IoT Security: What you need to know

Simply put, the Internet of Things, or IoT, connects devices to the internet. These devices may have consumer or commercial applications. IoT is all about ensuring devices can send and receive data to enhance their functionality.

Whilst consumer IoT devices, such as smart TVs or baby monitors, tend to receive more publicity, the commercial application of IoT offers enormous potential. Every industry is being impacted by its spread. IoT enables factories to manage their inventory and supply chains with great accuracy. Hospitals can monitor the health of patients as never before. IoT can be used to monitor traffic flows that allow urban planners to determine long-term infrastructure requirements.

All industries, including health care, manufacturing, retail, energy, agriculture and many more, stand to benefit from IoT devices. The technology allows organisations to gain valuable insights that drive greater efficiencies. With real-time data and analytics, organisations can automate many tasks, enabling them to be more innovative and to focus on growing their business.

However, as more devices than ever are networked and connected to the internet, and the data flowing back and forth grows exponentially, it is imperative that security controls are in place to protect that highly valuable information.

IoT and Security

Numerous recent cases have highlighted the potential ways IoT devices can be exploited by cyber-attackers. Such exploitation can allow attackers to gain unauthorised access to private networks and compromise corporate data and personally identifiable information (PII). The interconnected nature of IoT devices also means that exploitation can have widespread consequences.

Much work remains to be done to raise general awareness levels of the potential security risks associated with many of the IoT devices currently available on the market. Unfortunately, we have seen numerous cases where IoT security vulnerabilities were reported to the device manufacturers, but these problems did not lead to prompt remediation.

Users of IoT devices must ensure they do their research and only use products developed and manufactured by reputable suppliers who have a track-record of promptly fixing vulnerabilities.

Whilst only working with reputable suppliers is a good start, to truly secure IoT devices, there also needs to be a strong focus on the infrastructure upon which your IoT devices operate and the protocols in use by IoT devices.

IoT Ecosystems

IoT devices are not stand-alone systems. They form part of a comprehensive ecosystem that includes infrastructure and applications. This essential fact needs to be taken into consideration when your organisation is developing a strategy for implementing IoT devices.

The infrastructure that underpins IoT devices, allowing them to function, can be open to exploitation. By their very nature, IoT devices need to communicate with infrastructure that is connected to the internet. Even when a device is secure, vulnerabilities that exist in the underlying infrastructure can put your organisation at risk.

Particularly concerning is the common misconfiguration of Message Queuing Telemetry Transport (MQTT). The MQTT protocol is used by many IoT devices to communicate with a central broker or server. When configured correctly, MQTT and the associated broker software can be secured with authentication, authorisation and transport encryption.

However, there have been many cases in which IoT devices and their associated infrastructure have not been configured correctly, leaving them publicly visible and open to exploitation. Many IoT manufacturers also use open-source components that, by default, may allow access by unauthenticated users.

There have been numerous cases of the MQTT protocol being used without proper authorisation controls. Due to the interconnected nature of IoT devices, once an attacker gains access to a single device or its server, many other IoT devices reliant on the same infrastructure may subsequently be vulnerable to compromise.
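As an added example (not Shearwater's code, nor tooling from any broker project), the following Python script audits a Mosquitto-style broker configuration for the weak settings described above: anonymous access, no credential store, no topic ACLs, and listeners without TLS. It compares a constructed open configuration with a hardened one. The option names (listener, allow_anonymous, password_file, acl_file, certfile, keyfile, require_certificate) are real Mosquitto options; the file paths and both sample configurations are constructed for illustration.

```python
"""Audit a Mosquitto-style mosquitto.conf for the misconfigurations that
leave an MQTT broker open: anonymous access, no credentials, no ACLs, no TLS.

Example code written for this page, not Shearwater's or the Mosquitto
project's tooling.  The option names are real Mosquitto options; the two
sample configurations and their file paths are constructed."""

# Constructed sample: a broker bound to every interface with no authentication.
WEAK_CONF = """\
# typical "it just works" configuration
listener 1883 0.0.0.0
allow_anonymous true
"""

# Constructed sample: the same broker with TLS, credentials and topic ACLs.
HARDENED_CONF = """\
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_conf(text):
    """Yield (option, value) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        yield option, value.strip()


def audit_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    global_opts = {}
    listeners = []  # one dict per 'listener' line: port plus TLS material seen

    for option, value in parse_conf(text):
        if option == "listener":
            port = value.split()[0] if value else "?"
            listeners.append({"port": port, "certfile": False, "keyfile": False})
        elif option in ("certfile", "keyfile") and listeners:
            # In Mosquitto these TLS options belong to the most recent listener.
            listeners[-1][option] = True
        else:
            global_opts[option] = value

    anon = global_opts.get("allow_anonymous")
    if anon is None:
        # Older broker versions defaulted to allowing anonymous clients.
        findings.append("allow_anonymous not set; the effective default depends on the broker version")
    elif anon.lower() == "true":
        findings.append("allow_anonymous true: unauthenticated clients are accepted")

    if "password_file" not in global_opts:
        findings.append("no password_file: the broker holds no client credentials")

    if "acl_file" not in global_opts:
        findings.append("no acl_file: any connected client may publish or subscribe to every topic")

    for lst in listeners:
        if not (lst["certfile"] and lst["keyfile"]):
            findings.append(
                f"listener {lst['port']} has no certfile/keyfile: "
                "traffic and credentials travel in clear text"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

Run as-is, the weak configuration produces four findings and the hardened one none. The audit is deliberately conservative about an unset allow_anonymous, because the effective default differs between broker versions; an explicit setting is the only value an auditor should accept.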

It is this interconnectedness that represents a significant challenge when it comes to IoT security.

Security Auditing and Testing

To strengthen IoT security, it is recommended to regularly audit and test your devices, reliant applications, and the infrastructure on which they operate.

It is extremely important that your testing extends to your entire IoT ecosystem.

Beyond the device itself, auditing and testing should be conducted against communication protocols, servers and any applications, software or firmware that the devices rely on.

The applications, software and firmware that run IoT devices should be developed in accordance with Secure Software Development Lifecycle principles. Secure code reviews and regular penetration testing should form part of this process.

At a minimum, when adopting IoT devices and the associated infrastructure, you should factor in security as a central consideration. All devices should incorporate appropriate encryption, authentication and authorisation controls.
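Auditing the communication protocol, rather than only the device, can be as simple as decoding each MQTT CONNECT packet in a capture from your own network and listing which clients present no credentials. The following Python, added here as an example and not part of the original article, implements a minimal MQTT 3.1.1 CONNECT decoder and an "anonymous client" check. The client identifiers and credentials are constructed samples, and the small builder function exists only to produce those samples offline.

```python
"""Decode MQTT 3.1.1 CONNECT packets and flag clients that connect without
credentials.  Example code for this page, not Shearwater's or any MQTT
library's; the packets built below are constructed samples."""


def _encode_len(n):
    """MQTT variable-length 'remaining length' encoding (7 bits per byte)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80  # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_len(buf, i):
    """Return (remaining_length, index_after_length_field)."""
    multiplier, value = 1, 0
    while True:
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _mqtt_str(s):
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def build_connect(client_id, username=None, password=None, keep_alive=60):
    """Build a CONNECT packet (used here only to construct sample traffic)."""
    flags = 0x02  # clean session
    if username is not None:
        flags |= 0x80
    if password is not None:
        flags |= 0x40
    body = _mqtt_str("MQTT") + bytes([4, flags]) + keep_alive.to_bytes(2, "big")
    body += _mqtt_str(client_id)
    if username is not None:
        body += _mqtt_str(username)
    if password is not None:
        body += _mqtt_str(password)
    return bytes([0x10]) + _encode_len(len(body)) + body


def parse_connect(pkt):
    """Decode a CONNECT packet into the fields an auditor cares about."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    length, i = _decode_len(pkt, 1)
    if len(pkt) - i != length:
        raise ValueError("remaining length does not match packet size")

    def read_bytes(pos):
        n = int.from_bytes(pkt[pos:pos + 2], "big")
        return pkt[pos + 2:pos + 2 + n], pos + 2 + n

    name, i = read_bytes(i)
    level, flags = pkt[i], pkt[i + 1]
    keep_alive = int.from_bytes(pkt[i + 2:i + 4], "big")
    i += 4
    if name != b"MQTT" or level != 4:
        raise ValueError("only MQTT 3.1.1 is handled in this example")
    client_id, i = read_bytes(i)
    if flags & 0x04:  # will flag: skip will topic and will message
        _, i = read_bytes(i)
        _, i = read_bytes(i)
    username = password = None
    if flags & 0x80:
        username, i = read_bytes(i)
    if flags & 0x40:
        password, i = read_bytes(i)  # sent in clear unless TLS wraps the session
    return {
        "client_id": client_id.decode("utf-8"),
        "username": None if username is None else username.decode("utf-8"),
        "has_password": password is not None,
        "keep_alive": keep_alive,
    }


def anonymous_clients(packets):
    """Return the client ids of CONNECTs that carry no username."""
    return [p["client_id"] for p in map(parse_connect, packets) if p["username"] is None]


if __name__ == "__main__":
    # Constructed capture: one anonymous sensor, one authenticated gateway.
    capture = [build_connect("sensor-01"), build_connect("gw-7", "gw-7", "example-pw", 30)]
    print("anonymous:", anonymous_clients(capture))
```

Feed the function real CONNECT payloads extracted from a capture of your own broker's port, and every client id it returns is a device that the broker must be rejecting (allow_anonymous false) for the deployment to be sound. Note that the decoder reads the password straight out of the bytes; that is exactly why a listener without TLS is a finding in its own right.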

Essential IoT Principles

Some of the essential principles you need to consider when adopting IoT technologies are:

1. When selecting an IoT device, make sure you can update the passwords. Never use the manufacturer's default passwords and ensure the passwords you select are strong.

2. Always ensure you regularly update IoT device software to protect your organisation. Software updates should roll out patches and fixes to vulnerabilities. If left unfixed, these vulnerabilities could put you at risk of data breaches.

3. As an IoT user, you should be able to know exactly what data is being transmitted from the device to the internet and have the ability to easily disable the function when you wish.

How Shearwater Can Help

Speak to Shearwater for advice on implementing IoT devices in your organisation. We can provide expert guidance on the infrastructure and policies you need to gain all the benefits of IoT devices, without risking the compromise of your valuable data.