6 Myths About IoT Security
Here are common misconceptions about securing these devices - and tips for locking them down.
There's every reason to be concerned about the potential of an IoT system, sensor, or device being hacked in the enterprise or a user's home office.
Vulnerabilities in these devices are regularly exposed, and most are not built with security in mind. An attack via an IoT device can blindside an organization: Take the hotel in Las Vegas last year that lost data when a hacker made his way onto the network through a high-tech fish tank.
Over time, just about every household appliance and piece of office equipment will have an IP address, which means it will be potentially open to hackers.
Forrester's Merritt Maxim says 92% of global technology decision-makers with more than 1,000 employees say they have security policies in place for their firm's use of IoT devices and solutions. However, only 47% consider their security tools sufficient. A full 34% consider their security tools insufficient and another 10% say they do not have security tools to enforce their IoT security policies.
"I think the biggest misconception people have is that these types of hacks could not happen in real life," Maxim says. "People don’t think that their refrigerator, car, or office will be hacked, but the threat is real and the likelihood is that these threats will only increase."
Imposing though the threat has become, Suneil Sastri, director of product and content marketing at SOTI, adds that there are steps IT staffs can take to mitigate the threat.
"People need to understand that there are solutions," Sastri says. "IT people and consumers can change passwords, encrypt devices, and remotely patch devices. What we're concerned about is that people won't move forward with IoT because they are worried about security."
Jeff Wilbur, director of the Online Trust Alliance, says the good news is that some IoT vendors are fixing exposed vulnerabilities in their products, such as Fitbit, LG's Smart ThinQ dishwashers, and Samsung SmartThings.
Here are some common myths about securing IoT devices and systems.
Just because IoT devices are deployed in an expensive home network doesn't mean that hackers cannot break in. Most IoT systems run on embedded operating systems such as Linux, and the same techniques hackers use to break into Linux servers can be used to hack into IoT devices. Many of these devices are also not built with security features.
People may think it's far-fetched that their office or even their home theatre will be hacked, but it happens and will happen more in the future. A Las Vegas hotel reported that hackers stole company data by accessing the network through a high-tech fish tank. Security researchers are releasing information about vulnerable IoT products seemingly every day. People must come to grips with the fact that these hacks are real and that security people are serious when they recommend changing the default passwords on smart devices and home routers. Just as people had to pay closer attention to security when PCs and smartphones became popular, they will have to do the same with IoT devices. It will require an adjustment and a change in mindset, but it's doable, experts say.
A common misconception is that embedded systems can't support encryption. Forrester's Maxim says that's not the case. Even 8-bit controllers can support base-level encryption, he says, and it's also possible to encrypt the data stream while in transit. If the company deploys sensors that don't support software, many IT departments now put edge firewalls/routers near the sensors so all data transmitted by the sensors goes through the edge device.
IT departments can also segment the network so all the IoT traffic runs on a separate network segment. For example, if an office just installed ten new printers with built-in Wi-Fi, security managers can either set policies that restrict what the printers can do, or just run them on a separate segment.
In the first wave of IoT security, IT people told their managers and other consumers that all they needed to do was change the default user name and password. While changing the default password still makes sense, people forget that hackers can penetrate the network by going through an open router or server port. Be sure to lock down any sensor or device that has an IP address.
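As an added illustration (not part of the original article), the following Python example audits a device inventory against the two controls described above: every IoT device should sit on a dedicated segment, and no device should expose ports beyond what its role needs, even after its default password has been changed. The subnet, the per-device port allow-list, and the inventory records are all constructed for this example.

```python
import ipaddress

# Assumed policy (hypothetical values): IoT devices belong on this segment,
# and each device class may expose only these TCP ports.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PORTS = {"printer": {631}, "camera": {554}, "tv": set()}

# Constructed inventory, e.g. merged from an asset list and a scan of your own network.
INVENTORY = [
    {"name": "printer-01", "kind": "printer", "ip": "10.20.0.11",
     "open_ports": [631], "default_creds": False},
    {"name": "printer-02", "kind": "printer", "ip": "10.1.5.40",
     "open_ports": [23, 80, 631], "default_creds": False},
    {"name": "lobby-cam", "kind": "camera", "ip": "10.20.0.30",
     "open_ports": [554], "default_creds": True},
    {"name": "boardroom-tv", "kind": "tv", "ip": "10.20.0.52",
     "open_ports": [8080], "default_creds": False},
]

def audit_device(dev):
    """Return a list of policy findings for one device (empty list = compliant)."""
    findings = []
    if ipaddress.ip_address(dev["ip"]) not in IOT_SEGMENT:
        findings.append(f"outside IoT segment {IOT_SEGMENT}")
    # Unknown device kinds get an empty allow-list, so every open port is flagged.
    extra = sorted(set(dev["open_ports"]) - ALLOWED_PORTS.get(dev["kind"], set()))
    if extra:
        findings.append(f"unexpected open ports: {extra}")
    if dev["default_creds"]:
        findings.append("default credentials still set")
    return findings

def audit(inventory):
    """Map device name -> findings, for non-compliant devices only."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Note that `boardroom-tv` is flagged even though its password was changed, which is the point of the paragraph above: a changed password does not close an open port.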
The 50-inch smart TV you installed at home has the same security, or lack of security, as the one used in the office. IT people at companies need to check which network the TV accesses and/or segment the network the TVs run over so they know the TV is running over a secure connection. These devices - as well as surveillance cameras and Wi-Fi printers - must be constantly managed.
Check the firmware update policies of these devices before deploying. Some IoT devices have lifecycles of ten or even 20 years, so it's not realistic to expect that the manufacturer will support the device that long. The main point is to understand that the two-year lifecycle users have with smartphones and their frequent updates may not exist with many IoT devices. IoT manufacturers are getting better about this, though, so check their update policies and procedures before making any purchases.