Security for the Internet of Things means protecting internet devices and the networks they connect to from online threats and breaches. This is achieved by identifying, monitoring, and addressing potential security vulnerabilities across devices. At its simplest, IoT security is the practice that keeps IoT systems safe.
The IoT isn’t just about computers or smartphones – almost anything that has an on/off switch can potentially be connected to the internet, making it part of the Internet of Things. The sheer volume and diversity of 'things' that comprise the IoT mean that it contains a considerable amount of user data. All this data has the potential to be stolen or hacked by cybercriminals. The more connected devices, the more opportunities there are for cybercriminals to compromise your security.
The consequences of IoT security breaches can be highly damaging. This is because the Internet of Things affects both virtual and physical systems. For example, think of a smart car connected to the internet – cybercriminals could hack it to disable certain safety features. As the IoT becomes more prevalent within industry – hence the term IIoT or Industrial Internet of Things – cyberattacks can unleash a series of potentially devastating consequences. Similarly, in healthcare – where the term IoMT or Internet of Medical Things is used – devices can expose sensitive patient data or even compromise patient safety. In smart homes, compromised devices could allow criminals to monitor people’s homes.
Challenges for IoT and key IoT security concerns include:
Lack of testing and development
Some IoT manufacturers have treated security as an afterthought in their haste to bring products to market. Device-related security risks may have been overlooked in the development process, and once launched, there may be a lack of security updates. However, as awareness of IoT security has grown, so too has device security.
Default passwords leading to brute-forcing
Many IoT devices come with default passwords and these are often weak. Customers who buy them may not realise they can (and should) change them. Weak passwords and login details leave IoT devices vulnerable to password hacking and brute-forcing.
IoT malware and ransomware
Given the considerable increase in IoT connected devices in recent years – which is forecast to continue – the risk of malware and ransomware exploiting them has increased. IoT botnet malware has been amongst the most commonly seen variants.
Data privacy concerns
IoT devices gather, transmit, store and process a vast array of user data. Often, this data can be shared with or sold to third parties. While users typically accept terms of service before using IoT devices, many people don’t read the terms – which means it's not always apparent to users how their data may be used.
Infected IoT devices can be used for distributed denial of service (DDoS) attacks. This is where hijacked devices are used as an attack base to infect more machines or conceal malicious activity. While DDoS attacks on IoT devices more commonly affect organizations, they can also target smart homes.
Common interface issues that affect IoT devices include weak or no encryption or insufficient data authentication.
The rise of remote working
Following the Covid-19 pandemic, remote working has increased around the world. While IoT devices have helped many users to work from home, often home networks can lack the security of organisational networks. The increased usage has highlighted IoT security vulnerabilities.
Research shows that in 2020, the average household in the US had access to 10 connected devices. All it takes is one overlooked security misconfiguration in one single device to put the whole household network at risk.
There have been high-profile examples of IoT devices being compromised by cybercriminals in recent years. These include:
2016: Mirai botnet attack
In 2016, hundreds of thousands of compromised connected devices were pulled into a botnet called Mirai. A botnet is a network of computers that have been intentionally infected by malware to carry out automated tasks on the internet without the permission or knowledge of the computers’ owners. As a result of the Mirai attack, major services and websites such as Spotify, Netflix, and PayPal were temporarily shut down.
2018: VPNFilter malware
In 2018, VPNFilter malware infected over half a million routers in over 50 countries. VPNFilter can install malware onto devices connected to your router; it collects information passing through, blocks network traffic, and steals passwords.
2020: Tesla Model X hacked
A cybersecurity expert hacked a Tesla Model X in less than two minutes by exploiting a Bluetooth vulnerability. Other cars which rely upon wireless keys to open and start have experienced similar attacks.
2021: Verkada camera feeds hacked
Verkada is a security camera firm. In 2021, Swiss hackers compromised 150,000 of its live camera feeds. These were cameras that monitored activity inside public sector buildings – such as schools, hospitals, prisons – and private corporate organizations.
To ensure IoT device security and IoT network security, here are some best practices to bear in mind:
Keep up to date with device and software updates
When buying an IoT device, check that the vendor provides updates and consistently apply them as soon as they become available. Software updates are an essential factor in IoT device security. Devices that use out-of-date IoT software are easier for hackers to compromise. Your IoT device may send you automatic updates, or you might have to visit the manufacturer’s website to check for them.
Change default passwords on IoT devices
Many people use the same login and password for every device they use. While it's easier for people to remember, it's also easier for cybercriminals to hack. Make sure every login is unique and always change the default password on new devices. Avoid using the same password across devices.
Use strong passwords for all devices and your Wi-Fi network
A strong password is long – made up of at least 12 characters and ideally more – and contains a mix of characters, such as upper- and lower-case letters plus symbols and numbers. Avoid the obvious – such as sequential numbers ("1234") or personal information that someone who knows you might guess, such as your date of birth or pet's name. A password manager can help you to keep track of your login credentials.
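The criteria above can be checked mechanically. The following is an added example, not part of the original article: the function names, the short default-password list and the sample inputs are constructed for illustration, and the sequential-run check goes beyond the "1234" case in the text by also catching letter runs and descending runs.

```python
import re

# Constructed sample of factory-default passwords; a real list would be far longer.
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "root", "default"}

# Character classes the article asks a strong password to mix.
CLASSES = {
    "lower-case letter": r"[a-z]",
    "upper-case letter": r"[A-Z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending or descending characters ("1234", "dcba")."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(pw, personal=()):
    """Return the list of rules from the text that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, pw):
            problems.append(f"no {name}")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("known default password")
    if has_sequence(pw):
        problems.append("contains a sequential run")
    lowered = pw.lower()
    for item in personal:
        # Personal details (pet's name, birth date) supplied by the caller.
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "Rex1234!Rex1234!", "tV9#qLw2!zRb7$Ke"):
        print(candidate, "->", password_problems(candidate, personal=("Rex",)) or "ok")
```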
Change your router’s name
If you keep the router name given by the manufacturer, it could allow snoopers to identify the make or model. Instead, give your router a new name – but make sure that whatever you choose doesn’t disclose any personal identifiers such as your name or address.
Use a strong Wi-Fi encryption method
Using a strong encryption method for your router settings – i.e., WPA2 or later – will help to keep your network and communications secure. Older WPA and WEP versions are vulnerable to brute force attacks.
Set up a guest network
If your router gives you the option, consider creating a guest wireless network, also using WPA2 or later, and protected with a strong password. Use this guest network for visitors: friends and family may be using devices that have been compromised or infected with malware before using your network. A guest network helps to enhance your overall home network security.
Check the privacy settings for your IoT devices
Your IoT devices probably come with default privacy and security settings. It’s a good idea to read through these and change the settings where appropriate to ensure they are set to a level you are comfortable with. In a similar vein, it’s worth reviewing privacy policies to understand how the provider stores and uses your personal data.
Keep track of your devices' available features and disable any you don't use
Check the available features on your devices and switch off any that you don't use to reduce potential attack opportunities. For example, consider a smartwatch – its primary purpose is to tell the time. But it will probably also use Bluetooth, Near-Field Communication (NFC), or voice activation. If you are not using these features, they provide more ways for an IoT hacker to breach the device, with no added benefit for the user. Deactivating these features reduces the risk of cyberattacks.
Enable multi-factor authentication where possible
Multi-factor authentication (MFA) is an authentication method that asks users to provide two or more verification methods to access an online account. For example, instead of simply asking for a username or password, multi-factor authentication goes further by requesting additional information, such as an extra one-time password that the website's authentication servers send to the user's phone or email address. If your smart devices offer MFA, use it.
Understand what IoT devices are on your home network
Review all devices communicating across your network and understand what they do. Some of these devices may now be older models – consider whether upgrading to newer devices could offer greater IoT security features.
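One way to carry out this review is to compare the router's DHCP lease table against a list of devices you know about. The following is an added example, not part of the original article: it assumes a router that exposes leases in the dnsmasq format (expiry, MAC, IP, hostname, client ID), and the lease lines, inventory and function names are constructed for illustration.

```python
# Constructed sample in dnsmasq lease format: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1735689600 3c:5a:b4:11:22:33 192.168.1.20 living-room-tv 01:3c:5a:b4:11:22:33
1735689700 b8:27:eb:aa:bb:cc 192.168.1.21 thermostat *
1735689800 da:a1:19:00:11:22 192.168.1.37 * *
1735689900 00:1a:2b:3c:4d:5e 192.168.1.42 ipcam 01:00:1a:2b:3c:4d:5e
"""

# Hypothetical inventory the household maintains: MAC address -> what the device is.
KNOWN_DEVICES = {
    "3c:5a:b4:11:22:33": "Smart TV",
    "b8:27:eb:aa:bb:cc": "Thermostat",
}


def parse_leases(text):
    """Turn lease lines into dicts; '*' means the device sent no hostname."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines (e.g. a DHCPv6 'duid' line)
        _expiry, mac, ip, host = fields[:4]
        devices.append({"mac": mac.lower(), "ip": ip,
                        "host": None if host == "*" else host})
    return devices


def is_randomized(mac):
    """Locally administered bit (0x02 in the first octet) set: not a vendor-assigned MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def unknown_devices(lease_text, known):
    """Return (ip, mac, hostname, note) for every leased device missing from the inventory."""
    findings = []
    for dev in parse_leases(lease_text):
        if dev["mac"] in known:
            continue
        note = ("randomized MAC, identify by hand" if is_randomized(dev["mac"])
                else "not in inventory")
        findings.append((dev["ip"], dev["mac"], dev["host"], note))
    return findings


if __name__ == "__main__":
    for finding in unknown_devices(SAMPLE_LEASES, KNOWN_DEVICES):
        print(finding)
```

Phones and laptops often use randomized MAC addresses, so a flagged entry of that kind needs to be matched to a physical device before it is added to the inventory or blocked.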
Be careful when using public Wi-Fi
You might want to manage your IoT devices through your mobile device when you're out and about – for example, in a coffee shop, shopping mall, or airport. It's essential to be aware of the security risks involved in using public Wi-Fi. One way you can mitigate these risks is by using a VPN.
By being mindful of IoT cyber security and following IoT security best practice, it is possible to minimize risks.