Cybersecurity risks to IOT

Part 01 of three

IoT Compromisation Risks-Part 1

Two of the most talked-about common vulnerabilities or security risks for Internet of Things (IoT) devices are factory set or hardcoded passwords and the lack of security update mechanisms.

1. Factory Set or Hardcoded Passwords

  • OWASP (The Open Web Application Security Project) named factory set or hardcoded passwords the biggest problem for IoT device security in their 2018 list.
  • OWASP defined this problem as the "use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems."
  • Factory set, weak, or hardcoded passwords consistently appeared as the most commonly mentioned problem for IoT devices across sources and industry opinions.
  • Despite the problem seeming obvious, it still remains a common problem among IoT manufacturers.
  • Because consumers often expect a smart device to run like an appliance, there is not the same consumer understanding of the need for cybersecurity or password maintenance as there is with more traditional IT devices like computers.
  • Many of the most destructive and well-known DDoS (distributed denial of service) attacks on IoT devices are carried out by the Mirai botnet, which primarily exploits the widespread usage of default passwords.
  • Just as obvious as the problem is the solution. Most importantly, manufacturers must stop sending out devices with hardcoded passwords or simple default passwords. Consumers should be educated about the need to change passwords when they buy an IoT device.

2. Lack of Security Update Mechanisms

  • Another commonly cited security risk is the lack of security update mechanisms present on IoT devices.
  • OWASP defines this as: "[The] lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates."
  • Because IoT devices are a new and rapidly expanding market, many companies race to create IoT devices that are then quickly abandoned in service of a newer IoT device. Thus, many manufacturers only provide firmware improvements for a short time period designed specifically to end at the very moment that they start working on the next exciting and new gadget.
  • Stated simply, IoT devices, which were secure upon release to consumers, run the risk of rapidly and increasingly becoming insecure or vulnerable to attacks as time passes.
  • As well, consumers typically do not expect that IoT devices will be regularly unavailable due to maintenance. As the NIST (The National Institute of Standards and Technology) states: "Operational requirements for performance, reliability, resilience and safety [of IoT devices] may be at odds with common cybersecurity and privacy practices for conventional IT devices."
  • There are many ways in which the update mechanisms of an IoT device are potentially vulnerable. According to the OWASP's IoT Vulnerabilities Project, common update mechanism problems include updates sent with no encryption, updates to writable locations, few manual update mechanisms and missing update mechanisms.
  • To combat this, manufacturers must commit to providing continued updates and ways in which consumers may manually update (and check for updates) on devices. Forbes states: "Address this [updates and maintenance] with redundant backup devices, planned maintenance windows or a concerted education campaign that aligns user expectations with security necessities."
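
The device-side checks implied by OWASP's definition above (firmware validation, secure delivery, anti-rollback) are sketched below as an added example; it is not code from OWASP or any vendor named on this page. The manifest fields, function names, key, and URL are assumptions, and an HMAC over the manifest stands in for the asymmetric vendor signature a production updater would normally verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key (assumption). A symmetric key stands in here for the
# vendor's public signing key; real firmware normally uses an asymmetric
# signature so that a device compromise does not expose a signing secret.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    """Raised when an update fails any check; the message names the check."""


def make_manifest(version: int, image: bytes, url: str) -> dict:
    """Vendor side: describe an image by version, download URL and digest."""
    return {"version": version, "url": url,
            "sha256": hashlib.sha256(image).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, image: bytes,
                  installed_version: int, key: bytes = DEVICE_KEY) -> int:
    """Return the new version if the update is acceptable, else raise."""
    # 1. Authenticate the manifest before trusting any field in it.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        raise UpdateRejected("manifest authentication failed")
    # 2. Secure delivery: refuse images that were not fetched over TLS.
    if urlparse(str(manifest.get("url", ""))).scheme != "https":
        raise UpdateRejected("insecure delivery")
    # 3. Firmware validation: the bytes received must match the signed digest.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(),
                               str(manifest.get("sha256", "")).encode()):
        raise UpdateRejected("image digest mismatch")
    # 4. Anti-rollback: only strictly newer versions install. On hardware,
    #    installed_version would come from a monotonic counter.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("rollback or replay of an old version")
    return version


def outcome(manifest: dict, tag: str, image: bytes, installed: int) -> str:
    """Convenience wrapper: 'accepted' or the reason for rejection."""
    try:
        verify_update(manifest, tag, image, installed)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample update; the host name is a placeholder.
    image = b"constructed firmware image, version 5"
    manifest = make_manifest(5, image, "https://updates.example.invalid/fw5.bin")
    tag = sign_manifest(manifest, DEVICE_KEY)
    print("fresh update:    ", outcome(manifest, tag, image, 4))
    print("same version:    ", outcome(manifest, tag, image, 5))
    print("modified image:  ", outcome(manifest, tag, image + b"!", 4))
    print("edited manifest: ", outcome(dict(manifest, version=9), tag, image, 4))
```
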

METHODOLOGY

In order to determine the best or top current vulnerabilities or security risks of Internet of Things (IoT) devices, we searched through trusted news media sites, industry publications, and government and academic reports. From these gathered sources, we analyzed each article or report, and searched for the most commonly mentioned problems across all reports. We chose those vulnerabilities that were overwhelmingly mentioned in a variety of reports.

Part 02 of three

IoT Compromisation Risks-Part 2

Two of the most talked-about common vulnerabilities or security risks for Internet of Things (IoT) devices are insufficient privacy protections for personal data and device hijacking.

INSUFFICIENT PRIVACY PROTECTIONS FOR PERSONAL DATA

  • OWASP (The Open Web Application Security Project) named insufficient privacy protections as one of the top 10 IoT vulnerabilities, particularly when the user's information has been stored "insecurely, improperly, or without permission."
  • An article from Peerbits on IoT security challenges explains that IoT companies use, transfer, store, process, and share user data collected through IoT devices. This leaves the data open to security breaches. IoT For All's article on IoT security threats notes that hackers can access a user's private information simply by identifying an unsecured IoT device.
  • A recent survey of risk professionals found that 97% feared that an attack on unsecured IoT devices would lead to a catastrophic data breach.
  • To address this risk, IoT companies should first ensure they have the user's permission before doing anything with the user's data, according to OWASP. Next, they should ensure that data is secure while being transferred or stored.
  • On the regulatory level, governments can also help mitigate this risk by committing to legal and regulatory guidelines regarding how companies use and store consumer data, and strictly enforcing compliance with those guidelines. Specifically, sensitive data should be redacted and anonymized, and data that is no longer needed should be securely destroyed.
  • Virtual private networking (VPN) technology is also recommended by security experts to secure IoT connections, encrypt all traffic, and keep the user's IP private.

DEVICE HIJACKING

  • One of the greatest risks with IoT devices is a hacker "hijacking" a device, or gaining remote access and control of the device. Once a hacker gains control of a device, they can turn it into an email server, force it to join a malicious botnet, or cause dangerous malfunctions. One of the most talked about potential risks from hijacking comes from smart vehicles; a hacker taking control of an IoT car could have potentially lethal consequences.
  • For example, there have been multiple reported incidents of Nest smart thermostats and cameras being hijacked and manipulated in users' homes, as reported by CSO. To mitigate this risk, users can ensure they are using strong passwords, update those passwords frequently, and activate two-factor authentication.
  • According to OWASP, one cause of device hijacking can be insecure network services, which can compromise the device and allow a remote user to take control. Peerbits calls this problem one of the "biggest IoT security" challenges, and recommends that companies mitigate the risk by ensuring that cloud devices and services are encrypted at the highest level, or that different devices use isolated networks.
  • OWASP identifies a lack of physical hardening of IoT devices as a vulnerability to hijacking. Forbes also notes that unpatched or abandoned IoT devices can be highly vulnerable to this type of attack, and points out that many IoT devices are designed to be unseen and unheard and are therefore easily forgotten. To mitigate this risk, Forbes recommends that manufacturers enforce strict "replacement and refresh cycles" to ensure that devices are not abandoned and that they receive the latest security updates.

RESEARCH STRATEGY

In order to determine the best or top current vulnerabilities or security risks of Internet of Things (IoT) devices, we searched through trusted news media sites, industry publications, and government and academic reports. From these gathered sources, we analyzed each article or report, and searched for the most commonly mentioned problems across all reports. We chose those vulnerabilities that were overwhelmingly mentioned in a variety of reports (excluding those risks already discussed in part one of this project).

Part 03 of three

IoT Solution Companies

Some companies in the IoT space that are providing innovative solutions to cybersecurity risks in relation to IoT are Praetorian, Bitdefender, Armis, Claroty, Cisco, McAfee, and Symantec.

PRAETORIAN

  • This Texas-based company is a leading provider of cybersecurity solutions to organizations in the dynamic digital environment that is characterized by lots of cybersecurity threats.
  • The company "provides end-to-end Internet of Things (IoT) product security evaluations and certifications that help organizations successfully balance risk with time-to-market pressures."
  • The company uses innovative technology to help organizations strengthen the security of their IoT products from chip to cloud.
  • Praetorian's IoT cybersecurity solutions help their clients to position their IoT products as the most secure in the market, with Samsung IoT and Microsoft being among the company's happy clients.
  • The company's IoT cybersecurity solutions also have innovative "multiple analysis methods and machine learning techniques to identify new vulnerabilities introduced by incremental code movement."

BITDEFENDER

  • This award-winning Romanian cybersecurity software company provides innovative solutions to cybersecurity risks related to IoT.
  • The Bitdefender IoT security platform has a self-improving design that enables the adoption of connected devices on either new or existing infrastructures.
  • The Bitdefender IoT cybersecurity platform uses the intelligence of over 500 million endpoints, with every single detection automatically improving the platform for all global users.
  • The software company keeps all IoT devices in the home safe by using innovative "enterprise-grade filtering and inspection technologies tailored for the home network environment."
  • The company's Security-as-a-Service (SECaaS) also contains various other features to embed with other infrastructures easily.

ARMIS

  • Armis is an agentless IoT device security solution that automatically identifies and disconnects devices that are not managed while discovering all the devices in the connected environment before they enter the connected network.
  • The IoT security solution monitors all the connected devices to detect the slightest vulnerability that can act as a point of entry for cyber attacks.
  • They also use their Risk Analysis Engine to assign a risk score to every device in the connected environment based on factors like detected vulnerabilities, network behavior, and known attack patterns.
  • Since Armis' solution is agentless, deployment is fast and it can quickly integrate with new and existing infrastructure.

CLAROTY

CISCO

MCAFEE

  • McAfee's innovative Embedded Control technology "provides whitelisting and file integrity monitoring technology to combat targeted malware, unauthorized software changes, and configuration alterations across commercial and industrial IoT devices."
  • The company's solutions help their clients to prevent software changes that are not authorized and also design security into new IoT devices.
  • The company's innovative IoT security solutions won them the 2018 Gartner Peer Insights Customers’ Choice award for Endpoint Protection Platforms.
  • According to the company, many companies are using their security solutions to protect against malware without necessarily updating definition files or running scans.

SYMANTEC

  • Symantec has a plug & play USB scanning that uses artificial intelligence to "prevent known, unknown and future forms of attacks, such as adversarial machine learning."
  • The company employs cutting-edge technology like neural networks, enforcement driver, advanced Machine Learning, signatures, emulation, and file reputation to secure IoT devices.
  • Regardless of the age of the industrial control system, Symantec's IoT security solutions offer advanced protection without needing to replace the equipment.
  • With security solutions such as application whitelisting and sandboxing capabilities, Symantec offers innovative solutions to secure medical IoT devices.
  • The company describes its IoT security solutions as follows: its "lightweight behavioral hardening engine is purpose-built to protect legacy and EOL systems, by adding layers of defense at the kernel level to prevent unhygienic operations to your endpoints" and "Critical System Protection isolates IOT devices from network intrusion, zero-day exploits, and other future forms of attacks."
  • Symantec's IoT security solutions have received industry recognition, including the Frost & Sullivan Industrial IoT Best Practices award.

RESEARCH STRATEGY:

To provide a list of companies in the IoT space that are providing innovative solutions to cybersecurity risks in relation to IoT, we searched through IoT industry-specific sources such as CRN, Postscapes, IoT World Today, and 360 Quadrants for preexisting lists of companies providing innovative solutions in the IoT cybersecurity space. While this search yielded a plethora of lists, we first considered the companies that appeared in IoT World Today. The criteria of selection for this particular list included companies leveraging innovative technologies. We scoured through the company websites and included companies with the most authoritative industry presence, cutting-edge technologies, excellent client testimonials, and the most relevant award won or prestigious mention for their IoT security solutions. We also selectively picked the companies mentioned the most across the other industry sources and searched through their official websites. We elected to use companies with better innovative technologies than the rest.
Sources

From Part 03
Quotes
  • "Innovation is exploding as the next wave of technological progress transforms our world into an increasingly smart and connected cyber-physical place, where billions of new devices and sensors will be made even smarter by intelligence in the cloud. All of us at Praetorian are excited to be working with customers and partners who see security as an enabler of next-wave innovation and a requisite for new technologies to meet their full market potential."
  • "Praetorian provides end-to-end Internet of Things (IoT) product security evaluations and certifications that help organizations successfully balance risk with time-to-market pressures. Our engineers help you strengthen the security of your IoT products from chip to cloud. Our solutions provide coverage across technological domains, including embedded devices, firmware, wireless communication protocols, web and mobile applications, cloud services and APIs, and back-end network infrastructure."
  • "As an alternative to providing clients a security evaluation that represents a single, snapshot in time, Diana’s subscription model offers holistic, continuous security analysis. Using multiple analysis methods and machine learning techniques to identify new vulnerabilities introduced by incremental code movement, Diana is designed to provide customers with on-going, comprehensive, and efficient security testing coverage."
Quotes
  • "To keep pace with the mass adoption of smart home devices and drive business growth without service interruptions, you need the self-improving AI technology already used by over 500 million to secure their home networks, clouds and endpoints"
  • "Bitdefender IoT Security Platform’s self-improving design supports the rapid adoption of Internet-connected devices on new or existing infrastructures. It protects the whole networking ecosystem against cyber attacks, malware, and spying attempts. And Bitdefender is uniquely positioned to deliver the best protection available: drawing on the intelligence of more than 500 million endpoints, each new detection automatically improves the platform for all users globally."
  • "The Bitdefender IoT Security Platform is flexible enough to allow you to add security features even on lower performance devices, where heavy local processing would impact end-user QoS due to hardware constraints. You can also go completely modular and integrate one or all of our IoT security technologies into your offering."
  • "Innovation and a deep passion for security stand at the heart of Bitdefender. The Bitdefender IoT Security Platform keeps all devices in the smart home safe by employing enterprise-grade filtering and inspection technologies tailored for the home network environment. Our Security-as-a-Service (SECaaS) platform also includes a whole suite of features for easy embedding with all infrastructures."
Quotes
  • "Without an agent, Armis discovers and monitors all devices in your environment, managed or unmanaged, on/off your network, and in your airspace. This is critical for any organization, including those subject to regulatory frameworks like PCI, HIPAA, or NIST, or if you follow security guidelines like the CIS Critical Security Controls. Our unique out-of-band sensing technology allows you to see all connected devices – from traditional devices like laptop computers, smartphones, and printers to new smart devices like TVs, webcams, HVAC systems, medical devices and more."
  • "Armis doesn’t just tell you what each device is, we tell you what the device is doing. We continuously monitor the behavior of all devices in and around your network to detect a possible compromise. Armis compares real-time device activity to established “known-good” baselines in the Armis Device Knowledgebase. We also assign a risk score to every device via our Risk Analysis Engine. This score is based on factors like vulnerabilities Armis detects, known attack patterns, and the behaviors that we observe on your network."
  • "Armis doesn’t simply generate alerts, we can automatically take action to protect your organization or stop an attack. We work with your existing security enforcement points like Cisco and Palo Alto Networks firewalls, Network Access Control (NAC) products, as well as directly with your wireless LAN controllers to restrict access or to quarantine suspicious or malicious devices"
  • "As an agentless solution, Armis is frictionless to deploy and can be up and running in minutes, letting you see the devices in and around your environment. We don’t require agents and don’t impact your existing network infrastructure."
Quotes
  • "Claroty offers a live window into your network, delivering full-spectrum visibility across IT, OT, and IoT networks without the need to install agents and at no risk to operations."
  • "Claroty’s integrated suite of cybersecurity products addresses the unique challenges of ICS systems allowing engineers, operators, and cybersecurity professionals to protect the most complex industrial networks."
  • "Claroty offers the only integrated and comprehensive IoT and OT security monitoring and remote access control platform. Our customers benefit from the most coverage and fastest deployment in the industry. Translates to the best visibility and fast time-to-value. Our machine learning technology eliminates the noise that characterizes other security products. This explains why Claroty’s deployments span fifteen industries in over twenty-five countries across the globe. And why the world’s leading industrial automation vendors have backed our company and adopted our technology."
Quotes
  • "Cisco IoT Threat Defense blends our security architecture and services to defend your IoT deployments"
  • "Protect control systems from attacks and human error while assuring availability."
Quotes
  • "Non-traditional endpoints—from wearable fitness trackers to energy grid sensors—are expanding the attack surface. With the number of connected IoT devices expected to hit 28 billion by 2020, security is critical. McAfee Embedded Control provides whitelisting and file integrity monitoring technology to combat targeted malware, unauthorized software changes, and configuration alterations across commercial and industrial IoT devices."
Quotes
  • "A high degree of protection can be achieved by leveraging IOT security for a transiting USB device. Air-gapped environments are frozen in time and host unseen classes of malware, often via a transiting USB device between the OT and IT networks. Monitoring at a network security level does not enable organizations to prevent even accidental infections. Our plug & play USB scanning station is endowed with artificial intelligence technologies to prevent known, unknown and future forms of attacks, such as adversarial machine learning."
  • "Your facility does not have to be a target; accidental infections happen daily. Implement control points to protect against USB-borne malware, network intrusion, and zero-day exploits to industrial control systems with ICSP and CSP integration."
  • "Whether your industrial control system is 20 years old or modern-day technology, our IOT security solutions provide you a high degree of protection without replacing existing equipment, software or downstream operations"
  • "Cyber criminals continue endangering patient safety by tampering with medical devices and continue to manipulate PHI and PII data. Deploy application whitelisting and sandboxing capabilities to prevent malware such as ransomware or spyware from installing and executing; control access to external hardware (e.g. USB) and the users / groups that can install applications on your medical IOT devices."
  • "Building a cyber defense arsenal for IOT systems requires control points for a vast range of operating systems and device-specific threats. Our lightweight behavioral hardening engine is purpose-built to protect legacy and EOL systems, by adding layers of defense at the kernel level to prevent unhygienic operations to your endpoints. Naturalizing defense on fixed-function systems through our application whitelisting approach ensures IOT device security , freezing systems such that malicious content is unable to run. Critical System Protection isolates IOT devices from network intrusion, zero-day exploits, and other future forms of attacks"
Quotes
  • "Here, we present 25 trailblazing IoT security companies, presented alphabetically. All the companies on this list either have a dedicated IoT security business or they leverage innovative connected technology to help thwart security risks, whether they are stopping an unauthorized person from accessing the network or a drone from entering an organization’s property."
  • "Criteria for ranking included firms’ degree of focus on enterprise and industrial IoT security and the innovation and market traction of their product offerings. When available, we factored into the ranking reviews of the companies’ technology and workplace culture. "