How to Manage New Threats Unleashed by the Internet of Things
- Netacea, Agentless Bot Management
From TVs to fridges to energy meters, more and more of the items we use every day are now smart devices. 87% of US households have at least one smart TV, up from 50% in 2014. And with ownership of smart speakers, thermostats, lights, and security systems also on the rise, it’s expected that smart homes will soon become the norm.
This ever-expanding network of smart devices is known as the Internet of Things (IoT). These internet-connected appliances and devices have made homes and offices more convenient, accessible, and adaptable than ever.
But the more devices you use, the greater the security risk. Cyber-criminals can hack any internet-connected device to access video streams, recordings, and other sensitive data stored on your network — compromising your personal and business security.
So what threats are you exposed to via your smart devices? And how can you protect your IoT network from cyber-criminals?
What is the Internet of Things?
The Internet of Things is the collective name for household devices that can be connected to the internet and controlled by your voice and/or smartphone. It includes everything from smart fridges and smart meters to drones, security cameras, and doorbells. It usually excludes devices that are designed for browsing, such as phones and tablets.
The IoT is designed to make everyday life safer and more convenient. But a lack of standardization and regulation across the IoT manufacturing sector makes these devices prone to security flaws, putting IoT users at risk of hacking and other cyber threats.
It’s not just individual users who are vulnerable. Companies increasingly rely on smart technology to operate — especially with the rise of remote working. Unsecured devices expose your staff, customers, and business to data theft, fraud, and unwanted surveillance.
As cyber-threats become more advanced, IoT devices are more vulnerable than ever. So why do criminals target IoT devices, and what’s the impact of IoT device exploitation for businesses?
Why do criminals target IoT devices?
IoT devices are ideal targets for cyber-criminals. Hackers attack IoT devices for many reasons:
- IoT devices can easily spread malware, spyware, and other malicious programs across networks without detection by humans
- Valuable data is stored on IoT devices, which can be sold on the dark web or held to ransom
- IoT devices can become part of a botnet, which is used to launch widespread cyberattacks.
As more people introduce smart devices into their homes and offices, there are more ways for cybercriminals to infiltrate your network. Most IoT devices don’t have the same security as phones and laptops, making them even more vulnerable. This is aggravated by the fact that most people don’t change the default login credentials of their smart devices, making them easy to hack.
Criminals also use bots to automate hacking attempts, launching large-scale credential stuffing attacks that can easily compromise unsecured devices.
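An added example, not from the original article and not Netacea's product: a minimal Python detector for the credential stuffing pattern mentioned above, flagging any source that tries many distinct accounts and mostly fails. The log format, thresholds, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format: "<ts> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def build_sample_log():
    """Constructed sample data: a stuffing source, a normal owner, a single-account guesser."""
    lines = []
    # 203.0.113.7 tries 8 different accounts once each; one reused password works.
    for i, user in enumerate(["ann", "bob", "cam", "dee", "eli", "fay", "gus", "hal"]):
        result = "OK" if user == "fay" else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z src=203.0.113.7 user={user} result={result}")
    # 198.51.100.20 is an owner who mistypes a password twice, then logs in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"2024-05-01T10:01:{i:02d}Z src=198.51.100.20 user=ann result={result}")
    # 192.0.2.55 hammers one account: password guessing, not credential stuffing.
    for i in range(10):
        lines.append(f"2024-05-01T10:02:{i:02d}Z src=192.0.2.55 user=admin result=FAIL")
    lines.append("corrupted line without fields")
    return lines

def detect_stuffing(lines, min_users=5, max_success_ratio=0.25):
    """Return (flagged, skipped): sources trying many distinct accounts with few successes."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # count malformed lines instead of crashing on them
            continue
        _, src, user, result = m.groups()
        users[src].add(user)
        attempts[src] += 1
        successes[src] += int(result == "OK")
    flagged = {}
    for src in attempts:
        ratio = successes[src] / attempts[src]
        if len(users[src]) >= min_users and ratio <= max_success_ratio:
            flagged[src] = {"accounts": len(users[src]), "attempts": attempts[src],
                            "successful_logins": successes[src]}
    return flagged, skipped

if __name__ == "__main__":
    print(detect_stuffing(build_sample_log()))
```

Any successful login from a flagged source marks an account whose password should be reset, since the credentials it used are already in an attacker's list.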
The impact of IoT attacks for businesses
A 2019 survey found that the key IoT security concerns for businesses are:
- Attacks on IoT devices that may impact critical operations (33%)
- Lack of skilled personnel to implement IoT security (32%)
- Protecting sensitive data generated by an IoT device (31%)
- Identifying or discovering sensitive data generated by an IoT device (27%)
- Loss or theft of IoT devices (27%).
These threats pose significant problems for businesses. Estimates suggest that critical operations stopped or slowed by downtime can cost as much as $5,600 per minute. That’s equivalent to a US employee’s average annual salary every ten minutes.
And then there are data breach fines to consider. Under the California Consumer Privacy Act (CCPA), businesses can be fined up to $2,500 for every unintentional instance of data theft. In the EU, data protection authorities can impose fines under GDPR for up to €20 million, or 4% of worldwide turnover for the preceding financial year (whichever is higher). So if hackers manage to steal large amounts of data from your unsecured smart devices, your business can quickly rack up substantial fines.
Real-world examples of IoT threats and cyber-attacks
Some of the world’s biggest companies have fallen victim to IoT threats. Ring, a smart doorbell and camera company owned by Amazon, has fallen victim to a series of recent cybersecurity incidents.
In 2019, hackers stole the data of more than 3,600 Ring users through a credential stuffing attack. While Ring claimed no data breach had taken place, customer addresses, phone numbers, and payment details were leaked and made available online.
In a more sinister incident, a man hacked a Ring security camera that had been installed in the bedroom of an eight-year-old girl. The man spoke to the girl, allegedly telling her he was Santa Claus, and instructing her to damage her belongings.
But the risks don’t stop at data theft and personal security threats. Last year, a UK court levied a £100,000 fine against a man for using his Ring doorbell as a surveillance device after a neighbor complained that the security device breached her GDPR rights. The court also ruled that the device’s ability to record conversations up to 20 meters away was excessive.
This sets an unsettling precedent for smart security camera users in the UK. Devices that are supposed to keep people safe are now putting them at risk of huge financial penalties. And because there are few laws and regulations around these devices, people must use their own judgment to balance personal security with data protection.
Ring isn’t the only company with a poor IoT security record. Researchers have exposed security flaws in other devices, which can have serious repercussions if they’re exploited:
- Internet-connected heart monitors are vulnerable to hacking, putting individuals' lives at risk
- Hackable smart sex toys can lead to sexual assault if unknown hackers take control of them
- Streams from smart cameras in your home or office can be easily viewed on IoT search engines, threatening individuals’ privacy.
What standards and protections are in place to keep our devices safe?
Unfortunately, as with most online regulation, governments are leagues behind technology when it comes to protecting citizens and businesses from cybercrime. But European regulators have now started to create standards to promote built-in security for smart devices:
- The European Telecommunications Standards Institute (ETSI) has issued standard ETSI EN 303 645: Cyber Security for Consumer Internet of Things. This standard outlines the minimum requirements for manufacturing IoT devices in Europe
- In the EU, connected medical device manufacturers are now required to comply with the EU Medical Device Regulation, which accounts for software-based and internet-connected medical devices
- The Civil Aviation Authority (CAA) recently introduced new guidance for the manufacture and operation of drones, clarifying guidance around drone data and security.
The Federal Trade Commission has acknowledged the risks of inadequate privacy standards for IoT devices. But the US still has a lot of work to do to meet even basic IoT security requirements.
While the IoT Cybersecurity Improvement Act of 2020 requires government agencies to keep their IoT devices secure, there’s still no mandatory regulation around connected medical devices, or widely available smart devices like doorbells and security cameras. On the contrary, many US police forces have contracts with Ring, allowing them to access private footage without a search warrant.
Tips for securing your IoT devices at home and work
With a lack of regulation in place — especially in the US — it’s up to users and businesses to keep their IoT devices secure. Here are the best ways to make sure you’re using your smart devices safely:
- Update device firmware as soon as possible. Don’t delay installing updates, as these often contain security patches that fix vulnerabilities in your device
- Avoid buying second-hand IoT devices. Previously used devices may have been (intentionally or unintentionally) subject to malware, spyware, or other malicious programs
- Always change the default login credentials. Update the default password (and username if possible) to a highly secure sequence — use a password manager if you need to
- Don’t use smart devices that can’t be password protected. If your smart device can be accessed without a password, avoid installing it on your home or office network, as these are easy targets for hackers
- Only use smart devices made by companies that adhere to local standards. Smart device users in Europe can minimize security risks by buying devices from companies that meet the ETSI EN 303 645 standard.
Protect your business from threats unleashed by the Internet of Things
A single exploited smart device can put your whole business network at risk. Advanced bots and sustained bot attacks can easily compromise your smart device without your knowledge, giving attackers unprecedented access to your business and customer data.
Netacea’s bot management system identifies and blocks malicious bots from entering your network. It prevents credential stuffing attacks on smart devices, keeping your IoT network safe from cybercriminals. Watch our two-minute demo to learn more.