It wasn't long ago that the Internet of Things seemed to be a fad and projections of billions of connected devices seemed like a gross exaggeration. But the technology is now beginning to become ubiquitous in the enterprise and industrial realm. Smart TVs are becoming a staple of boardrooms, and internet-connected HVAC, surveillance cameras and lighting systems are commonplace.
While the rise of IoT in the modern workplace may be novel, several of the most common security weaknesses plaguing IoT devices aren't exactly new. But addressing IoT security concerns is not the same as traditional IT security; it requires keeping track of an array of considerations, including the following 10 items:
Poor mobile security
"The common IoT vulnerabilities that I often see tie into poor security on mobile applications," said Deral Heiland, a veteran penetration tester (pictured below) who leads Rapid7's IoT security division. "One of my biggest gripes is data being stored on mobile apps." While saving data on iOS is likely less risky than on Android, storing sensitive data on any mobile device is less than ideal. What happens if a worker simply loses a smartphone with valuable data on it that isn't backed up elsewhere?
Storm clouds on the horizon
The cloud is often another weak link in IoT implementations. "Cloud APIs for IoT devices are probably worse than normal web APIs when it comes to security," Heiland explained. "I think part of the problem is that most of the developers look at the communications between IoT devices and the cloud APIs as machine-to-machine communication."
The threat of default credentials
And then there's the risk that IoT devices have not-so-secret backdoors that can be accessed using default usernames and passwords. "Companies should be asking: 'Are we doing proper authentication and encryption of our communications?'" Heiland advised. "You could have someone Telnet onto a nonstandard port and use a default password. Mirai kind of brought that risk to light."
Weaponized standard devices
One IoT security concern is that common devices such as smart TVs and printers can become threat vectors. "There are potentially significant security issues around multifunction printers," Heiland explained. "I consider the current printers to be very IoT-driven. We have used printers during assessment to gain access to organizations' networks and also to exfiltrate data."
The difficulty of loading agents onto IoT devices
"A big challenge we see is that you can't put agents [such as antivirus software] on many IoT devices," said Yevgeny Dibrov, CEO and co-founder of Armis Security (pictured below), an IoT-focused security startup. "So a lot of companies don't have the equivalent of endpoint security for every connected device whether they are printers or security cameras or something else. How do you know if one of these devices is doing something it shouldn't be doing?"
The threat of rogue IoT devices
Another IoT security concern is the growing prevalence of rogue connected devices hidden within enterprises secretly surveilling the network. "We are seeing this more and more," Dibrov said. "We are seeing rogue IoT devices, for instance, Raspberry Pi or Wi-Fi Pineapple devices. This is a popular attack vector because it is so easy. An attacker can take one of these devices and go to Midtown Manhattan and make hundreds of devices connect to a rogue device — including mobile devices belonging to financial institutions and other types of companies."
A lack of network awareness
A related problem is that many organizations aren't fully aware of what is on their network and thus can't judge if they have misconfigured IoT devices or rogue devices. It is often difficult to maintain a dashboard-like view of all the devices on the network. "In our experience, many organizations can only see about 60% of their connected devices in their environment," Dibrov explained. "We see this problem across organizations, whether they are in healthcare, manufacturing, the tech field or the financial sector."
Radio frequency concerns
Ultimately, the field of IoT security is a multifaceted, far-ranging discipline. Heiland recommended exploring the entire ecosystem, which includes all the above factors as well as considerations like vulnerabilities posed by specific radio frequency communications. Bluetooth 5, for instance, supports mesh networking, potentially enabling an attacker to target a single Bluetooth device and spread malware across the entire mesh network.
Armis recently discovered a Bluetooth-related vulnerability dubbed "Blueborne" that could potentially affect numerous IoT devices.
Manufacturers of IoT devices guarding intellectual property may want to consider protecting the firmware of their products. "For companies where IP is important, they don't want someone easily getting the firmware off the device," Heiland said. "That is something we often test."
Many manufacturers of IoT devices take a lackadaisical approach to protecting intellectual property, failing to use cryptography-based protection that is available on the hardware they use. "We have seen that oftentimes organizations don't use built-in protection that exists on some of their chipsets."
Staying realistic about IoT security risks
As a growing number of security researchers are beginning to focus on the Internet of Things, some of their findings pose more of a theoretical risk than an actual one — for now. "I have read some pieces on the concept of using smart lighting to exfiltrate data by compromising an internal network. Can we get a light in a room to fluctuate enough to transmit data?" Heiland asked. "In the test environment, it is very doable. In the real world, it has still not been proven yet — at least that we know."
While security researchers continue to uncover an array of IoT security concerns, Heiland stressed the importance of having a realistic perspective. "People ask me, ‘What should I do about all of these vulnerabilities that are coming out?’ And I say, 'All of these vulnerabilities are coming out because of people like me. We are not trying to find these vulnerabilities to ruin peoples' lives. We are out there trying to find them so we can get them fixed.'"