoT devices and sensors means they are often in open locations where anyone can access them. This presents quite a challenge to OEMs. Building tougher cases can prevent physical tampering, but this also increases the manufacturing costs and restricts access to any maintenance. Another risk with physical access is that attackers can exploit any access points left open for troubleshooting or updating the firmware.
The better hand in this situation is that it’s not always feasible for attackers to physically gain access to the device, and it is not easy to target a large number of devices in this manner.
Either way, OEMs will have to come up with security measures to keep IoT devices from physical tampering.
IoT devices present Inherent privacy risks, and organizations must put security first when developing them.
IoT devices typically have a range of sensors that collect data from their environment. This could include anything from temperature and motion sensors to mics and cameras. Particularly in a consumer electronics situation, these devices present an inherent privacy risk. Anyone who gains access to them can spy on the users and collect sensitive information. OEMs have to develop robust security standards to roll out regular software patches and ensure the safety and security of their devices.
