Why IoT Security Matters
11 May
The growth of the IoT (Internet of Things) is staggering and sobering. Gartner predicts that the number of Internet-connected devices worldwide will grow to 11.4 billion by 2018. That’s a huge number of new devices connecting to the Internet. Unfortunately, many of these new gadgets have very little, if any, security.
A case in point: a few months ago, the Mirai botnet, which consisted of over 150,000 infected security cameras, caused a crippling distributed denial-of-service (DDoS) attack. The botnet flooded the network of Dyn, a major DNS provider, and ultimately shut down a number of sites across the U.S. and Europe. The attack was described by The Guardian as the largest DDoS in history. But perhaps even more important, this was the first time compromised IoT devices had been used to carry out a large, well-coordinated cyberattack.
Another example is the recent attack on the San Francisco Municipal Transportation Authority. Cybercriminals inserted ransomware that disabled the rail system’s payment terminals over the Thanksgiving holiday. Train passengers received free rides all weekend long, amounting to more than a million dollars in lost revenue. The incident serves as another strong reminder that IoT security needs to be taken seriously.
Most IoT Devices Have Very Poor Security
Why are these devices so vulnerable to hacking? There are several contributing factors, but the main one is that manufacturers have rushed to get products to market. Under pressure to be competitive and meet stringent schedules, they have given security very little attention. As a result, these new devices frequently suffer from:
- Numerous security vulnerabilities: Products are often designed by engineers who don’t have a security background, and software that’s hastily developed or isn’t properly funded will have a lot of vulnerabilities.
- Poor authentication: Many IoT devices have weak passwords, many of which are easily guessed. Some of them are even hard-coded and unchangeable. In other cases, default passwords and login credentials are left in place, and a few have virtually no authentication requirements whatsoever.
- Weak or no encryption: Many IoT devices have no encryption capabilities at all.
- Poor upgrade features: Inexpensive devices, like a number of IoT products, typically suffer from low profit margins. This makes it challenging or even impossible for manufacturers to justify the expense of updating firmware or creating security patches.
- Lack of attention: Few organizations give any thought to securing IoT devices. Security staff are so overwhelmed with securing their traditional information systems that they just don’t have time to think about securing other devices.
It’s Time for Vendors and Organizations to Take IoT Security Seriously
Regrettably, the state of IoT security is so poor that it creates a real threat for all organizations. It’s time for the manufacturers of IoT devices, and for the enterprises that use them, to take IoT security seriously. Corporations need to implement policies and tools that can monitor their networks and detect when abnormal behaviors occur. By investing in IoT security now, organizations will be much better prepared for the onslaught of insecure devices that will surely be connecting to their networks during the next few years.