Cut Corners: The Weak Link in IoT Cybersecurity

Companies commonly overlook IoT risks. Many times they assume that they are being managed by a third party or don’t understand how IoT devices connect to their traditional network. But internet-connected devices could pose a major threat to your network’s security. They can be either a point of entry to your network or used to attack someone else’s system.

IoT devices can be particularly worrisome when you rely on employees to operate them securely. According to a 2017 Willis Towers Watson study, employee negligence is responsible for 66 percent of cyber breaches. Employees may not be malicious. But they could be careless. Their negligence could be your problem if your network is breached. Take these next two examples of how a lack of basic security best practices resulted in a massive exposure to risk—or worse, a massive attack.

IoT Entry Point Attacks

In 2015, researchers found that more than 5,000 U.S. gas stations were at risk of a breach because their automated tank gauges (ATGs) were on the public internet—without password protection. Trend Micro had also found examples of hackers attacking the devices, from simply modifying a gas tank’s product label to dangerously altering the tank’s behavior.

According to DarkReading, the problem has worsened, with 5,635 locations were found to be vulnerable in 2018. The exposed gas stations’ tank gauge data can be accessed by attackers as well as manipulated for fuel theft or other sabotage.

DDoS Attacks

Hackers used IoT devices infected with Mirai malware to launch a DDoS attack against DNS provider Dyn in 2016. According to Datafloq, the malware found and infected more than 500,000 IoT devices that were still using default passwords.  

Although attacks on IoT devices ranked just tenth among the chief concerns of the 580 respondents to the 2017 Black Hat Attendee Survey, 34 percent of those cybersecurity professionals indicated that IoT security would be their #1 concern within two years. “This makes sense as Gartner estimates that over 20 billion IoT devices will be connected by 2020, up from 8.4 billion in 2017,” said cybersecurity evangelist Ken Mafli.

To mitigate these attacks, you can improve your IoT security by watching for these common cut corners.

1. No Passwords

Alan English, the director of brand development at fuel management application provider Veeder-Root, told DarkReading that problems can occur with ATGs because users do not properly configure the devices with strong passwords and place them behind a firewall. “Users need to maintain proper network safeguards, as they would for any other Internet-connected device in order to prevent outside traffic. This includes the use of firewalls and strong passwords,” said English.

2. Weak Passwords

Using passwords that hackers can easily guess can be just as dangerous as no passwords at all. Unfortunately, employees tend to use easily searchable names or terms as passwords. They also often use the same password for multiple sites, meaning that their IoT devices could be breached if their passwords are compromised elsewhere.

Natasha Lane, writing for Datafloq, recommends implementing multi-factor authentication to prevent human errors in cyber security. Multi-factor authentication verifies who a person is based on at least two of three elements: what they know, what they have, and who they are.

3. Using Secure Technology

IOActive’s Lucas Lundgren found that more than 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) protocol on the internet were not using any authentication or encrypted communication. He also developed a tool that could attack MQTT-based servers, see the data being sent and received, and control the devices.

Lundgren presented at Black Hat USA 2017 on taking over the world through MQTT and noted that he could view coordinates for airplanes, electrical meter readouts, and the status of home alarm and automation systems. He also was able to send messages and commands, issue firmware updates to devices, “and even open prison doors.”

Using unsecured technology could potentially expose your entire network to attack. You must deploy end-to-end encryption with strong asymmetric encryption for any communication with the IoT device. Preferably, you should also deploy 256-bit symmetric encryption for any sensitive data-at-rest. This will ensure that your IoT devices are hardened against likely attacks.

Moving Forward

Human error and cut corners will always remain a factor in cybersecurity. But you can protect against data breaches by using a SOC 2 audit to confirm that you handle customer data properly.

Aimed at companies that store sensitive information for other organizations, SOC 2 reports detail the controls of the systems used to process data and the security and privacy of that data. This includes looking at factors such as password policies and IoT technologies. You will find areas where you are vulnerable and learn ways to improve.

IoT cybersecurity will continue to grow in importance as more workplace devices are connected to the internet and hackers seek to exploit their vulnerability. Protect your network—and your company—by avoiding cutting corners and helping your employees operate their devices securely.