The Internet of Things (IoT) may not sound like something security folk should get worked up over, until you realize that it’s the unsecured Internet-of-Pacemakers, -Baby Monitors, -Wireless Gadgets and countless other “Things” that vendors are connecting to the internet.
If you’re wondering how many Internet-of-Things “things” it takes to be “countless,” there will be more than 20 billion connected devices by 2020, according to Gartner. An enterprise can easily have many thousands of IoT devices. And for every one of them that’s snuggled up against your invaluable, ever-increasing corporate data, its vulnerabilities become yours.
Yes, the IoT adds benefits to just about anything through remote access, telemetry (taking measures from a distance) and control. But criminal hackers like it, too, for its broad attack surface (because there are so many devices) and its weak security. Most IoT devices are barely robust enough to send and receive sensor data, let alone protect themselves.
There are as many potential IoT attacks as there are devices. Cyberthugs are doing a lot more with the IoT than orchestrating distributed denial of service (DDoS) attacks to bring down major web properties and sites like yours. But you have to know the problem before you can worry about the solution. Here are some examples of how cybercriminals use and abuse the IoT for anything but the good of your networks, systems, data, organization and consumers.
Criminal hackers can eavesdrop on wireless transmissions close to IoT devices, using scanners that they position right next to your IoT hardware. With this method, they can capture the cryptographic keys that unlock the encryption securing your IoT data. With keys in hand, cyberthugs can access and sift through the data that the encryption was meant to protect.
With the unfettered access to IoT that follows, cyberthieves can steal consumer data that devices like digital signs and kiosks collect. Some digital signage includes Point-of-Sale (PoS) terminals where people make purchases, so payment card data is a target here, too. Any IoT that collects consumer data can share it with cybercrooks once they listen in on your wireless transmissions and crack your encoded information.
Consumers could reconsider doing business with you if they discover that a breach of your IoT compromised their payment cards or personal information. Meanwhile, the cyberhoodlums make off with records they can sell or manipulate for monetary gain.
Cybercriminals are entering your networks through third-party IoT devices and applications. When you, an employee or a third-party vendor installs a vulnerable, unsecured IoT device in your environment, it gives cybercrooks an opening.
They can enter the device via stolen credentials, weak passwords, broadly published default passwords and web-based attacks via browsers on computers that connect to the IoT. They can even search for vulnerable IoT devices using the search engine Shodan, which is designed to locate IoT devices connected to the internet. It then reports the software installed on those devices, along with any known vulnerabilities that the organization using the IoT hasn’t patched.
If you have not segmented the IoT network from the rest of the enterprise network, it’s only an IoT-device hop, lax-security skip, and network-router or -gateway jump from your IoT environment to your most prized data.
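The segmentation gap described above can be checked against a firewall policy. The following is an added example, not part of the original article: it flags allow rules that let any address in the IoT segment reach a protected zone, and the address plan, zone names and rules are all constructed sample data.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
IOT_NET = ipaddress.ip_network("10.50.0.0/16")
PROTECTED = {
    "finance-db": ipaddress.ip_network("10.10.20.0/24"),
    "hr-files": ipaddress.ip_network("10.10.30.0/24"),
}
# (rule name, source CIDR, destination CIDR, destination port or None for any)
ALLOW_RULES = [
    ("iot-to-telemetry", "10.50.0.0/16", "10.60.1.10/32", 8883),
    ("legacy-any-any", "10.0.0.0/8", "10.0.0.0/8", None),
    ("kiosk-to-db", "10.50.4.0/24", "10.10.20.15/32", 5432),
    ("office-to-hr", "10.20.0.0/16", "10.10.30.0/24", 445),
]


def segmentation_gaps(rules, iot_net, protected):
    """Return (rule, zone, port) for each allow rule that lets any
    IoT address reach any address in a protected zone."""
    gaps = []
    for name, src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Broad rules count too: a source that merely overlaps the IoT
        # range still gives IoT devices a path.
        if not src_net.overlaps(iot_net):
            continue
        for zone, zone_net in protected.items():
            if dst_net.overlaps(zone_net):
                gaps.append((name, zone, "any" if port is None else port))
    return gaps


if __name__ == "__main__":
    for rule, zone, port in segmentation_gaps(ALLOW_RULES, IOT_NET, PROTECTED):
        print(f"{rule}: IoT segment can reach {zone} on port {port}")
```

The broad `legacy-any-any` rule is the kind of entry that quietly defeats segmentation: it never mentions the IoT range, yet it covers it.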
Cyberterror on Plants and Equipment
With goals other than money, nation-state hackers attack the Industrial IoT (IIoT). These devices can include industrial controls such as gauges, valves, pumps and actuators. They can also include smart sensors and different apparatuses in critical infrastructure sectors like manufacturing, energy, transportation systems and more than a dozen others that the Department of Homeland Security has identified.
Because companies connect IIoT to the internet for the benefits of new intelligence about industrial processes, cybermiscreants can reach those devices, as well. When criminals are controlling these sensor-laden gadgets, they can use them to send misleading commands and data to machines, systems and employees, triggering unanticipated reactions with disastrous results.
Their purpose is to set off major crises such as plant shutdowns, production shortfalls and financial losses in plants and equipment, loss of power production in the energy sector and life-threatening collisions in mass transportation. Their ultimate goals may also include cyberterror and cyberwarfare.
There’s Nothing Simple About IoT
There are more examples that parallel these, illustrating a more profound problem. Bad-guy hackers can decrypt, read and steal any data that they find in your IoT devices. They can gain entrance into your network through any IoT device connection. They can disrupt, shut down and even destroy the critical infrastructure site that your organization counts on to stay alive. That’s a lot of trouble for a simple, wireless “thing.”