What are the Top Security Threats for IoT?
Christophe Fourtet, Chief Scientific Officer and Cofounder at Sigfox
The rapid acceleration in IoT devices installed and in use globally has analysts forecasting that the number will reach 41.6 billion “things” generating 79.4 zettabytes of data by 2025. This figure includes a wide variety of devices, from smart car technology, smart watches and virtual assistants such as Alexa to GPS trackers, remote monitoring devices and sophisticated tools that are already being used in manufacturing and other industries.
As the use cases for IoT broaden, the amount of data being generated by these devices also continues to grow and, as emerging technologies have flourished in recent years, so too have cyber security threats. Security threats themselves have evolved from malware and viruses to more sophisticated, coordinated attacks, with IoT connectivity a new target for hackers. The security threat to IoT is different to the threats faced by internet and cellular telephone networks, for instance.
IoT provides a large variety of threat surfaces as the more devices there are, the more points there are on a network that need to be protected. This means that there are potentially a far greater number of available weaknesses for cyber criminals to target.
Attackers could infiltrate smart devices themselves, like remote sensors, smart car technology, smart watches used in business and even drone technology, focusing on traditional virus and internet-based attacks, targeting servers or disrupting the frequencies used to transmit data.
The common denominator for IoT security threats is, of course, the internet: the web of connectivity powering IoT devices. The security threats typically directed towards IoT devices fall into one or more of the following segments:
Radio Frequency Identification (RFID)
RFID uses radio frequency waves to transfer data. Physical mass attacks via this method of wireless connection are not possible, and any over-the-air infiltration is near enough impossible. The direct threat here is minimal, but attackers could target these services via server weaknesses, or target a recipient RFID reader’s server link via internet-based attacks.
Low-power wide-area network (LPWAN)
LPWAN connections allow long-range communications at a low bit rate, which is perfect for connected objects like battery-powered sensors. Similar to RFID, the direct threat risk in terms of physical or air-interface attacks on this method of connection is minimal. Device transactions using this technology are few and often via an uplink, which serves to limit the threat, and it is the simplicity of these devices that protects them.
However, jamming them is still possible, and internet-based attacks aimed at the devices these networks interact with are more common. More complex LPWAN devices that have higher traffic or use bidirectionality are prone to even greater risk, but solutions for those include dynamic scrambling of device transactions and the Advanced Encryption Standard (AES-128).
Cellular and 5G connections are more common and carry a higher volume with heavier protocols, so they see more security threats over the air, with “honeypot” cyber security solutions often deployed to detect, identify, predict and protect against potential attacks. Yet again, “backend” attacks are more frequent, as attacks target servers and app servers, and this requires daily security monitoring by both software and teams.
Personal Area Networks
PAN communication between personal devices themselves and the internet means there is a much higher traffic volume and a larger panel of protocol layers that are often stacked one on top of the other, causing security weaknesses. There are solutions, but there is often negligence in protecting attack surfaces connected in this manner, and that lack of protection often increases with the complexity or volume of surfaces within systems. In this way, large systems could be penetrated through a simple smart Wi-Fi bulb or other such PAN sensors.
The impact and larger security risk of IoT threats
The growing trend of Industry 4.0 and smart manufacturing has enabled Industrial IoT (IIoT) connections to become an integral part of the business process across the entire industrial sector. IIoT connections are anticipated to reach 37 billion by 2025, and this rapid surge is being accompanied by an equally fast evolution of cybersecurity protection for industry.
Just like the need to protect networks and cloud computing users by deploying sophisticated cyber security systems, businesses now recognise the need to protect the multitude of network endpoints and surfaces where IoT is deployed.
While the spectrum of IoT threats has pushed more mature technology users to carefully and continuously analyse their whole systems, less mature players continue to have less sophisticated systems. So third parties, or connections, can be used to make more mature and protected users and businesses vulnerable to attacks. This is too often evidenced in cybersecurity breaches that make the news, where larger companies have fallen victim to attack via a third-party supplier or an employee.
As the physical attack surface, or number of connected endpoints, for businesses increases alongside the number of IoT and smart devices used, cyber protection is becoming tougher and more costly. Networks which carry large volumes of data with many connections are growing, and so too is the cost involved in protecting larger and busier networks.
Protecting IoT devices from security threats
Cyber protection is about “quality of service.” Mature technology users know this, so most are already deploying comprehensive cyber security measures across all devices, treating every endpoint alike as a possible security risk.
Cybersecurity teams, software, data analytics, and artificial intelligence are all being employed to detect anomalies that can indicate threats, to predict potential threats and to protect against those threats.
Each IoT device in a network should be monitored directly or indirectly, via software and/or a human team overseeing things. Users should understand the typical behaviour of devices and cyber attackers to help them identify and protect against attacks.
In large networks, fast and efficient detection of abnormal device and system behaviour “as a service” should be adopted, but this cybersecurity discipline takes time, and the effort grows exponentially along with device behaviour. The more devices communicate, the more unpredictable their interactions can be, making them more difficult to monitor and manage.
Cybersecurity solutions should not just be technology based. Adopting AES-1024 technology alone will not protect a poorly designed or analyzed system, and even complex cybersecurity systems can leave vulnerabilities across large networks where users share complex security keys over those networks.
Prevention and protection start with educating every single user and encompassing systems, so that all endpoints, human or otherwise, are well informed and so better protected. Usage characterizations and system considerations are the first stages of protecting against threats, but strengthen that by building understanding among all system users and managers, from the top right down to the bottom. Then deploying the right technologies and encryptions, such as AES and AI algorithms, will be even more effective.
Over time, it will help if systems and networks become diverse, to reduce the complexity of endpoints and connections, while enabling simpler management. Threats in common systems will be similar, rather than varying from one design to another.
Overall, if IoT devices, their purpose and normal operations are characterized and analysed, it will become easier and faster to detect anomalies and threats, using modern computing tools and technologies such as AI. Sharing existing and emerging threat vectors within the technology and cybersecurity communities is vital so that businesses are forewarned and can learn from each other, instead of becoming victims of the same types of attack.
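The characterisation step described above can be sketched as a per-device baseline of uplink traffic; this is an added example, not code from the article or from Sigfox. The device names, the hourly counts and the thresholds `k`, `floor` and `min_samples` are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (device_id, hour_index, uplink_messages_in_that_hour).
BASELINE = [("meter-01", h, 2) for h in range(24)] + \
           [("tracker-07", h, 6 + (h % 3)) for h in range(24)]

OBSERVED = [
    ("meter-01", 24, 2),
    ("meter-01", 25, 40),    # burst far above the learned rate
    ("tracker-07", 24, 7),
    ("tracker-07", 25, 0),   # silence, e.g. device jammed or offline
    ("bulb-99", 24, 3),      # endpoint that was never characterised
]

def build_profiles(records, min_samples=12):
    """Learn the mean and spread of hourly uplink counts for each device."""
    counts = defaultdict(list)
    for dev, _hour, n in records:
        counts[dev].append(n)
    # Devices with too little history get no profile and are treated as unknown.
    return {d: (mean(v), pstdev(v)) for d, v in counts.items()
            if len(v) >= min_samples}

def detect(profiles, records, k=3.0, floor=0.5):
    """Return (device, hour, reason) for traffic outside the learned band."""
    alerts = []
    for dev, hour, n in records:
        if dev not in profiles:
            alerts.append((dev, hour, "unknown-device"))
            continue
        mu, sigma = profiles[dev]
        # The floor keeps perfectly regular devices from alerting on +/-1 message.
        band = k * max(sigma, floor)
        if n > mu + band:
            alerts.append((dev, hour, "burst"))
        elif n < mu - band:
            alerts.append((dev, hour, "silence"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profiles(BASELINE), OBSERVED):
        print(alert)
```

The simpler and more regular a device's traffic, the narrower its learned band, which is why low-volume uplink-only devices are the easiest to characterise this way.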
With an increase in remote working, employee connections also become business risks. Cybersecurity should be systematic, and encompass both security by design and operational measures. Coupled with these characteristics, cybersecurity should encompass a strategy of cybersecurity awareness for all network and device users, from customer-facing employees right through to boardroom directors. Cybersecurity technology should focus on hardware and software, on devices and networks, and on risks via technological and human-oriented attack vectors.