A growing number of household and business objects are now equipped with sensors, software, and processors, and can interact with each other and exchange data over networks or the internet. We use these objects and devices every day. They have become a mainstream part of our day-to-day lives and operations in the smart home.
Connected devices have grown exponentially since the advent of global 5G networks. It has become commonplace for offices, workshops, laboratories, hospitals, and homes to have voice-activated lighting and entertainment, city infrastructure sensors, wearable biometrics, residential appliances, family vehicles, building heating, building security, and smart pacemakers. Approximately 41.6 billion connected IoT devices are predicted to exist by 2025 (IDC).
Their IP addresses are assigned automatically by a Dynamic Host Configuration Protocol (DHCP) server. They have integrated CPUs, network adapters, and firmware. This adds functionality and integration to our devices, but it also adds vulnerability.
With great power…
Manufacturers now have a responsibility to provide adequate security for their customers throughout their products’ lifetime. For many producers, planning for a cybersecurity compromise is a completely different way of thinking, and they haven’t had to consider its consequences before. For some countries, where manufacturing costs are inherently cheaper and development is more ad-hoc, this is an entirely new concept.
Black hat hackers do target our old printers, smart water bottles, refrigerators, or toothbrushes, and these are sometimes nodes on a network that can later be used to access more vital devices. Having access to other devices also means having access to other systems and thus critical infrastructure and data. Alternatively, they can be used as part of a botnet, a farm of internet-connected devices exploited to launch DDoS attacks, pinging other devices as part of a larger attack. IoT devices can be switched off, on, or put in other operational configurations. Even an old printer in the corner could potentially consume resources, or an outdated IP camera could spy on your network.
Critical longevity
Having hackers attack our streetlights, medical equipment, mobile communication devices, or autonomous vehicles would be more concerning. The results of not protecting ourselves now may have serious repercussions in the future. Millions of connected devices are already available, and many of them need to be safer, future-proofed or supported with patches and security updates. A cybersecurity breach could potentially result in a legal claim for negligence if each object is vulnerable.
IoT (Internet of Things) products must be able to accommodate future changes in the security landscape. The continued growth of AI/machine learning and an increase in computing power will be major disruptors in the coming years. Intelligent systems must be able to update themselves as problems arise while remaining secure once released. The product life expectancy of any product must be greater than its security level. Some products, like white goods or commercial vehicles, have a life expectancy measured in decades.
The International Organization for Standardization (ISO) may announce a comprehensive cybersafety standard in the next few years, ensuring all necessary cybersafety precautions have been followed for any brand-new smart device, and it may become a major part of the public’s purchase decision process as soon as the public becomes aware of it.
Future-proofing
The user education process will be critical. Device users will need to adopt security best practices like changing default security passwords and blocking remote access that is not required to run a device. Alternatively, manufacturers may implement multi-factor authentication (MFA) or a smart password management policy on devices to facilitate password changes.
Using Web Application Firewalls (WAF) to safeguard other connected systems, and providing at-the-edge filtering that prevents unauthenticated and unauthorized requests from getting any further, will be crucial for protecting command and control (C&C) server centers from compromise attempts and DDoS attacks. Additionally, runtime application self-protection (RASP) should be used to intercept any additional calls from applications (and associated devices) to external systems, validate data requests within the app, and ensure they are secure regardless of other security practices or the origins of the development code. Furthermore, RASP prevents zero-day attacks by letting apps defend themselves without patches or signatures.
As part of any WAF solution and DDoS mitigation solution, load balancing and failover features must be included to prevent traffic spikes associated with new firmware patches.
As well as considering IoT network security, producers must also think about IoT encryption (masking the data traveling between edge devices and back-end systems and protecting the same data at rest) and IoT authentication (taking into account multiple device users and providing authentication methods such as static passwords, multifactor authentication, biometrics, etc.).
Manufacturers will also need to notify users if their devices are running outdated software and prompt them to update. Remote device access should be removed as standard, except where it is essential to device functionality, and strict API authorization and authentication policies should be implemented to support best practices.
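The practices described above (changing default passwords, blocking remote access a device does not need, and flagging outdated software) can be checked mechanically across a device inventory. The following is an added example, not code from the original article; every device record, model name, credential pair, and version number in it is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed factory-default credential pairs (illustrative, not exhaustive).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Constructed: newest firmware the vendor still ships for each model.
LATEST_FIRMWARE = {"cam-x1": "2.10.0", "printer-p3": "1.4"}

@dataclass
class Device:
    name: str
    model: str
    username: str
    password: str
    firmware: str
    remote_services: set = field(default_factory=set)    # reachable from outside
    required_services: set = field(default_factory=set)  # needed to function

def is_older(current, latest):
    """Compare dotted versions numerically, so 2.9.3 < 2.10.0 and 1.4 == 1.4.0."""
    a = [int(p) for p in current.split(".")]
    b = [int(p) for p in latest.split(".")]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def audit(device, latest_firmware=LATEST_FIRMWARE):
    """Return the list of findings for one device; an empty list means it passes."""
    findings = []
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")
    unneeded = device.remote_services - device.required_services
    if unneeded:
        findings.append("remote access not required: " + ", ".join(sorted(unneeded)))
    latest = latest_firmware.get(device.model)
    if latest is None:
        findings.append("model has no supported firmware on record")
    elif is_older(device.firmware, latest):
        findings.append(f"firmware {device.firmware} is older than {latest}")
    return findings

# Constructed inventory.
FLEET = [
    Device("lobby-cam", "cam-x1", "admin", "admin", "2.9.3", {"telnet", "rtsp"}, {"rtsp"}),
    Device("office-printer", "printer-p3", "ops", "k7!vQ2x", "1.4.0", {"ipp"}, {"ipp"}),
    Device("old-sensor", "sensor-s0", "root", "root", "0.8", set(), set()),
]

def audit_fleet(fleet=FLEET):
    return {d.name: audit(d) for d in fleet}

if __name__ == "__main__":
    for name, findings in audit_fleet().items():
        print(name, "->", findings or "ok")
```

Versions are compared numerically because a plain string comparison would rank "2.9.3" above "2.10.0" and miss the outdated camera.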
IoT device manufacturers and producers need to think about how they may be used and exploited in the future in order to prevent catastrophes a few years from now. Keeping the Internet free of compromised information is in everyone’s best interest.