Holistic IoT Security Can No Longer Be Overlooked


“A bad cyber actor may not be able to access your locked-down computer, but your unsecured TV may give an easy way in the backdoor through your router.”

This statement does not come from a cybersecurity leader or an Internet of Things (IoT) security expert, but from the FBI. The bureau has voiced its strong stance over the insufficient security in innovative IoT devices on several instances. And it’s not just smart TVs, but smart bulbs have also been hacked through commands sent via an infrared invisible light to the IoT device.

Meanwhile, a Slingshot malware was discovered hidden in routers for six years, gathering data, and the malware was used against targets in the Middle East and Africa. Perhaps, timely security updates, and a better detection tool could have avoided it?

IoT devices are extremely vulnerable. There are billions of them in the world, and they lack the essential built-in security controls that can keep threat actors at bay. Many IoT manufacturers disregard certain security features that can ultimately create easy gateways for hackers.

Consider the smart coffee machines that are connected to the internet using applications. It could be targeted by hackers to steal customer bank details. In 2019, a researcher from security giant Avast easily reverse engineered a smart coffee machine to a point where ransomware could easily be added.

Vince Steckler, chief executive of security, Avast said, “Coffee machines are not designed for security. TVs are not designed for security. What they are is additional vectors to get into your network. And you can’t protect them.”

Apart from weak passwords, insecure network services, and insufficient privacy protection, there are many other details that are overlooked and considered to be less of an issue. The real problem begins here.

With rapid advancements in technology, innovative IoT devices from coffee machines, headphones and smart TVs to smart bulbs are inevitable. And specific security protocols for IoT devices can no longer be an afterthought.

Smaller or less frequent attacks that avoid detection

In the IT sector, catastrophic damage can hit companies if smaller IoT breaches go undetected. Imagine if a User to Root attack escapes detection, the cybercriminal can obtain authorisation privileges and create havoc on the victim’s computer system.

While several advanced detection tools have been launched, there is always a high chance of new IoT botnets to evade detection. For instance, a BP algorithm evaluates the gradient of the IoT network’s error but for Artificial Neural Network (ANN)-based intrusion detection system (IDS), the training dataset for less-frequent attacks is pretty less, making it difficult for the ANN to understand the properties of the small attacks correctly.

ANN possesses the potential to add more protective layers and produce highly non-linear models that can capture complex bonds between input attributes and classification labels. Experts strongly recommend organisations to upgrade the detection precision for less frequent and micro attacks.

IoT botnets that aim at cryptocurrency

Blockchain is the talk of the town. The excitement around crypto mining along with the recent rise for cryptocurrency valuations and the craze for NFTs are tempting hackers. But blockchain is resistant to hacking is a myth.

According to Kaspersky, 2021 witnessed 1.5 billion smart device attacks, with hackers looking to not only steal data but to mine cryptocurrency. For instance, the Lemon Duck botnet targets computer resources to mine Monero. Moreover, it has self-propagating capabilities with which it can infect additional systems and make them part of the botnet too.

The ultimate goal of threat hackers is to aim an IoT botnet at crpytojacking. Social engineering to hack blockchain-based attacks is a major problem, and some hackers are even repurposing IP and video cameras to mine virtual currency.

Experts believe the main vulnerability is not the blockchain itself, but it’s the blockchain application development. They recommend organisations to invest in advanced monitoring and detection tools to prevent hacking.

The IoT Data Overflow

With billions of IoT devices popping up worldwide, IDC predicted that the data generated by them will hit 79.4 zettabytes by 2025. Moreover, it takes 1,000 data centres to hold one zettabyte – you do the math.

Many organisations believe the more data there is, the easier it gets to aggregate and analyse, causing little data wastage. Apart from the simple logic of inaccuracy, how does one evaluate the security model? Processing all this data is no easy task, and it would require a bigger budget and a stronger security system.

A major chunk of a company’s budget must go into data preparation, and the data flow from all IoT projects is excessive. Some organisations that do not invest in optimal tools and resources could invite security vulnerabilities. Moreover, delaying the addition of data into the warehouse can reduce the efficiency of analytic reports, which in turn can create loopholes in IoT strategies — an even bigger invitation to threat actors. They could easily hide volumes of malicious traffic in the new, unfamiliar data networks.

How many rounds of testing has the device been subjected to?

IoT gadgets are everywhere, but they come with a cost. With possibly over 27 billion connected IoT devices in the world by 2025, efficient handling of each product seems impossible.

Many IoT gadgets do not get updated regularly, and some don’t receive crucial security updatesl. Meanwhile, several types of IoT devices that are created in bulk, enter the market pretty early without going through multiple testing rounds for security assessment. IoT manufacturers need to understand the risk of taking security concerns lightly, and not just focus on immediate cash flow and revenue. Ultimately, the security vulnerabilities that cause privacy distress will put them in a customer’s blacklist.

Proper testing and regular security updates that cover connectivity, continuity, compliance, and cybersecurity are crucial.

The often-overlooked decommissioning process

IoT devices are expected to last for years, and so designing the IoT device lifecycle management plan is critical. While many companies focus on pre-commissioning, operations and end-to-end security, many do not give a second thought to decommissioning.

Sometimes, when a device malfunctions, it is sent to the bottom shelf to collect dust or altogether discarded. It’s time companies understand that the IoT management cannot end with trashing the device. Data about the physical and network assets, including proprietary information and user credentials is still inside the device and can be accessed by hackers long after its use.

Certificates should be revoked, and confidential, sensitive, rather all the available data should be deleted securely. Inventory software integrated into smart locker systems can help keep track of warranties and lifecycles. Warning emails should be sent when the IoT device judgment day approaches.

Meanwhile, for devices that are to be commissioned in another network, it is critical that the device be reset to its factory reconfiguration. Disconnecting the device from the server will require system notification for appropriate action and adaptability.

Some recent IoT security advancements

Addressing the myriad IoT security challenges requires innovative solutions and collaborations.

Crypto Quantique and Macronix are collaborating to strengthen the use of the former’s Quarklink IoT security management platform and the latter’s ArmorFlash ecosystem. Together, the QuarkLink platform could securely connect the ArmorFlash root-of-trust to edge or cloud-based services and applications. This partnership could provide customers with an end-to-end security solution.

In light of the recent discovery of Braktooth, a group of vulnerabilities in commercial Bluetooth chipsets impacting end-user devices, Keysight Technologies launched an IoT security assessment software solution. It enables IoT chip and device manufacturers as well as organisations deploying IoT devices to perform comprehensive, automated cybersecurity assessments. The software reveals security vulnerabilities across any network technology.

Additionally, Device Authority, an identity and access management platform for IoT, released KeyScaler Edge to help customers in the healthcare, retail, and transport sectors with their IoT edge deployments. It will address the complex end-to-end challenges of IoT security lifecycle management at the edge.

While cybercriminals work on exploiting IoT devices to turn them into botnets, here’s hoping that the security providers will come up with more innovative solutions to counterstrike. The IoT security market will be worth $40.3 billion by 2026, and we hope no stone is left unturned.

If you liked reading this, you might like our other stories

Internet of Things and Challenges
Is Ethical Hacking Our Last Defence?