How can we Prevent an Internet of Compromised Things?

by Nik Hewitt on November 22, 2022

The shape of things to come

An increasing array of physical household and business objects now come with a plethora of sensors, software, and processing abilities, connecting to like-minded devices and swapping data with additional systems via the internet or across networks. These objects and devices have rapidly become the norm, and are a growing and evolving part of our day-to-day business and smart home operations.

The advent of global 5G networks has meant an exponential rise in connected devices. In the last few years, voice-activated lighting and entertainment, city infrastructure sensors, human-wearable biometrics, residential appliances, family vehicles, building heating, building security, and even smart pacemakers, have become commonplace in offices, workshops, laboratories, hospitals, and homes. It is predicted that, in total, there will be 41.6 billion connected IoT devices by 2025 (IDC).

Invariably using a Dynamic Host Configuration Protocol (DHCP) server, they use integrated CPUs, network adapters, and firmware, to connect via an IP address. While this adds functionality and integration into the devices we use daily, it also adds vulnerability.

With great power…

All manufacturers now have a responsibility to their customers to provide adequate security for the lifetime of their products. For many producers, this is a new way of thinking, and they are unlikely to have had to consider the ramifications of a cybersecurity compromise before now. For some countries, where manufacturing costs are inherently cheaper and development processes are more ad-hock, this is an entirely new concept.

While black hat hackers targeting our ancient printers, smart water bottles, refrigerators, or toothbrushes might not sound too concerning, these are sometimes nodes on a network that can then be used to access more critical devices. Accessing other devices means they may also gain access to other systems – and as a consequence, critical infrastructure and data. They can also be used as part of a botnet farm of internet-connected devices co-opted for the purpose of a DDoS attack, pinging other devices as smaller parts of a single attacking entity. Yes, IoT devices could be switched on, off, or put into other operational configurations, but that harmless old printer in the corner could also be taking up valuable bandwidth and resources, or that outdated IP web camera could be snooping on your network activity.

Critical longevity

More obviously concerning is if those same hackers come for our streetlights, medical equipment, mobile communications devices, or autonomous vehicles. Without protection now, there could be dangerous ramifications in the future. There are millions of connected devices already on the market, and many of these need to be safer, future-proof, or supported with patches and security updates. Each vulnerable object could lead to a cybersecurity breach – and a potential legal claim for negligence as a consequence.

Any IoT (Internet of Things) product must be available to accommodate future changes in the security landscape. An increase in computing power and the further growth of AI/machine learning could be major disruptors in the coming years, and smart objects must be able to update themselves, as problems arise, while being secure upon release. Any product security must exceed any predicted product life expectancy. When the life expectancy of some products, like white goods or commercial vehicles, is measured in decades, this is not a small order.

Do not be surprised if a new International Organization for Standardization (ISO) standard appears in the next few years, guaranteeing that all adequate cybersafety precautions have been met for any new smart devices, and do not be surprised if the public becomes cognizant of this quickly and it turns into an important part of their purchase decision process.

Future-proofing

User education will be important, and device users will need to adopt security best practices like changing default security passwords and blocking any remote access not required for a device to operate – by default. Manufacturers may adopt compulsory password changes from the default setting to facilitate this, multi-factor authentication (MFA), or a smart password management policy to devices as standard.

It will be essential to protect command and control (C&C) server centers from compromise attempts and DDoS attacks by using Web Application Firewalls (WAF) to safeguard other connected systems, and to offer at-the-Edge filtering, stopping authenticated and authorized requests from getting any further. Runtime protection should also be utilized to intercept any additional calls from applications (and associated devices) to external systems, to validate data requests within the app, and guarantee they are secure regardless of other security practices and the origins of development code. RASP also helps in the battle against zero-day attacks, letting an app defend itself without the need for patches or signatures.

Any WAF services and DDoS mitigation solutions must also be equipped with load balancing and failover functionality, to avoid the inevitable spikes in traffic that can occur during the release of any new firmware patch.

While it is vital to consider IoT network security, producers will also need to address the matter of IoT encryption (helping to mask data traveling between IoT edge devices and back-end systems, and protecting that same data when at rest) and IoT authentication (considering multiple device users and providing authentication mechanisms, such as static passwords, MFA, or biometrics).

Manufacturers will further need to notify users if their devices are operating with outdated software and prompt version updates as required. Consideration should also be given to the removal of remote device access, as standard, unless required for essential device functionality, plus a rigorous API authorization and authentication policy to further support best practices.

Being cognizant of how our IoT devices might be used and exploited in the future is the responsibility of the manufacturer and producer, and is something we must consider now to prevent catastrophe in only a few years’ time. If you’d like to know about future-proofing IoT devices, please take a look at our IoT security overview for more information, and don’t hesitate to get in touch with us if you’d like to talk more about IoT and the future of device security. It’s in everyone’s interest to help prevent an internet of compromised things.