Internet of Things (IoT) devices can help your business and your employees be more productive. As with any technology, understanding the security implications is critical to maintaining cyber health.
Smart watches. Voice-controlled speakers. Home network security devices. All of these are examples of the Internet of Things (IoT). For small and mid-sized businesses, however, the IoT environment might look a bit different. Whether you’re looking to scale your business or seeking a more efficient way to assess inventory, most likely you’re researching IoT enablements. However, the more access points you add to your network, the more places hackers can enter your data environment. While IoT may be the next frontier of business enablement, cybersecurity for IoT remains in flux and increasingly puts your data at risk.
A short definition of IoT devices is that they are objects that normally don’t connect to the internet but that have embedded technology that allows them to do so. In other words, computers, tablets, and smartphones exist specifically to connect to the internet. Watches, thermostats, and speakers don’t need to connect to the internet, but their ability to do so is intended to make people’s lives easier.
Yes, your employees’ wearables, like smartwatches, are IoT devices. However, businesses are also using these kinds of devices to efficiently solve problems.
Smart locks let you remotely lock and unlock doors. If you’re working from an office on one side of town, installing a smart lock means you don’t need to drive to a satellite office to let an employee into a generally restricted area. You can create and revoke individual employee access which means you don’t have to worry about employees losing keys or employees taking keys with them after terminating their employment.
If you’re looking to save on energy costs, you might be using these IoT devices to manage office environments. Since sensors will tell you whether the rooms are inhabited or empty, you don’t have to worry about employees remembering to turn off lights, heat, or air conditioning when they leave at night.
Yes, that Alexa, Google Home, or Siri-enabled voice assistant is considered an IoT device. If you’re using these voice assistants to connect to task management solutions or to create notes, you’re already using an IoT endpoint.
Healthcare practitioners and their patients increasingly use connected devices to monitor health. IoT insulin pumps and heart monitors currently dominate the health monitoring market, but research notes that more healthcare organizations will likely incorporate IoT in the next few years.
A lot of people know that IoT connects to the internet and other devices; however, the way they work still seems a bit muddled. IoT devices create connections in two different ways. To meaningfully address the security risks, you need to understand both ways and the risks inherent in both.
Most wearables use the BLE connection. This is a short-range radio connection between the IoT device and another device. The short-range connection means that the IoT device needs to stay within a specified range of the primary device to keep working. For example, with a Bluetooth headset, you can’t go too far from your phone or the connection drops.
Like your computer, many IoT devices connect to the internet. If you’ve ever set up a speaker, Alexa, Google Home, or Siri-device, you might remember having to work through a setup to connect to your in-home WiFi before using the device. As part of the setup, the device makes its own internet connection then “talks” to your internet service provider (ISP) connection which gives it a unique address on your network.
This is the kicker. IoT increasingly enables businesses, but the technology’s newness makes it difficult to protect. Explaining Internet of Things security concerns means working through some technical nitty-gritty details. However, IoT security challenges differ based on the type of connection used.
Since BLE uses a short-range communication, any information that travels between the IoT device and paired device can be at risk. Even though the distances are short, anything that’s in a public space might be intercepted. There are a few ways this can happen.
Because information travels between the IoT device and primary device, a third device can also accidentally “listen in.” The third device may have paired with one of the other devices without you knowing it.
When a hacker purposefully intercepts these communications, it’s referred to as a man-in-the-middle (MitM) attack. The hacker disguises a third device as the other two to trick them into connecting to it. In doing so, the original devices have no idea that they’ve been compromised and continue to send data. Additionally, the MitM can now send fake information to the two original devices.
All devices, whether BLE or not, use a specific “name” to identify them when they talk to one another. Malicious actors can connect the BLE to a specific device identity and then track that device, and thus the individual, based on the connection.
IoT devices suffer from the same cybersecurity issues associated with traditional devices. However, IoT’s technology is not nearly as advanced, which means the cybersecurity protections are not necessarily available.
Every device that connects to the internet needs a door that lets information in, which is called a port. When IoT devices send information back and forth, they leave open a door that hackers can use.
Encryption disguises information so that even if someone obtains it, they can’t understand it. Encryption can be used for information traveling from one device to another (in-transit) or on the device itself (at-rest). Many IoT devices do not enable encryption, and no encryption standards exist for them. Thus, hackers can “read” information as it travels.
Because they connect to the internet, IoT devices can be infected with new malware such as Mirai. In the case of Mirai, the malware enrolled infected devices in a botnet, which led to a DDoS attack.
IoT devices last longer than traditional devices, particularly in manufacturing use cases. Since many IoT devices incorporate sensors, people can forget the devices exist, which also makes them difficult to update and upgrade. This invisibility means people stop managing them the same way they continually manage and upgrade larger devices.
Currently, no industry standards to address IoT security exist. User needs and wants have driven IoT innovation, which means that the speed of development arising out of consumer demand has outpaced cybersecurity protections. Since many of the devices are small or were originally intended for homeowner use, many developers focused on creation but not on security. Unfortunately, as more customers demand IoT enablements, more IoT devices rush to market, and security remains an afterthought. Hackers have found ways of penetrating home networks through baby cams and smart thermostats.
Help is on the way. The IoT Cybersecurity Alliance seeks to demystify IoT, educate users, and influence industry standards. Additionally, the IoT Cybersecurity Act of 2017 seeks to create standards through regulation and enforcement controls.
You can’t afford to ignore IoT, but you also can’t afford to ignore the risks. This is why you need to be aware of the actions you can take to secure information and deploy IoT devices to enable your business.
While older BLE devices incorporate some protections, newer devices better authenticate the connection between the IoT device and the paired device. Older legacy connections for LE 4.0, 4.1, and 4.2 can include Just Works™, which makes it easy for an attacker to eavesdrop and offers no way to verify the devices on either side of the connection. LE Secure Connections, however, fixed this particular issue. Moreover, you want to look for out-of-band pairing, passkey controls, and numeric comparison.
Even if the IoT device itself isn’t encrypted, you can protect the information in-transit by making sure that you’re using appropriate encryption across your own network. Protections such as Transport Layer Security (TLS) or a VPN can help you protect information as it travels through your organization.
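To see which device pairs end up on Just Works rather than passkey, numeric comparison, or out-of-band pairing, the following added example (not part of the original article) models how two BLE devices choose a pairing method from the features they announce. The selection rules are a simplified reading of the Bluetooth Core Specification's IO-capability mapping; the class, function, and device names are hypothetical, and the sample devices are constructed.

```python
from dataclasses import dataclass

# IO capabilities a BLE device can announce during pairing.
DISPLAY_ONLY, DISPLAY_YES_NO = "DisplayOnly", "DisplayYesNo"
KEYBOARD_ONLY, KEYBOARD_DISPLAY = "KeyboardOnly", "KeyboardDisplay"
NO_IO = "NoInputNoOutput"

@dataclass(frozen=True)
class PairingFeatures:            # hypothetical name, for illustration
    io_cap: str
    mitm: bool = False            # device asks for MITM protection
    secure_connections: bool = False  # device supports LE Secure Connections
    oob: bool = False             # out-of-band pairing data is available

def pairing_method(initiator, responder):
    """Return (method, authenticated) for the features both sides announce."""
    sc = initiator.secure_connections and responder.secure_connections
    # Legacy pairing needs OOB data on both sides; Secure Connections on one.
    oob = (initiator.oob or responder.oob) if sc else (initiator.oob and responder.oob)
    if oob:
        return ("Out of Band", True)
    caps = (initiator.io_cap, responder.io_cap)
    # Nobody asked for MITM protection, or one side has no way to interact.
    if not (initiator.mitm or responder.mitm) or NO_IO in caps:
        return ("Just Works", False)
    if sc and all(c in (DISPLAY_YES_NO, KEYBOARD_DISPLAY) for c in caps):
        return ("Numeric Comparison", True)
    if any(c in (KEYBOARD_ONLY, KEYBOARD_DISPLAY) for c in caps):
        return ("Passkey Entry", True)
    return ("Just Works", False)

def audit(pairs):
    """Map each pairing to (method, authenticated, uses_legacy_pairing)."""
    report = {}
    for name, (ini, rsp) in pairs.items():
        legacy = not (ini.secure_connections and rsp.secure_connections)
        report[name] = pairing_method(ini, rsp) + (legacy,)
    return report

# Constructed sample inventory: a phone pairing with three office devices.
PHONE = PairingFeatures(KEYBOARD_DISPLAY, mitm=True, secure_connections=True)
SAMPLE = {
    "badge reader": (PHONE, PairingFeatures(NO_IO, secure_connections=True)),
    "smartwatch": (PHONE, PairingFeatures(DISPLAY_YES_NO, True, True)),
    "old sensor hub": (PHONE, PairingFeatures(DISPLAY_ONLY, mitm=True)),
}

if __name__ == "__main__":
    for device, result in audit(SAMPLE).items():
        print(device, result)
```

A device with no screen or buttons falls back to Just Works even when both sides support LE Secure Connections, so such devices need compensating controls elsewhere on the network.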
Vendors can be anything from cloud and mobile applications to network infrastructures. While it may seem silly at first to review a smartphone app’s security protocols, that review can save your data. For example, a smartwatch application may let you use natural language to set meetings in a calendar on your smartphone that also connects to your laptop. If that information is intercepted, anything that can be considered personally identifiable information might be at risk.
Hackers are always looking for new ways to steal information. A popular application that comes with a security vulnerability, even one as simple as a calendar application, can offer a wealth of information when aggregated across all users. If you’re not sure how the application protects information, don’t use it.
You need to make sure that your cybersecurity protections include IoT devices. Some ways to accomplish this:
We understand the complexity of needing technology but having limited resources for protecting information. One of Zeguro’s primary values is “transparency.” When it comes to IoT, that means:
Using IoT to better support your business matters to us because it matters to you. We’re here to help you learn the best way to use it while still protecting your data.