The Internet of Things (IoT) has brought about large advancements in convenience for both personal and professional life. By enabling remote management and monitoring, IoT devices help improve quality of life in countless ways.
As a result, the demand for IoT is booming, with the market expected to reach $520 billion by 2021.
While IoT offers a number of benefits for both consumers and businesses, it has been plagued by poor security. As adoption of IoT grows, so does the number of high-profile hacks targeting or using IoT devices.
The value of these devices and the costs of the hacks that they cause make IoT security an important priority.
The IoT security paradox
IoT devices are widely deployed and blindly trusted.
Businesses regularly deploy industrial IoT (IIoT) devices to remotely monitor and manage critical systems. Internet-facing security cameras are frequently utilized to monitor business entryways or point-of-sale areas.
IoT devices often have access to extremely sensitive personal or business data, but their security is abysmal.
In the healthcare sector alone, there have been several cases in which internet-connected medical equipment has been hacked. This is even more concerning considering this sector is governed by strict data privacy laws and regulations, such as HIPAA.
How IoT gets hacked
As the name suggests, the Internet of Things refers to devices that are connected to the Internet, and this very connection is what makes IoT devices so vulnerable to compromises.
Hacks on IoT devices typically are not complicated. They usually take advantage of security misconfigurations or gaping holes, rather than relying on clever exploits or zero-day vulnerabilities.
The Mirai botnet, probably the most famous IoT attack, involved hundreds of thousands of hacked IoT devices. The Mirai hacker gained control of these devices through the use of default passwords: the Mirai malware scanned for any device that had an open Telnet port and then attempted to authenticate to it using a list of 61 weak username/password combinations.
Since the IoT manufacturers used weak passwords and the end users did not change the default passwords, this brute-force attack was successful.
Unfortunately, this story isn’t unique. Following Mirai, there have been many other attacks on IoT devices. The poor security of IoT devices and their “always on” connection to the Internet make them easy targets for hackers.
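As an added example (not part of the original article), here is a small Python detector for the Telnet credential-guessing pattern described above: a burst of failed logins from one source, followed by a success. The log format, field names, addresses and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value login-log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=10.0.0.21 dport=23 user=root result=fail
2024-05-01T10:00:02 src=203.0.113.7 dst=10.0.0.21 dport=23 user=admin result=fail
2024-05-01T10:00:04 src=203.0.113.7 dst=10.0.0.21 dport=23 user=support result=fail
2024-05-01T10:00:06 src=203.0.113.7 dst=10.0.0.22 dport=23 user=root result=fail
2024-05-01T10:00:08 src=203.0.113.7 dst=10.0.0.22 dport=23 user=admin result=ok
2024-05-01T10:00:09 src=203.0.113.7 dst=10.0.0.22 dport=22 user=admin result=fail
2024-05-01T10:05:00 src=198.51.100.9 dst=10.0.0.21 dport=23 user=ops result=fail
2024-05-01T10:05:20 src=198.51.100.9 dst=10.0.0.21 dport=23 user=ops result=ok
"""

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"dport=(?P<dport>\d+) user=\S+ result=(?P<result>\w+)")

def detect_telnet_guessing(log_text, window=timedelta(seconds=60), min_failures=3):
    """Flag sources with >= min_failures failed Telnet logins inside `window`.

    Returns {src: {"targets": set, "compromised": set}}; "compromised" holds
    devices that accepted a login from that source after the burst was seen.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["dport"] == "23":  # Telnet only
            events[m["src"]].append(
                (datetime.fromisoformat(m["ts"]), m["dst"], m["result"]))
    findings = {}
    for src, evs in events.items():
        recent = []  # (time, device) of failures still inside the window
        for ts, dst, result in sorted(evs):
            recent = [(t, d) for t, d in recent if ts - t <= window]
            if result == "fail":
                recent.append((ts, dst))
                if len(recent) >= min_failures:
                    hit = findings.setdefault(
                        src, {"targets": set(), "compromised": set()})
                    hit["targets"].update(d for _, d in recent)
            elif result == "ok" and src in findings:
                # A guessed credential worked: treat the device as compromised.
                findings[src]["compromised"].add(dst)
    return findings

if __name__ == "__main__":
    for src, hit in detect_telnet_guessing(SAMPLE_LOG).items():
        print(src, sorted(hit["targets"]), sorted(hit["compromised"]))
```

A single mistyped login followed by a success (the second source in the sample) stays below the threshold and is not flagged.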
Protecting IoT devices
IoT devices differ from traditional computing devices (laptops, mobile devices, etc.) in two primary ways: the level of built-in security and how much security maintenance is received.
Most computer manufacturers ensure that their devices have a baseline level of security, but this is not generally the case with IoT manufacturers.
After-purchase security varies greatly too. For example, most people understand the importance of keeping software and antivirus up to date on their computer but don’t give a second thought to updating the security of personal IoT devices. In addition, the ability to patch security vulnerabilities relies on the patch actually being available.
When internal security isn’t an option, it’s important to take the necessary steps to secure IoT devices externally.
Most IoT devices are designed to be remotely deployed and managed from a central office via the Internet. This design isn’t new. For example, most telecommuting employees connect remotely to their organization’s network to do business. While telecommuting workers have access to VPNs and firewalls, IoT devices generally do not.
Most firewall and VPN technology is implemented as software installed on the device in question, and this often isn’t feasible for IoT devices, particularly where they are older and have legacy operating systems.
GoSilent Cube is a physical VPN and firewall device the size of a Tic Tac container. It is designed to provide comprehensive protection in an easy-to-use package and deploys easily with plug-and-play functionality.
Using GoSilent, an organization can immediately secure any IoT device’s internet connection with an IPSec tunnel connected to a VPN server located within the organization’s network. This provides the IoT device with the same protections it would have if located on the organization’s enterprise network and renders it completely unreachable from the Internet.