Security measures aren’t keeping pace with the rate at which new technology is going to market. One of the fastest-growing segments of technology, the Internet of Things (IoT) — which includes webcams, smart thermostats, wearable health trackers, and other smart objects — is capturing the industry’s attention and growing rapidly. By 2030, the number of connected IoT devices is expected to grow to 40 billion.
Unlike traditional internet-connected devices such as laptops and servers, IoT devices operate with minimal software and resources. Many are often located in networks where updates are difficult, if not nearly impossible, making them vulnerable to cybersecurity threats.
IoT security is key to understanding and mitigating these risks. When you adopt IoT security, you ensure the protection of your IoT network and overall data. Let’s explore the challenges of IoT security and best practices for safeguarding your IoT system.
What are the challenges of IoT security?
While IoT devices face many of the same cybersecurity challenges as other systems, these are some unique to IoT.
- Embedded passwords: Many IoT devices come with embedded passwords to help remote support technicians troubleshoot and do large-scale IoT deployment. However, embedded passwords also make it easy for attackers to gain unauthorized access, which may lead to a potential IoT security breach. Without strong authentication measures, this poses a major security risk.
- Lack of device authentication: Allowing IoT devices access to the network without proper authentication opens the IoT ecosystem to unknown and unauthorized devices. Rogue devices can serve as an entry point for attacks, a source of attacks, and the compromise of sensitive data.
- Security patching and upgrading: Some IoT devices don’t provide a simple (or any) means to apply security patches or upgrade software. This leads to outdated IoT systems with vulnerabilities, making them easy targets for attackers and security threats.
- Physical hardening: Unlike cloud-based infrastructure, IoT devices can be physically accessed by attackers. Without proper security automation and physical safeguards, attackers can extract sensitive information, such as embedded passwords or encryption keys, by tampering with the device’s hardware.
- Outdated components: When vulnerabilities are discovered in hardware or software components of IoT devices, it can be difficult and expensive for manufacturers or users to update or replace them. As with security patches, many outdated IoT applications are vulnerable to attacks.
- Device monitoring and management: IoT devices don’t always have a unique identifier that facilitates asset tracking, monitoring, and management. IT personnel don’t necessarily consider IoT devices among the hosts they monitor and manage. Asset tracking systems sometimes neglect to include IoT devices, so they sit on the network without being managed or monitored.
Most of these challenges stem from security being an afterthought in the design and manufacturing of IoT devices. Even when developers consider IoT security requirements in the design process, limitations in processing power, memory, and data transfer speeds make implementation difficult. The security in these devices is often the best possible at the time, but exploits can develop after manufacturing and installation that expose these devices to new vulnerabilities and risks.
The first step in implementing security controls is to determine where those controls are needed, which is another challenge for protecting IoT devices. Because IoT devices are often not recognized as network devices, they get overlooked when inventorying or mapping the network and if you don’t know it’s there, you cannot protect it.
Fortunately, IoT manufacturers are beginning to address these issues, but organizations planning on or currently using IoT cannot wait for that to happen. Your organization should implement strong passwords, threat prevention, and other IoT security best practices to mitigate security risks.
Solutions to mitigate IoT security challenges
Manufacturers and implementers must implement IoT security best practices to mitigate security risks. To secure your IoT devices, follow these steps.
| Security challenge | Security solution |
| Embedded passwords | Do away with static/embedded passwords. Manufacturers should require users to create a strong password during device setup. |
| Lack of device authentication | Manufacturers should enforce directory integration (using LDAPs and SAML) with an enterprise password manager that injects and rotates credentials. |
| Security patching and upgrading | Manufacturers need to make it easy for devices to be upgraded or patched. Ideally, this would be an automatic or one-click process. |
| Physical hardening | IoT devices should be made tamper-proof. Devices should be monitored to detect time offline and inspected after unexpectedly dropping offline. |
| Outdated components | Vulnerable devices should be updated or replaced. This can be difficult to remedy, especially in environments that have many IoT devices in remote locations. In those cases, tighter security controls and more vigilant monitoring should be implemented. |
| Device monitoring and management | Ensure all IoT devices are included in asset tracking, monitoring, and management systems. Manufacturers should provide a unique identifier for each device. |
Many of these IoT security issues can only be resolved by the manufacturer. One critical area that your security, IT, and OT teams can address is device management.
If you’re responsible for planning or implementing an IoT deployment, IoT devices should be properly accounted for in asset management, systems monitoring, security monitoring, patch management, and incident response systems.
Examples of IoT security breaches and hacks
There are two broad categories of attacks involving IoT devices: those in which the IoT devices themselves are the end target of the attack and those that use IoT devices to attack other targets. Here’s an example of both types in action, two in a real-world incident and the other as a proof-of-concept security research:
- Akira ransomware exploit: The Akira ransomware group leveraged an unsecured Linux-based webcam to infiltrate a corporate network. The attackers exploited default or weak credentials to gain initial access to the device, encrypting network shares and causing widespread damage. Due to IoT devices lacking robust logging and monitoring capabilities, the attackers bypassed endpoint security measures designed to detect and prevent ransomware execution.
- The DDoS attack against Dyn: In October 2016, Dyn, a company that provides DNS services, suffered from a distributed denial of services, or a DDoS attack, which made much of the internet inaccessible. Major websites like X (formerly Twitter), Spotify, GitHub, Netflix, The New York Times, and PayPal were down for hours. The attack used the Mirai IoT Botnet, taking control of over 600,000 IoT devices to flood Dyn with traffic. The devices were mostly routers and IP cameras. IP cameras are frequently targeted IoT devices.
- Jeep Cherokee cyberattack demonstration: In a scary example of an attack where the IoT device was the target, the “device” was a car. Fortunately, this was a controlled demonstration by security researchers Charlie Miller and Chris Valasek, who demonstrated the attack for Wired writer Andy Greenberg, who was driving a Jeep Cherokee. Miller and Valasek, from miles away over a cellular internet connection, remotely turned on the A/C, radio, and windshield wipers. That was just the beginning. Next, they caused the Jeep to slow, remotely rendering the accelerator useless.
How to secure your IoT systems and devices
IoT attacks can have serious consequences. Securing IoT systems and devices must be done by both the manufacturers and the organizations using them. The key to securing your IoT ecosystem is knowing what devices are on your network and where they are in your network topology. Without that visibility, you’re flying blind because you can’t protect what you can’t see.
One way to identify IoT devices on your network is to require all hosts and devices to authenticate when joining the network. Any device that fails authentication can then be flagged and investigated. If it belongs to the IoT network, you can configure authentication for that device, and if it doesn’t, you’ve detected a rogue device.
Another way to secure your IoT devices is to do network segmentation. By dedicating a separate network segment to IoT devices, you can implement firewall rules and IoT-specific security policies to limit exposure. In the event of a potential IoT security breach, you can quickly block traffic from compromised devices and minimize the impact of an attack.
Once your IoT devices are authenticated, you can gain visibility into their activity using a cloud-native security monitoring and analytics platform like Sumo Logic. This solution helps you make data-driven decisions and reduces incident response times, allowing your team to focus on more critical activities.
For even greater visibility into security events, we bundle a built-in threat intelligence feed for up-to-date IOC data that can be quickly cross-correlated to identify a potential threat in your environment.
Try it out for yourself. Sign up for our free 30-day trial.
