​​Internet of Things – Risks and Mitigations

Introduction

Internet of Things (IoT) devices have reached near ubiquity both in Enterprises and at home. More and more devices are shipped with internet connectivity. This connectivity allows for convenience in being able to remotely control devices, but it can come at a cost. Frequently these devices are implemented independent of the Information Technology Department and securing them is often an afterthought. The risks presented by unsecured IoT devices can be as great as an unpatched laptop. However, by implementing security best practices your organization (and home) can implement Internet of Things devices safely and successfully.

What is an Internet of Things Device?

According to McKinsey, Internet of Things, “describes physical objects embedded with sensors and actuators that communicate with computing systems via wired or wireless networks.”

What IoT Devices are in an Enterprise?

Here are 7 examples of IoT devices found in an Enterprise.

1. Lighting – Smart lighting systems are being installed as energy-saving devices and often come with built-in networking modules.
2. HVAC – Smart thermostats and environmental systems have become the norm in Enterprises to allow for greater control and cost savings.
3. Security – Smart security systems that include cameras, sensors and alarm panels allow for remote monitoring and are increasingly commonplace.
4. Printers – Perhaps the original IoT device, nearly all organizations have networked printers. Many are managed by outside firms and to enable remote management, are subsequently internet connected.
5. Phones – Voice over IP (VoIP) phones and particularly conference room devices are all network connected and some are configured to communicate with cloud services making them exceptionally vulnerable.
6. Displays – Many enterprise offices have wall mounted, networked displays to pass along valuable information to employees and visitors.
7. IIoT – Admittedly, not a single device but Industrial Internet of Things are IoT devices that are found in industrial settings. These devices frequently have networking capabilities for remote configuration and monitoring.

This isn’t a comprehensive list but rather a sampling of the more commonly implemented enterprise Internet of Things devices.

What threats am I facing and how can I protect my network?

Here are the 5 most common IoT attacks and the accompanying mitigations for Enterprise IoT device implementations:

1. Botnet – The software, often firmware, built into IoT devices typically does not have security mechanisms like PC Operating Systems do. These devices are typically not monitored which makes them an ideal candidate for botnets. Once an IoT device is a part of a botnet it can be deployed in Distributed Denial-of-Service (DDoS) attacks.
2. Data Exfiltration – While most Internet of Things devices don’t store much data, they do produce valuable telemetry that could be used against your organization.
3. Ransomware – Despite not traditionally being a target of ransomware, an adversary could easily take over IoT devices and disrupt the function of the device. For instance, HVAC controls could be blocked making working conditions untenable for your office environment.
4. Hijacking – Typically, Internet of Things devices ship with default passwords, frequently these passwords are not changed when the devices are deployed. As a result, an adversary could easily take control of the device without setting off any alarms.
5. Lateral Movement – If your Internet of Things devices are on your primary subnet, an adversary could compromise the system and use it to gather reconnaissance data and eventually pivot to other internal hosts.

Here are 5 security best practices that serve as mitigations for the above attacks:

1. Updates – Keep the firmware on your IoT devices current.
2. Segmentation/Firewall – Your IoT devices should reside on a subnet of their own. If internet access isn’t required, don’t allow it and if it is, consider using an allow list of external sources.
3. Monitor – Monitor the traffic in and out of your IoT network.
4. Encryption – If possible, encrypt the data on your IoT devices.
5. Passwords – Change the default password on all IoT devices as soon as configuration begins.

What are the most common threats to my home network and how can I protect my information?

As more and more of our home appliances and gadgets feature internet connectivity, security must be considered. In fact, home networks have a larger variety of IoT devices than Enterprises. Here are three common threats and their mitigations.

1. Data Exfiltration – Whether it’s your family’s financial information, a device eavesdropping on your conversations, or worse, photos and videos being taken, your personal information has never been more at risk while at home.
2. Botnet – Just as above, your Internet of Things devices at home are targets for botnets.
3. Hijacking – Perhaps even more frequently than in Enterprises, home IoT devices are left with their default passwords. While the impact may be smaller, home HVAC, appliances and other devices could be manipulated to damage your home or your wallet.

The mitigations for home IoT are very similar to Enterprise with some modifications, subtractions and one addition.

1. Updates – Keep the firmware on your IoT devices current.
2. Segmentation – The home version of segmentation is using a multiple service set identifier (SSID)–in plain English, network names. Chances are your home Wi-Fi has a main network and the ability to create a guest network. Some offer the ability to create even more. Use either the guest network capability or another SSID to host your home Internet of Things devices. This has several advantages. First, your IoT devices will not have access to your primary network, keeping your financial information safe while you perform online banking and bill pay. Second, you may be able to assign how much of your bandwidth these devices are allowed to use which can mitigate some threats. Finally, using a separate network allows you to keep closer tabs on these devices as well as what is on your home network.
3. Passwords – As above, change the default passwords as soon as you deploy the device.
4. Location – If you deploy devices such as smart home assistants, (Amazon Echo, Google Nest, et al) consider placing them in areas that you do not have private conversations in. This goes for security cameras as well, don’t place a camera anywhere you wouldn’t want someone outside your family to see.

Conclusion

While the risks of deploying Internet of Things devices can seem great, so are the usefulness of these devices. To put it simply, they are not going away, so let’s deploy them in a smart and secure way to protect our information.

Interested in learning more about Cybersecurity? Udacity offers an array of courses from an Introduction to Cybersecurity to a more advanced Data Privacy course.