Security for IoT devices

Internet of Things (IoT) security is becoming increasingly important when it comes to the big picture of cybersecurity. While cybersecurity seeks to protect internet-connected systems from cyberthreats, IoT security is about protecting connected devices.

IoT refers to any system of physical devices or hardware that receives and transfers data over networks without any human intervention. A typical IoT system works by continuously sending, receiving, and analyzing data in a feedback loop. If you’ve heard something referred to as "smart," that generally implies IoT. Typical consumer use cases range from smartphones, smartwatches, smart homes, and even self-driving cars. IoT devices are also widely used in healthcare, supply chain management, and industrial use cases like energy and manufacturing, known as IIoT.  

Organizations have a strong incentive to use more IoT devices, because of their data gathering and measurement abilities. With benefits like edge computing and real-time insights and analytics, these devices are often associated with digital adoption and transformation. However, growing your digital profile could also grow your risk. 

The biggest reason why IoT security is so important is because an IoT device can be used to gain unauthorized access into your systems. The average person might not realize that an IoT device can be hacked, but it can. And every IoT device added to your network increases the potential attack surface.

Does someone really want to hack your printers, security cameras, or thermostat? Yes they do. Not because hacking an IoT device is their end game, but because your IoT device is step one in their larger plan to gain access to your network. They use your IoT device as a gateway to other systems that may be better protected from outside interference. Unfortunately, the same protections aren’t necessarily in place from the inside, so once an IoT device is compromised, there is an increased risk other systems will be compromised too.

Many IoT devices lack built-in security. The biggest security risk when it comes to IoT devices is that they are often designed and built without security as a priority or even a forethought. When IoT device vulnerabilities are made public, low awareness means connected devices can linger unprotected for months and even years. For example:

• To make set up easier, many devices ship with default passwords that aren’t required to change when placed on your network. 
• A manufacturer could unknowingly ship IoT devices with malware embedded in firmware because they didn’t properly scan source code used for development. 

IoT devices are always on with remote access. The 24/7 nature of IoT devices makes them equally desirable to those with good and bad intentions. It’s great that you can connect to an IoT device remotely, but that also means anyone can attempt to log in. Hackers use automation to search for and find devices that have publicly available IP addresses with passwords still set to default as a starting point for their attack.

The biggest challenges in managing IoT security are:

• Lack of awareness. Many people don’t realize that their IoT devices can even be hacked so they don’t take any steps to protect them.
• Managing sprawl. The more IoT devices you have, the bigger the attack surface. And the sheer number of connected devices any one organization may have could overwhelm its ability to keep up with security management. Scaling your ability to manage IoT devices is critical to protecting your network, data, and systems.

How and why might hackers exploit vulnerabilities in your IoT devices? 

Vulnerabilities are emergent and change over time, and the same can be said about a hacker’s motivation. Common cybersecurity vulnerabilities include ransomware, malware, phishing, and distributed denial of service (DDoS) attacks. Just a few examples of how these may be carried out through an IoT device are:

• Taking advantage of devices with passwords still set to the default.
• Finding IoT devices with known malware vulnerabilities that have not been patched.
• Recruiting an army of connected devices to create a botnet to perform a DDoS attack.
• Using an IoT device as a way into a network to spy and seek out sensitive information, possibly phishing from within your network.

There are four main things to keep in mind when thinking about the security of IoT devices. 

1. A single pane of glass: gain a level of visibility that shows all of the IoT devices on your network. 
2. Control access: only allow authorized IoT devices you know to join the network and limit those devices’ access. 
3. Monitor your network: have a good understanding of what "normal" activity looks like. This will allow you to monitor for strange behavior that merits further investigation. 
4. Automate your response time: minimize the amount of time you are exposed by using an automated response. If, through monitoring, you discover that a connected device is vulnerable, an automatic follow up to contain and repair the issue will greatly reduce the risk of being compromised.

5 things you can do to improve the security of IoT devices:

1. Never assume an IoT device is incapable of being hacked.
2. Use a different password for each device/service and never stick with the default password.
3. Keep your connected devices up to date with the latest firmware and software.
4. Turn off WiFi or Bluetooth if or when the connectivity features are not needed.
5. Put IoT devices on their own network separate from your most important systems. You can go one step further and group devices to have more than one IoT device network based on a security profile.

Everyone has a role to play in security. From end users to the security team, everyone should participate in maintaining security for your organization.

Security is a continuous process. Our focus is providing the tools you need to control, monitor, and remediate across your network, infrastructure, and applications. Red Hat offers fully integrated security measures throughout your organization’s IT infrastructure, development stack, and life cycle. Organizations can enhance their security posture by combining individual features and functions across our products and services.