Cybersecurity and the Internet of Things – managing risks in unexpected places

Most of us are becoming used to using common security measures in our everyday lives, from concealing our PIN at the ATM to creating strong passwords. Organisations, too, are increasingly security-savvy. The rise of flexible working and BYOD policies has encouraged workplaces to secure their networks through regular patching and features such as multi-factor authentication. However, it’s no longer just our laptops or mobile phones that we need to worry about. As the Internet of Things (IoT) continues to expand its presence in homes and businesses, there is a rapidly growing list of unsecured items that are connected to sensitive networks, posing a risk to security.

Smart technology is creating new opportunities for organisations in a number of ways – opening doors to better sustainability, cost-efficiencies, and research capabilities. Organisations are making use of a multitude of smart devices, from everyday items such as lightbulbs, fridges, or TV screens, through to cutting-edge robotic technology in hospitals or university laboratory equipment – around 68% of medical devices used by the NHS are now connected to the internet.¹ Unfortunately, many of these devices also open doors to hackers.

Unexpected vulnerabilities

IoT vulnerabilities are nothing new, but the increasing number of devices across vital infrastructure means that more and more attacks are beginning to focus on them as a likely entry point into a secure network. There are a number of reasons these devices are so vulnerable, not least the lack of a formalised and widely-adopted process for keeping them updated. The average individual is reluctant enough to update their devices and software even when being reminded to do so on a daily basis; IoT devices are often invisible and silent on the network, and their patches all the more easily forgotten or ignored.

Even when users are diligent, many IoT devices are created by manufacturers used to producing goods without internet connectivity, and so are lacking experience in software development and device security. Car manufacturers are a prime example of this, as Gartner automotive industry analyst Pedro Pacheco recently told Dark Reading: “Automakers look at [cyber security] in a more reactive way than a proactive way, basically saying we’ll address the small number of customers affected and solve the issue and then everything goes back to normal.”² As a result, IoT devices will often become patched only when an exploit has been found and the manufacturer notified by a benevolent third party, by which point malicious actors could have been using the exploit for weeks or months.

This limited security support also extends beyond a lack of regular updates and patches. Data collected through these devices is often stored and uploaded to the cloud without encryption. Inbuilt features such as microphones, cameras, GPS, or Bluetooth capabilities can be easy to access from outside the network, or to reverse-engineer. Connected printers and scanners can store highly sensitive corporate information without any real protection in place. Ultimately, a network is only as secure as its most vulnerable entry point – and as institutions rightly invest in new technology to help them progress, develop, and expand, many are in fact leaving themselves exposed to attack.

Numerous cyber-attacks in recent years have been carried out through unconventional smart devices. In May 2019, vulnerabilities were discovered in a digital lock system created by Nortek, designed to enable workers to access buildings using access codes or biometrics, that could also allow hackers to take control of the devices – opening and locking doors remotely, installing malware in company networks, and launching Denial of Service (DoS) attacks.³ More recently, we’ve had news that a wide swathe of the world’s car manufacturers have been exposed by exploits in their vehicles and systems. These security flaws had the potential to give attackers access to a multitude of controls in affected vehicles from Kia, Honda, Nissan, Hyundai, and many more, up to and including engaging the locks and stopping the car’s engine.⁴ Perhaps most worrying was the revelation in 2017 that pacemakers manufactured by St Jude’s Medical contained vulnerabilities that could allow hackers to take control of the pacemaker, depleting the battery, adjusting the regulation, or administering shocks.⁵

Those are perhaps the flashier outcomes of an attack on IoT devices, but the more mundane possibilities pose no less of a threat to organisations. Along with the standard botnet distributed denial-of-service (DDoS) attacks commonly seen in the news, hackers can target IoT devices as a relatively easy entry point into a corporate network, and then use it as a kind of ‘beachhead’ from which to move laterally into the more sensitive and secure parts of the network. Similarly, the devices can be used as a more permanent base in order to attain a longer-term presence inside a network and conduct repeated attacks while remaining undetected – in some cases hiding for more than 18 months.⁶

Securing our networks for the future

With an estimated 14.4 billion active IoT devices in 2022 – expected to grow to 27 billion by 2025⁷ – it might feel like we are losing the battle against an adversary that has an ever-expanding threat landscape to work upon. However, it is possible to successfully manage the risk. As with other cyber threats, some of the most basic steps are the most effective: strong password management and ensuring devices are kept up to date will dramatically reduce the risk posed. Beyond that, a strong zero trust policy can help to limit both who has access to your IoT devices, and what those devices in turn can access on the wider network.⁸ Most of the vulnerabilities identified in this post have since been patched, and the loopholes closed. The task now is to ensure we are ahead of the curve, protecting our people and data with pre-emptive measures and robust systems.

Support is available. Cisco partner Cylera specialises in securing IoT devices in the healthcare industry, demonstrating the increased focus on IoT risks within the cybersecurity community. Similarly, our own security team at ITGL is providing vital help to organisations working to protect their people and data, through our Cyber Assist services – including support to secure IoT devices. At ITGL we often talk about realising the promise of technology, and the growing number of connected devices will help us to do just that. While there may be risk associated with new technology, the right investment is usually worth it – provided we also invest in the right security solutions to make it safe.