The risks of Internet of Things

2022-03-25

The Internet of Things (IoT) refers to the network of physical everyday objects across the world that are embedded with sensors, software and other technologies, and that can be connected to the internet. These devices collect and share data about the way they are being used, and about the environment they find themselves in.

IoT is considered one of the most important technological developments of the 21st century, as it increases efficiency by detecting patterns, automating tasks, making suggestions, and detecting malfunctions in the consumer, corporate and industrial world. IoT devices are now ingrained into everyday life, from light switches, thermostats and robot vacuums that can be controlled through smartphones, to voice-controlled virtual assistants, smartwatches, children’s toys, driverless cars, and even smart cities.

The term Internet of Things was first coined in 1999 by Kevin Ashton, but it took another decade for the technology to be ready to be built into this extensive network. In 2021, 22 years after the term was coined, there are over 10 billion IoT devices throughout the world.

IoT devices’ vulnerabilities

The growing number of IoT devices, set to reach 30 billion in 2025, offers many advantages, but also raises concerns over the possibility of cybersecurity risks. As IoT devices collect, store and transmit large quantities of data every day, they have become appealing targets to cybercriminals. In addition, the companies that offer these gadgets are typically more focused on the design, appeal and ease of use of the products, rather than on the security aspect. This means that IoT devices often lack the built-in security necessary to protect the gadgets and their users from cyberthreats.

IoT devices are typically much smaller in size compared to laptops and smartphones, and have much less computational power, making it difficult to include cybersecurity measures.

While users can install third-party software on their laptops, tablets and smartphones to add an extra layer of protection and make the device more resistant to cyberattacks, this is not possible on small gadgets. In addition, IoT devices are typically secure at the time they are purchased, but they can become vulnerable over time as cybercriminals find new bugs to exploit and new techniques to hack into systems.

As the cyberthreat landscape evolves continuously, manufacturers should address new security issues by deploying software patches and updates. While this is usually done on a regular basis for larger and more sophisticated devices like laptops and smartphones, it is often not the case for IoT devices. The lack of regular updates and patches means that IoT devices can be left vulnerable to cyberattacks by hackers exploiting known security issues and deploying malware.

One of the most frequent vulnerabilities that cybercriminals exploit in order to hack into IoT devices is hardcoded passwords. Also known as embedded credentials, these are plain-text passwords, not protected by encryption, that are embedded in the source code and are typically found in IoT devices. The same hardcoded passwords can be used across numerous devices. Hardcoded passwords can be helpful to developers, as they make their workflow easier and prevent users from tampering with the code or the product. However, hardcoded passwords are also extremely helpful to cybercriminals, making it easier for them to guess the password and take control of not only one device, but of other devices with the same hardcoded password.

In 2016, one of the largest DDoS attacks in history was carried out through a botnet made up of over 100,000 IoT devices, including routers, digital cameras and DVRs. All these devices were infected by the Mirai malware, which scanned the Internet to find IoT devices with easy-to-hack hardcoded passwords or default credentials. The DDoS attack launched by the Mirai botnet targeted and managed to disrupt the operations of GitHub, Netflix, Twitter and Airbnb.
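A pre-release check for the hardcoded passwords described above, as an added example that is not part of the original article: it scans unpacked firmware files for password-like literals and reports any value embedded in more than one device image. The file paths, device names and credential values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: text files unpacked from three hypothetical firmware images.
FIRMWARE_FILES = {
    "cam-a/etc/init.conf": 'telnet_user = "admin"\ntelnet_password = "cam12345"\n',
    "cam-b/etc/init.conf": 'telnet_user = "admin"\ntelnet_password = "cam12345"\n',
    "dvr-c/src/login.c": 'static const char *PASSWD = "s3rvice!";\n#define TIMEOUT 30\n',
    "dvr-c/etc/net.conf": 'password = ""\nssid = "lab"\n',
}

# A key whose name suggests a secret, assigned a non-empty string literal.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:passw(?:or)?d|secret|api_?key)\w*)\s*[:=]\s*"([^"]+)"'
)


def find_embedded_credentials(files):
    """Return (path, line_no, key, value) for each secret-looking literal."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for key, value in SECRET_ASSIGNMENT.findall(line):
                findings.append((path, line_no, key, value))
    return findings


def shared_across_devices(findings):
    """Map each credential value to the device images embedding it (two or more)."""
    devices = defaultdict(set)
    for path, _line_no, _key, value in findings:
        devices[value].add(path.split("/", 1)[0])  # first path component = image
    return {value: sorted(d) for value, d in devices.items() if len(d) > 1}


if __name__ == "__main__":
    found = find_embedded_credentials(FIRMWARE_FILES)
    for path, line_no, key, _value in found:
        print(f"{path}:{line_no}: embedded credential in '{key}'")  # value not echoed
    for _value, images in shared_across_devices(found).items():
        print("same credential shipped in:", ", ".join(images))
```

A credential that shows up in the second report is the case the paragraph warns about: learning it from one device unlocks every device that shares it.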

When it comes to the IoT, there is also a privacy challenge to consider, as these devices record, store and transmit very large quantities of data, but often do not meet the security standards to protect this information. If an IoT device is compromised, this could lead to confidential and sensitive information being accessed by cybercriminals, including information on what people do and say in their homes. This is even more so the case as the data that is being stored and transmitted by IoT devices is rarely encrypted, leaving it vulnerable to the eyes of cybercriminals in the event of unauthorised access.

It is estimated that 98% of all IoT device data traffic is not encrypted. To preserve the confidentiality and privacy of users’ information, this data should be protected by encryption and by network segmentation, to keep potential attacks in one section of the system and limit how far they can spread.

It appears that cybercriminals were able to hack into the systems of a casino by compromising a smart thermometer used to control the temperature of an aquarium in the casino’s lobby. The hackers were then able to access a database with information on ‘high-rollers’, customers who consistently gamble for large sums of money.

In a more disturbing attack on Ring, the Amazon-owned doorbell company, cybercriminals were able to hack into users’ in-home cameras and communicate with them, by compromising weak and default passwords. The affected users disclosed being subjected to death threats, racial slurs and blackmail, and decided to sue the company following the severe invasion of privacy. With so many IoT devices having cameras and microphones, the risk that cybercriminals could manage to hack into poorly-secured systems and eavesdrop and spy on users raises serious concerns.

IoT devices typically interact with various interfaces to communicate data, including web and mobile interfaces, apps, back-end APIs and the cloud. If any of these interfaces have security vulnerabilities, it could allow cybercriminals to hack into users’ devices and compromise the data being stored. A common security issue found in IoT devices’ interfaces is the lack of proper device authentication, which should be in place to control access and protect data, and in particular to prevent hackers from pretending to be IoT devices with the aim of accessing private information stored in servers.
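One way a back end can authenticate devices so that an impostor cannot pose as one, shown as an added example that is not part of the original article: a challenge-response exchange using a separate HMAC key per device and a single-use nonce. The class, function and device names are hypothetical, and the keys are generated in the demo rather than provisioned at manufacture.

```python
import hashlib
import hmac
import secrets


class DeviceAuthServer:
    """Back end that accepts only devices proving knowledge of their own key."""

    def __init__(self, device_keys):
        self._keys = dict(device_keys)  # device_id -> per-device secret key
        self._pending = {}              # device_id -> outstanding nonce

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)  # fresh random challenge per attempt
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self._pending.pop(device_id, None)  # single use: blocks replay
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def device_response(device_id, key, nonce):
    """What a genuine device computes from the key stored on it."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


def demo():
    keys = {"thermo-01": secrets.token_bytes(32), "cam-07": secrets.token_bytes(32)}
    server = DeviceAuthServer(keys)
    results = {}
    nonce = server.challenge("thermo-01")
    good = device_response("thermo-01", keys["thermo-01"], nonce)
    results["genuine"] = server.verify("thermo-01", good)
    results["replayed"] = server.verify("thermo-01", good)  # nonce already used
    nonce = server.challenge("thermo-01")
    forged = device_response("thermo-01", keys["cam-07"], nonce)  # another device's key
    results["wrong_key"] = server.verify("thermo-01", forged)
    results["unknown_id"] = server.verify("ghost-99", b"\x00" * 32)
    return results


if __name__ == "__main__":
    print(demo())
```

Because each device holds its own key, a key extracted from one unit does not let its holder answer challenges for any other device.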

Implications for IoT users

IoT devices are considered the weak link in both home and work networks due to the vulnerabilities mentioned above. Cybercriminals, therefore, can launch attacks against IoT devices, for instance smart refrigerators, with the aim of then compromising other devices connected to the same network, like laptops or computers. Through lateral network movement, cybercriminals can move deeper into the network to steal sensitive information or distribute malware. Especially in the case of smart homes, where all devices are connected to the same network, once one device is compromised, all other devices are compromised as well. Compromised devices could also be used by hackers to build botnets and carry out DDoS attacks, and send spam emails without the owner's knowledge. It is estimated that around 40% of appliances found in smart homes are being used to launch botnet attacks.

Attackers can also hack into IoT devices to eavesdrop and collect information on live video and audio streams and take control of devices like webcams and baby monitors. In 2017, the German Federal Network Agency issued a warning on children’s talking doll Cayla, as it was discovered that an unsecured Bluetooth device in the toy could allow hackers to listen and talk to the children through the doll, posing a severe risk to children's safety and privacy.

For users who possess or are looking to buy IoT devices, it is essential to understand the risks tied to them. When purchasing an IoT device, users should ensure they select a product from a reputable brand, and should take some time to familiarise themselves with the security section of the product’s manual. It is important for users to change the default credentials and substitute them with unique and strong passwords for each device. If possible, users should ensure they run their IoT devices on the latest software version. Users are also advised to adequately protect laptops, smartphones and all other devices that are connected to the same network as IoT devices.

It is manufacturers, however, who have to begin addressing the security issues in the IoT devices they produce. Cybersecurity measures should be at the forefront of the product creation process, and not an afterthought. Addressing known vulnerabilities, updating software and releasing patches should become regular practice for all IoT devices. In addition, manufacturers should consider implementing simple strategies like the use of data encryption, to ensure that all users’ data is protected both in transit and at rest. Governments are now increasing pressure on IoT developers to secure IoT devices and reduce the security risks associated with them.

