Never Gonna Give You Up: staying on top of IoT security risks

The old bait-and-switch digital prank “Rickrolling” has wavered in and out of popularity for the last decade and a half, but an 18-year-old student of Security Research and Computer Science put up a blog post earlier this year detailing a creative spin on the classic prank – he “Rickrolled” his entire school district via an IoT hack.  

Thankfully, for all those involved, the outcome of this Whitehat hacking prank was hilarious, entertaining, and relatively victimless. The perpetrators took care to ensure they would not disrupt any school sessions or tests. They even debriefed the school district’s IT team with information on how and where they found the vulnerabilities to prevent a malicious attack in the future. You can read the full account of the incident, accompanied by a video, here.  

IoT has been around for decades now, so you might wonder how this practical joke was so easy to pull off? The short answer is that IoT is often overlooked in cybersecurity because IoT devices are built with convenience, not security, in mind. As we’ll explore here, it’s imperative that your IoT landscape be included as part of your cybersecurity risk assessment. With the amount of data handled via IoT, it can quickly become overwhelming. This is where Axio360’s platform can help you gain a better, holistic understanding of your environment.  

Consumer IoT 

IoT, or “the internet of things,” is a term used to describe “sensors and actuators embedded in physical objects [that are] linked through wired and wireless networks.” It includes a broad list of devices used to collect and transmit data from one device to another without human intervention. Most folks are the most familiar with consumer IoT. Consumer IoT includes things we use every day. A network of devices, such as Siri, FitBit, Alexa, Ring doorbells, Smart Home automation, etc., are all examples of IoT devices. They are meant to operate in the background and make daily tasks easier. 

Consumer IoT is ubiquitous, and because it often runs in the background and integrates so seamlessly with our daily lives, it’s no surprise that many people don’t often think about or consider security when using or purchasing these devices. Using webcam feeds as an example, CNN demonstrated in 2019 how easily consumer IoT devices can be hacked, and our personal privacy compromised. And there are many, many, more examples to be found online. The popularity of personal IoT devices continues to grow at a much quicker rate than the call for better protection against IoT attacks, raising the risk of attacks on home network security. 

“Smart technology requires smart handling,” says Martin Schallbruch, former Cybersecurity consultant to the German government; he compares ordinary users living in “smart houses” full of “smart devices” to a systems admin managing a data center. Meaning, consumers should follow basic cyber hygiene guidelines, just as sysadmins are required, like keeping software up to date, changing passwords, etc.  

IoT for Business and Government 

Whether a person chooses to outfit their home with smart devices or not is irrelevant because, in 2021, living without IoT is nearly impossible. Today, there are more than 10 billion active IoT devices, and in the US, IoT devices are used throughout our critical infrastructure. Examples include medical devices, supply chain tracking (GPS), predicting when manufacturing equipment needs maintenance, and other critical infrastructure system management like power plant or water plant monitoring. Deloitte projects that, in healthcare alone, the global IoT market will be worth $158.1B in 2022. 

The growth of IoT in the business world brings with it an evolution of cyber risk and increased scope of damage. In 2017, the FDA discovered a vulnerability in pacemakers issued by St. Jude Medical, leading to a recall of 500,000 devices. The security flaw allowed potential hackers unauthorized access to the devices via “commercially available equipment.” In 2021, Peloton learned from its Advanced Threat Research consultant, McAfee, that its bike had a vulnerability that would have allowed a hacker to gain access to the Peloton tablet, where they could install malware and intercept the user’s personal data, or even gain control of the device’s camera and microphone. Peloton issued a patch for this vulnerability before any known exploits occurred, but it doesn’t ensure future vulnerabilities can’t arise. While the NSA has helped ensure that President Biden’s Peloton and other devices are secure, what about other high-ranking officials, judges, CEOs, etc. that don’t have the NSA’s help? 

The advancement of IoT technology reduces manual labor and cost while it increases efficiency through automating business processes. A 2021 study found that the main revenue driver for most enterprise IoT projects is cost savings, and, on average, over 80% of senior executives across industries say IoT is critical to some or all lines of business. 

However, these applications become vulnerable as they need to communicate via the internet to send information to other devices, making IoT cybersecurity for businesses critical. Your cybersecurity strategy is only as strong as your weakest link. “Just one device can compromise the entire system, whether it’s a home or an entire industrial system,” Schallbruch points out.  Cyber-attacks against critical systems are on the rise, and the reliance on IoT produces a landscape where attacks are easy to create and difficult to remedy. Business leaders need to understand that IoT security must be included in the foundations of their cybersecurity risk management strategy.  

How does this affect me? 

Again, most IoT devices are built with convenience in mind, and often the cost of convenience is security. Outside of home automation and digital assistants, IoT plays an integral part in the way we do business at an enterprise level today. It provides the data we need to make better business decisions. 

Part of your cybersecurity risk assessment process needs to look at IoT devices because, for the most part, they’re not built with security in mind. Most IoT vendors don’t think of themselves as security professionals, so it’s up to businesses and general consumers to ensure their devices are secure. IoT devices are significant potential risk factors that you must consider in your risk assessment scenarios. Axio360 offers practical business solutions that you can use to discern what basic cybersecurity principles apply to your IoT devices when making risk management decisions.