A lack of security in IoT devices can provide a backdoor to corporate networks.
Many low-cost IoT devices have weak network security that could allow hackers to access corporate networks through those devices. Companies compete on who can develop the most feature-rich products at the best price; device makers, unfortunately, haven’t made security a priority.
In the past, most of the connected devices in manufacturing used 2G/3G cellular technology, secured by strong encryption protocols on cellular carriers’ networks. But now cellular hardware is challenged by new low-cost WiFi and Bluetooth-enabled devices using wireless technologies, including standards such as ZigBee and WiFi 802.11ah. While these new standards offer the possibility to connect many more devices at low cost, they pose bigger security challenges by operating in frequency bands that everyone can access and exploit.
Last month, the Security of Things hackathon hosted at MIT’s Media Lab showed just how difficult it is to protect WiFi and Bluetooth-connected devices from motivated hackers.
The hackathon was a unique opportunity to explore the vulnerabilities of connected devices, as teams competed to find a way to get full control of the devices, many of which had been purchased on Amazon by the organizers, according to published reports. In many cases, the hackers were able to get in within a few minutes, using passwords such as “1234” or “admin.” One hacker explained how accessing an inexpensive WiFi-connected baby monitor enabled him to break into the home network and open the electronic lock on the front door.
Many off-the-shelf IoT devices are shipped with very basic WiFi credentials, use older encryption protocols, and have default passwords such as admin/admin. Changing the default security settings of each of those devices is very time-consuming.
Additionally, manufacturers rarely provide security updates and, when they do, they are difficult to install. A WiFi-enabled smoke detector may work fine for several years, but hackers could exploit a previously fixed security hole if the device firmware has not been updated.
Once a hacker has access to one device in the network, he or she can start compromising other devices and potentially access sensitive data and services in the organization.
The problem often is exacerbated when IT is not involved in the purchasing decisions for connected devices. Some departments feel that they know much better what devices to buy because they are experts in their area, and they want the models that provide the best solution for their needs. But in the search for the most advanced features for the task at hand, they are likely to overlook the security implications of connecting those devices to the corporate networks.
The IoT industry — forced by demonstrations of product vulnerabilities — is beginning to improve the security of its products. Last year’s news that hackers were able to remotely kill the engine of a Jeep on the highway triggered a recall of 1.4 million vehicles for software upgrades. In 2014, two Spanish researchers demonstrated how vulnerabilities in one of the most popular models of smart meters could be exploited. The industry is waking up to the potential of attacks and legal liabilities, and slowly becoming more proactive, instead of reactive, on the issue of security.