https://www.sikich.com

Security Considerations for the Internet of Things (IoT)

John Shegonee

Mar 22 2019

4 min read

Nowadays, you can use your smart phone to lock your front door from anywhere. And that door can have a doorbell that lets you see who’s at your home, even if you’re not. Perhaps you’re at the grocery store checking that you’ve got everything on the shopping list that your refrigerator sent you.

More and more, the devices we use daily are becoming “smart” and/or “connected” devices, meaning they can connect to other devices or networks to communicate. This interconnection of devices that historically had no ability to connect to the Internet, for example, home appliances, vehicles, and medical devices, has come to be referred to as the Internet of Things (IoT). It is estimated that, by 2020, there could be as many as 20 billion connected IoT devices.

As the number of devices with the ability to connect and communicate with one another over various networks increases, so too does the number of vulnerabilities being discovered that are associated with these devices. These vulnerabilities can potentially lead to network compromises, identity theft or device takeovers to name just a few possibilities.

From a security standpoint, a concern is that many IoT devices, at least at this point in time, run insecure and vulnerable embedded firmware. To understand the potential dangers related to exploitable IoT vulnerabilities, you can take a look at the post “5 Infamous IoT Hacks and Vulnerabilities” from IoT For All, which discusses:

The cyberattack related to the Mirai DDoS botnet, in which a massive distributed denial-of-service (DDoS) attack using an IoT botnet took down large parts of the Internet across North America and Europe.
Virtual carjacking, where researchers were able to exploit a firmware update vulnerability in which they were able to remotely control a vehicle over a cellular network.
The lack of encryption or authentication for Wi-Fi baby heart monitors, which could let attackers take over the devices and keep alerts related to an infant’s cardiac conditions from being sent to parents.
The Devil’s Ivy Rube-Goldberg attack that made it possible for hackers to control security cameras and access video feeds within buildings to capture potentially sensitive information.
A data breach related to a children’s toy that exposed millions of voice recordings between parents and their children.

In an effort to help device developers and manufacturers better secure and harden IoT devices and networks, the Open Web Application Security Project (OWASP) Foundation recently released an updated version of their Top 10 IoT vulnerabilities.

IoT security internet of things security

The OWASP Top 10 IoT vulnerabilities list primarily helps guide IoT hardware designers and software developers in the creation of secure solutions. While most people aren’t creating IoT devices, the list also suggests some steps organizations and individuals should take when selecting and deploying IoT solutions, including:

Researching the reputation of the vendor and solution, including reviewing security notices
Implementing a secure, isolated network environment for IoT systems separate from other networked systems
Setting strong, unique passwords for IoT interfaces
Selecting IoT solutions that provide a centralized management interface for managing passwords, configurations and firmware updates
Enabling multi-factor authentication if available
Hardening devices by changing default settings to the most secure option following vendor instructions

OWASP also provides additional security guidance for manufacturers, developers, and consumers.

The availability of IoT devices offers several benefits, including in terms of convenience and efficiency. And while it’s unlikely that the everyday consumer can either fully secure their IoT devices on their own or completely avoid IoT devices, being aware of the potential risks can put a consumer in a better position to leverage IoT devices in a more informed and secure manner.

Have questions about your organizations own IoT security? Don’t hesitate to reach out to us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author

John Shegonee

John Shegonee is an Information Security Analyst for the firm’s Security and Compliance practice. He currently works as part of the Sikich vulnerability scanning and assessment team. In this role, John provides guidance to firm clients that are enrolled in Sikich’s proprietary external vulnerability scanning tool to help them as they work to address vulnerabilities within their environment, including clients that use the scanning tool as an Approved Scanning Vendor (ASV) solution to demonstrate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).