IoT devices are the cat's meow of recent years. Yet, they are one of the leading technological innovations of the mobile world, and their adoption has skyrocketed. As a result, concerns have arisen about how secure they are and how to enforce robust security measures to keep them working seamlessly.
Ever since mobile applications took over the world–and our lives–by storm, our need for more dynamic, portable pieces of technology has skyrocketed to the point where, if our gadgets are tethered to something (think a desktop or a landline), we don’t want them.
Now, we have smaller but more efficient smartphones, smartwatches, smart cars, and even smart homes. However, until recently, having only one or a few of these gadgets it’s not enough. The craving for mobility has spawned the need for faster and better connectivity and interoperability between all the devices we own. And it’s no longer about smartwatch owners wanting to connect them to their phones or tablet owners wanting to airdrop photos to their laptops. Now, we demand connectivity between our home appliances, light bulbs, medical devices, sound systems, and even our cars. The developer universe heard us, and now we have a constellation of interconnected IT devices known as the internet of things (IoT).
IoT devices have transformed how we interact with our everyday gadgets and how we experience interconnectivity and interoperability in our homes, workplaces, shops, and entertainment venues. But IoT isn’t just about how you and I connect our fridges to the internet. Today, IoT is also tangibly helping numerous institutions and industries solve their most pressing issues and drive business processes to enhance how they reach consumers. However, despite their many advantages, IoT devices and their interconnectedness bring to the table substantial challenges and concerns regarding their security and how to enforce it. These concerns arise from the large amounts of sometimes unmonitored data they collect and share and how insecure IoT devices can be when connected to a network.
We at Foonkie Monkey decided to write this article with that in mind. We think it’s crucial to highlight the many risks akin to IoT devices and how to tackle and reduce them to fully reap the benefits of the IoT universe’s boundless network. Let’s begin.
What is the internet of things (IoT)?
The internet of things is a network of interconnected IT-powered devices–or things–that can communicate with each other via the internet using sensors or embedded software that allows them to share information with other devices in the same network. These devices can range anywhere from smartphones and tablets to large appliances, medical gadgets, and even sophisticated industrial machinery. Some of these IoT devices, namely refrigerators, light bulbs, or smart locks, usually have limited functionality and computing capacity. In contrast, others are more sophisticated and have the power to perform at higher levels of complexity. Therefore, the diversity of IoT devices is so high that we have countless ways to use them and apply them to different environments. Still, no matter how complex or simple they are, IoT devices are changing how both ordinary users and enterprises seamlessly collect, share, and analyze ample amounts of data for simple entertainment or insight gathering. The most common types of IoT devices are:
- Consumer IoT: IoT devices are highly accessible and not very complex for everyday users. They usually come in the form of simple gadgets such as tablets, smartphones, smartwatches, smart home appliances, and security systems, among others. Therefore, users can easily use and update them without excessive tech knowledge or sophisticated connectivity requirements.
- Enterprise-level IoT: Businesses have access to a broad range of IoT devices such as smart cameras, smart logistics vehicles and trackers, and intelligent industrial machinery. Companies can now gain fast insight into how their customers behave, what they need, and how to give it to them. Subsequently, IoT can help them improve their business practices, reduce operational costs, broaden the reach of their services, and enhance the overall customer experience.
- Governmental IoT: Governments worldwide have started to reap the benefits of IoT in the form of smart traffic cameras, smart official buildings, natural disaster monitors, wildlife monitoring, and connected city infrastructures.
Additionally, as artificial intelligence (AI), machine learning (ML), 5G, and other modern solutions keep creeping into our everyday technology-driven devices, the IoT cosmos advances and expands rapidly. And with almost 8 billion globally connected IoT devices today, and an anticipated growth of over $1,854 billion by 2028, we can safely conclude that the IoT universe has matured out of its gestational stage and has matured to become the ruler by which we measure the efficiency of the connectivity in our tech-driven lives.
IoT security concerns
As you can see, the internet of things is one of the most exciting and essential technological advancements of our century. It brings to the table elements such as increased connectivity, seamless data sharing, and efficient communication between humans and machines. They also provide a wide range of devices with different complexities and characteristics that can adapt to any type of user regardless of how tech-savvy they are. However, while this diversity is an invaluable asset in terms of reach and coverage, it is also one of the main reasons security concerns around the IoT cosmos have risen. Unfortunately, the rise of IoT devices hasn’t been met with an increase in security measures or approaches; there’s no organization or parameters that define IoT security standards. Moreover, no government or legal, regulatory measures oversee IoT device security; sure, institutions care about how your smart TV is safe to use and whether it’s environmentally friendly. But sadly, they don’t worry about how it protects your privacy.
Additionally, the number of connected IoT devices keeps rising, which only compounds security concerns and makes it increasingly challenging for enterprises to maintain security threats at bay. And what is more concerning, some of these devices function in healthcare and financial scenarios, where user information goes beyond simple names and phone numbers and can contain sensitive medical and banking data, which, if stolen, could have calamitous repercussions. Needless to say, this phenomenon is disturbing, especially when we consider that around 1.5 billion IoT cyber attacks were reported in the first six months of 2021 alone. Furthermore, Gartner reported that over 25% of all cyberattacks involve some type of IoT connection, figures that aren’t surprising considering that IoT devices and connections are often fraught with vulnerabilities.
So, whether you’re a regular user looking into introducing some IoT devices into your home or an enterprise wanting to adopt IoT solutions, the importance of securing your IoT connections is just as pressing. Here are the main security concerns that plague the IoT universe.
- Unpatched software: IoT connections can have unstable connectivity or other issues that may require users to download and install updates manually. Still, sometimes, they don’t or can’t download them, and IoT devices end up running on outdated software, which leaves them open to attacks and increases their level of vulnerability without the user even knowing it.
- Device diversity: IoT’s rise in use and diversity means that an increasing number of devices continue to connect indiscriminately to an IoT network. As a result, there is a dramatic increase in security openings that broaden the attack surface and reduce the integrity of the connections. On top of that, and considering that around 98% of the data shared by IoT devices is unencrypted, the portability of these devices only serves to increase the chances of bugs and hackers infecting the network.
- Weak authentication measures: Unlike your email or Netflix account, most IoT devices often do not require login credentials to access or use them. For instance, you don’t get prompted to enter a username and password every time you open your fridge or turn on your television. You usually use your connected IoT devices without any–or weak–authentication measures, meaning that they’re open to remote access. And without any access restrictions, these devices become easy prey for hackers.
- Unsecured APIs: Application Programming Interfaces (APIs) are key to integrating devices and allowing programs to communicate. Sadly, however, when APIs aren’t properly implemented, managed, and accessed, they can become the gateway for attacks and data leaks.
- IoT Botnets: Botnets are malware-infected networks of devices connected to an IoT net that control it and use them in distributed denial-of-service (DDoS) attacks. These attacks’ main goal is to hack into the everyday operations of a website or application and take them over. Since botnets are designed to infect as many devices as possible, IoT devices represent an opportunity too good to pass up.
How to enforce security in IoT devices
It goes unsaid, but we all know that cybercriminals will stop at nothing to get what they want: priceless data. This data must be protected at all costs. We must ensure that, within an IoT network, user information is protected so that the benefits of IoT devices can reach their maximum potential and not be overshadowed by their security flaws. So, to make sure manufacturers deliver secure IoT devices, here are some best practices and recommendations they should follow.
Enforce secure authentication practices
This is the first step and probably the most obvious one when securing your IoT devices and network. However, you’d be surprised at how often people use weak passwords, don’t change the preset passwords IoT devices usually come with, or don’t use any. Actually, poor or non-existent login credentials and lack of authentication protocols continue to fuel most hacking attacks on IoT devices, with over 1.5 billion data breaches happening in the first semester of 2021 alone. Concerning figures such as this one only highlights the importance for developers to help users maintain strong security protocols for all IoT endpoints by enforcing robust authentication protocols and prompting them to change their login credentials regularly. Remember, authentication is foundational for most devices with internet access. It is the primary method for access control. Without it, any unauthorized entity attempting to enter a system will quickly gain access and wreak havoc on the entire IoT ecosystem.
So, as developers, we are the gatekeepers of the IoT universe. As such, we must make sure we implement the proper authentication protocols to mitigate attacks and keep our users’ data safe. For that, implementing authentication protocols such as two-factor or multifactor authentication is crucial and is two very effective ways of blocking most attacks. However, keep in mind that IoT systems deal with both end-user communication and machine-to-machine communication protocols, and both require the same level of authentication. So, on the one hand, end-user authentication is pretty straightforward, and you can use your traditional username/password or two-factor authentication methods.
On the other hand, machine-to-machine authentication is a bit more tricky and that much more critical. To guarantee its security and integrity, you must use public key infrastructure (PKI) and certificates embedded on every device within the IoT system. Moreover, many IoT devices lack a console, meaning that there’s no way for the user to enter login credentials. So, you must bake the authentication protocol within the device and provide support for credential updating.
Use network segmentation
The vast majority of home and industrial IoT device networks and settings are based on traditional networks based on the principle of having the least amount of routers, a single point of entry, and minimal switches to reduce the system’s complexity save costs, and simplify the network’s maintenance. However, although it is a common practice for the development of most IoT devices and their networks, these “flat” or traditional network approaches are fundamentally risky, creating security threats that can lead to hacking events and hefty fines due to non-compliance with data protection regulations. As a result, both developers and users are at risk of suffering dire consequences that everyday users, enterprises, and startups can’t afford. Enter network segmentation.
Network segmentation is a very effective yet often underutilized approach to guarantee security in IoT devices that seeks to increase the complexity of the IoT network by reducing the attack surface. For this, network segmentation helps developers divide the IoT system into several subsections or sub-networks that act as their own mini-network. As a result, the system becomes more granular, granting users and developers more control over the traffic within the system, devices, and workloads. For example, in a flat network, the chances of a hacking event spreading laterally are more significant, increasing the probability of data breaches and credential theft. In contrast, when an IoT network is segmented, any unauthorized party within the system can’t spread threats laterally through the entire network, making it harder to exploit. Moreover, network segmentation allows developers, users, and security enforcers to quickly isolate incidents, target them, and stop them from entering the IoT network. For instance, if a laptop gets infected, the threat can be eliminated before it enters the IoT network where the computer is connected and infects the rest of the devices within said network.
Network segmentation isn’t commonplace or an enforced security approach in most development environments. However, it is an effective alternative worthy of consideration to increase the security level of IoT devices and networks.
Implement device discovery
As we touched on earlier, the number of IoT devices per household or enterprise keeps rising exponentially as these gadgets evolve and become more accessible. In fact, the average home has, on average, ten connected IoT devices, a number that will likely rise to fifty by 2025. Can you imagine monitoring and ensuring robust security protocols for fifty devices? It’s a mind-boggling thought, especially for IT-challenged users or some system admins, who may have some knowledge about the devices connected to their network but aren’t always aware of new devices trying to access their IoT system. Additionally, it isn’t always realistic to ask a user to manually be on top of and monitor every device that attempts to access their IoT space. And, if not careful, users may even accidentally grant access to unknown malicious devices. However, device discovery can help fix these issues.
It is crucial that users have visibility of how many IoT devices are connected to their network. Device discovery helps users gain said visibility and has a functionality that recognizes and identifies specific devices on an IoT network so they can be listed appropriately and profiled with the sole purpose of detecting suspicious activity. In addition, it details precisely which types of devices are connected to an IoT network, their model, activity, and login and logout times to help users keep a real-time inventory of all connected IoT elements. This way, device discovery allows users and admins to use this list of authorized and unauthorized devices to continuously analyze behaviors within the system and compare devices to pinpoint anomalous activity. As a result, device discovery is a very effective way of ensuring security in IoT devices, even when devices are inherently “insecure” or have no built-in firewalls, such as smartwatches, refrigerators, or smart light bulbs.
With the proper knowledge and tools, developers can quickly implement device discovery as modules in all routers, switches, gateways, or other devices that manage inbound and outbound traffic within an IoT universe.
Security in IoT devices: Final word
IoT devices are becoming the norm when talking about the modern way of living. Smart homes, smart cars, and smart workplaces, and even factories keep spreading and becoming commonplace in cities across the globe. Whether or not this phenomenon has a positive impact on our daily lives is debatable. However, the truth is that as the use of IoT devices grows, the amount of data they store and share also expands, creating an industry-wide concern regarding the security and integrity of the data-sharing process within these types of systems. Therefore, app developers must take these concerns at heart and respond to them by creating built-in security solutions that can guarantee data protection, enable threat spotting and elimination, or minimize the level of vulnerability inherent to IoT devices.
The solutions listed in this article or just the tip of the iceberg. As experienced app developers, we understand that the only way we can guarantee the integrity and security of modern IoT networks is by conducting more research, educating ourselves, and always being on top of the latest technological advances to ensure we implement robust solutions in all our products.