IoT market outgrows its own security. Hackers love it.


Imagine going to your local grocery store on the corner to grab a few snacks, only to receive a heartfelt sermon about the virtues of unionization from the receipt printer. Yes, the same one that urged you to subscribe to a youtube star a few years ago. It’s a very outspoken device, apparently.

The hijack security trend

As entertaining as such hijacks may be, they reveal what’s by now all too familiar — The IoT security trend (or rather lack thereof).

Businesses tend to be lax about protecting their connected devices, and this hands-off attitude has created the most significant blind spot in today’s security landscape.

The speed of threat surfaces

The speed of Internet of Things (IoT) proliferation means that most companies are building up vast threat surfaces — and usually turning a blind eye to them. As a result, the market is expanding quickly, with the number of connected devices expected to soar to over 27 billion by 2025.

About two-thirds of businesses globally are already using IoT productsso you can be sure the B2B market will account for a solid proportion of those devices.

Attack targets and entry points

More IoT means more targets and entry points to go after for hackers. According to Kaspersky, the number of attacks on connected devices doubled in the first half of 2021 compared to the previous six months.

Some security incidents are a joke

Granted, some IoT security incidents amount to nothing more than an innocuous joke — like the receipt printer rooting for a YouTube channel. Nevertheless, companies report these more minor incidents, get a headline or two, and the world moves on.

Too often, though, other incidents stay unreported — and take it from an insider, those attacks are anything but a joke.

But when the hack isn’t a joke

Here is a quick example from my own experience. Hackers going after a specific government body targeted a Smart TV in a conference room. After gaining access to the device, they could record several sensitive internal discussions before the attack was spotted.

Hijacking a connected device is like securing a beachhead for an offensive operation for a hacker.

A chain is as weak as its weakest link, and IoT devices, which often lack endpoint protection or monitoring, work as perfect entry points.

After compromising a smart printer, a surveillance camera, or another device, an attacker can infiltrate to corporate network to steal sensitive data, disrupt hospital surgeryor shut down to power plant or industrial facility.

Compromised IoT devices are great for storing malware, too. In addition, hackers often connect the “zombified” devices into botnets, which can flood a target network or server with connection requests, shutting it down.

The number of such attacks dreamed in 2021and botnets are the ideal tool for their execution.

Colossi on clay feet

It may be tempting to blame the entire IoT security situation on businesses that fail to change factory access credentials on smart devices. That said, the reality is more complex. It’s not just about the credentials.

Smart devices often have dozens of software vulnerabilities that users can do nothing about on their own. Such gaps are up to the manufacturer to catch and patch, and until they do so, their customers are sitting exposed. We obviously wouldn’t expect a grocery store to write up a firmware update for its preachy receipt printer.

Manufacturer patches come too late

All too often, though, manufacturer patches come out too late. As a result, the IoT market expands at breakneck speed, with more and more devices going online every day. But the problem is, its own security research and development are lagging behind.

Researchers and regulators alike are still figuring out the best standards and practices for the industry. Likewise, practitioners often struggle to secure the IoT infrastructure properly.

Legacy industries moving into the digital world

Another trend playing into this is the disconnect between the security protocols followed by established tech giants and the legacy industries moving into the digital world.

These companies watch for hackers

Hackers have long been part of the equation for enterprises like Apple and Google, a known threat to keep an eye on.

These companies traditionally don’t protect quickly enough

At the same time, a traditional home appliances company expanding its offering with smart lightbulbs is hardly up to date on all the latest in cybersecurity.

It’s no surprise that researchers have found a significant gap in how these two groups approach their security, with the former predictably way ahead of the latter.

The IoT security crisis at hand

The resulting mismatch in the industry is what underpins the IoT security crisis.

The IoT market is simply too fast and too lucrative for its own good, and the discrepancy between its growth and security research and solutions opens a gap for hackers to exploit.

Some of the companies joining this market lack the necessary cybersecurity experience or procedures.

Given how rare established, mature device security products are, these newcomers end up exacerbating the problem. As a result, the bad guys get more exploits to go after, while the victims are left waiting for patches.

Central Connected Devices

The problem becomes ever more acute given how central connected devices are to today’s tectonic shift in the business paradigm. Everyone, even legacy enterprises, from mining companies to agricultural businessesstrive to go smart. So they deploy arrays of sensors, drone fleets, and robots to do things better, faster, and with higher quality.

Going Smart is Dumb Without Security Features

But going smart is dangerous when you rely on ostensibly dumb devices to work as your infrastructure. And dumb they are, given how often they don’t have built-in security and observability features.

New Attack Surfaces

Without proper safeguards, companies going through a digital transformation expose whole new attack surfaces that would have been inconceivable just a decade ago. And the worst thing is, they don’t even know it.

Cybersecurity Is A Must For Everyone

When every device is smart, cybersecurity becomes a must for everyone. As more and more companies join the digital frayneither businesses deploying the device nor manufacturers developing it can turn a blind eye to it, even when it comes to securing the most innocuous tech.

The IoT newcomers must learn the ropes quickly. Otherwise, they risk ultimately undermining their own progress by opening the floodgates to a whole tsunami of cyber-incidents.

Image Credit: dan-cristian-pădureț; pexels; Thank you!

Natali Tshuva

Natali Tshuva

Natali Tshuva is the CEO of Sternum, a cybersecurity company that has developed a universal IoT security platform, and a veteran of Unit 8200 of Israel Defense Forces. She worked as a vulnerability researcher and an R&D team leader in Cellebrite before co-founding Sternum in 2018. She holds an MSc degree in Computer Science from Israel’s Bar-Ilan University and aspires to change the world for the better through technology.


readwrite.com

Leave a Reply

Your email address will not be published.