By: Christopher Kline on April 28th, 2020
Internet of Things (IoT) Security Risks and Challenges
As a business owner, you embrace new technologies that:
- Help your business grow.
- Keep your employees happy and motivated.
- Complete work better, faster, and cheaper.
All facets of our personal and business lives are becoming more digital. More tools and technologies are available than ever before, many of which help achieve the business goals above. They automate processes, provide data to inform better decisions, and support employees doing their best work.
We get instant answers from our personal assistants, automate our home or business temperature, and order products by simply asking for them out loud. All this technology keeps personal data about us, our habits, and our businesses. that information secure is paramount.
Over the past few years, we’ve seen an increasing number of attacks carried out against a wide range of connected devices, often called Internet of Things (IoT) devices. These can range from smart home devices to business security cameras.
There are steps to help mitigate and, in some cases, eliminate these threats. It all starts with understanding and evaluating the benefits and risks of each internet-connected device and making an educated decision about the necessity of that device.
In this article, we’ll help you find a balance between the convenience and business benefit of internet-connected devices, and the security of your personal information.
You’ll learn to ask questions like:
- Does the HVAC company truly need an internet-facing direct connection?
- Do security cameras really need an internet connection?
- Do I really need a wifi-enabled fish tank thermometer to regulate the water temperature?
Before we dive into the benefits and risks of Internet of Things (IoT) devices, let’s define the Internet of Things.
What is the Internet of Things (IoT)?
Internet of Things (IoT) is a catch-all phrase used to describe any fixed-function device with access to the internet. Fixed-function means the IoT device utilizes software to perform a specific action or actions, but it cannot be reprogrammed for a different purpose.
For example, your SmartTV (an IoT device) can run only streaming applications, and it cannot be reprogrammed to run Microsoft Office. Your computer, on the other hand, can be reprogrammed and can run applications that serve different purposes like streaming TV, doing your taxes, or ordering takeout
From Amazon’s Dash buttons for ordering products to your office HVAC system, each IoT device serves one specific purpose.
Benefits of Internet of Things (IoT) Devices
People have learned to love the Internet of Things because it can provide great convenience in our daily lives.
IoT devices are convenient and appealing to both individuals and businesses because they offer time savings, cost savings, or both.
With the IoT, you can do things like:
- Instantly obtain an answer to questions on your mind.
- Set appointments on your calendar verbally.
- Automatically turn on the heat or air-conditioning simply by opening the front door.
Risks of Internet of Things (IoT) Devices
To understand the risks of IoT devices, we must first have a clear understanding of the internet and the inherent risks of connecting to it.
How Does the Internet Work?
The internet is merely a big network of routers that pass 1s and 0s back and forth around the world.
All data, from written text to audio and video, is seen by your computer as a unique pattern of 1s and 0s. Sometimes, those 1s and 0s are stored locally on your device, or inside a private network within your office building. A connection to the internet allows you to send 1s and 0s from your computer or network to another computer anywhere else in the world (think email messages). Your computer can also receive 1s and 0s from another computer, or a public server (think websites).
These 1s and 0s are passed through routers as data packets. Packets contain the raw data of that email message or website image, as well as the location of the sender and receiver.
Think of packets as packages, and routers are the postal service employees that carry your packages from one post office to another, and ultimately to your front porch.
Risks of the Internet
Just like a criminal could send something dangerous through the mail that looks just like a birthday card from grandma, criminals attempt to send packets of data through the internet that contain patterns of 1s and 0s that will damage your computer or other local data. Additionally, packages sent through the mail can get intentionally or accidentally damaged, viewed, or stolen. These same things can happen to your packets of data as well.
Mitigating Risks of the Internet
Despite these risks, we still send packages back and forth through the mail. The convenience and cost savings of not personally delivering your niece’s birthday gift from Maryland to California outweighs the risk of something happening to it in the mail. Additionally, we put safeguards in place like a “handle with care” sticker in a fragile package, damage insurance, and general caution of unexpected, suspicious packages.
Traditional computers and networks employ similar safety practices to protect against the general risks of transmitting data over the internet. We put our local computers and servers behind a firewall that detects and stops dangerous data from making it to our computers. We encrypt sensitive data like credit card and social security numbers so that only the intended recipient can view it. And we install antivirus software on our devices to identify and remove harmful data that may have made it past the other safeguards.
Internet of Things Risks Compared to Traditional Computer Risks
The IoT devices introduce unique risks to our network and data security because they are not thought of in the same way as a traditional computer. We usually don’t think of our TVs and HVAC units as a computer. So, they are often not integrated into our secure home or office networks. Without additional precautions, your Smart TV or HVAC system could be sending and receiving data packets through a direct, unfiltered, unsecured connection to the internet.
Increasing Risks of The Internet of Things
So, now you understand how risks are introduced to your devices through the internet and why IoT devices often present a higher risk than traditional computers. Why are we seeing more and more security risks and breaches associated with IoT devices? A recent report from Zscaler highlights where most of IoT risks are present.
Increasing IoT Use in the Workplace
Compared to previous years, the number of employees bringing personal IoT devices into the workplace is on the rise. Employees have adopted IoT devices into their daily lives and are translating that into the workplace. Their FitBits are on your network, syncing their steps. They use Amazon Alexa to navigate music playlists, answer quick questions, and call specific contacts. And they use their phone to tell their coffee maker when to make their next cup. This can pose a significant risk as an unaccounted device can lead to security deficiencies in your entire network.
Most IoT Devices Transmit Data in Plain Text
Remember the package analogy and the possibility of a third party viewing the contents of your package as it’s passed between mail carriers? When a device sends data in plain text, anyone who gains access to the routers used to transmit the data can read it. An SSL channel encrypts the data so that it is not easily read by anyone who intercepts it during transmission. Only 17% of IoT devices use secured communication to the internet. If used for work purposes, this could lead to outside entities obtaining critical information such as login credentials or business plans.
IoT Devices Require Manual Security Updates
There’s been an influx of viruses targeting IoT devices. Assuming it’s appropriately configured and connected to the internet, your computer operating system automatically updates with security patches to protect the device from new security threats. Software manufacturers are continually identifying new threats and releasing updates to protect your device from them. Plus, your IT department or managed service provider can install software to monitor those traditional devices for patches and necessary security updates.
IoT devices, on the other hand, normally require manual updates, if they can even be updated at all, and can’t be monitored with a network monitoring solution. This makes them easy targets. Without an update to patch the flaw, the same threat remains persistent.
Steps to Mitigate the risks of the IoT
In the case where the threat can be eliminated by a security patch, the vendor selling the device needs to be invested in their product. Good vendors will supply updates to their products closing the security hole. Although this is the best outcome overall, there can still be a business expense incurred. In the case of security cameras, it might require support staff to climb up on a ladder to plug a USB device in to update each device.
In the worst-case other strategies will need to be employed to reduce the risks. Some best practices relevant even for devices receiving security patches is to make sure they can’t directly talk with the same network your client data is stored. The same principle might presently be employed at your place of business for guest wifi. You wouldn’t grant outside visitors the ability to freely connect to the network on which your important information is stored. You should apply that same logic to IoT devices.
Here are some basic steps you can employ to help mitigate the threat of IoT devices:
- Always change a device’s default password.
- Make sure smart devices don’t share the enterprise network (i.e., use a “guest” network separate from your internal network).
- Don’t allow a device to be internet addressable.
- Weigh the cost of security risks, with your ability to mitigate the risks, and the convenience and business results offered by the device.
- Purchase devices from reputable brands that regularly release software updates and security patches.
- Keep a list of all connected devices. Be sure to include all traditional and IoT devices in your security, compliance, and risk management plans.
Need to get started with your list of devices?
Is the Internet of Things Worth the Risk?
With the emergence of IoT devices aiming to make our lives more efficient, a discussion of convenience and business impact versus security should be had. Many IoT devices can be safely used if they are cordoned off from your business network. Like most technology use, security awareness is your best defense.
Before connecting any new device to your network, or granting it access to your personal or business information, be sure to:
- Clearly define the benefit the device offers.
- Have a clear understanding of the potential risks of the device.
- Have a plan for minimizing the risks as much as possible.
For home use, the decision is more personal. Consider how you want your personal life shared. Your thoughts, tastes, and interests are collected by many IoT devices and are presently shared with marketing firms and the government if requested.
Weigh the pros and cons of an individual and device level every time you consider adopting a new IoT device into your business or personal life.
Not sure where to start in identifying, tracking, and assessing all of the devices connected to your network?
About Christopher Kline
Chris Kline has worked in various tech support roles since 1997 including field service, helpdesk, bench tech and project roles. He has a Bachelor of Science degree in Systems and Network Administration from Bellevue University and is Microsoft Windows 7, Configuring Certified. He joined Innovative, Inc. in 2009 as a Systems Technician. He currently works on Innovative's Network Operations Center (NOC), where he monitors and troubleshoots critical network elements of Innovative's more than 150 managed customer networks.