Preparing for Next-Generation Cyber Attacks Targeting IoT
As massive IoT becomes a reality, the threat surface has hugely expanded, with every sensor, module, connection, and processor becoming a potential entry point for cybercriminals. We’ve heard of fish tank pumps being used to attack Las Vegas Casinos and tire pressure monitors providing the entry point to hack vehicle systems, so it’s clear that there are many dimensions to consider to secure your IoT deployments.
What is clear is that the volume and diversity of attacks are increasing. Research by security specialist Kaspersky uncovered more than 1.5 billion attacks against IoT devices in the first six months of 2021. The firm’s telemetry data, gathered from its honeypots that collect attack information, shows that cyberattacks on IoT devices have increased by more than 100% since the previous half-year.
Greater understanding of the potential threats facing IoT deployments is needed and stronger measures to mitigate security weaknesses need to be put in place. However, security needs to be proportionate to the risk and there is a concern that investing too much in IoT security could hinder scalability in the future or delay time-to-market now.
Hardening a device means making it more secure and resilient to attacks from hackers.
However, the flip side of this coin is that attacks are proliferating and damage comes in multiple forms, not all of it with a clear monetary value. For example, attacks that steal customers’ data may not immediately result in lost revenue, but they will cause reputational damage and typically result in substantial fines from regulators. In addition, cybercrime is rapidly professionalizing.
Cybercrime is Evolving
Previously, casual hackers attacked organizations near-randomly with ransomware, phishing emails, and distributed denial of service (DDoS) attacks, but cybercrime is now more sophisticated and well-managed, with some nations approving and supporting attacks on businesses and other nations. We know of cybercriminal organizations that are so well-structured they have call centers to take victims' ransom payments, and they target specific businesses in specific countries.
DDoS is only one of many attack methods that cybercriminals can use, but it costs just a few dollars to launch a massive attack, so even on the radically widened threat surface of IoT, huge volumes of attacks can be launched at minimal cost. IoT organizations, therefore, need to prioritize addressing their greatest risks and find rapid and cost-effective ways to protect themselves and their users. They must also recognize that security is a continuous process and not something that can be done once and forgotten about. The IoT skills gap means most organizations will turn to the IoT ecosystem to find ways to achieve more secure deployments that meet their cost and time constraints.
At the same time, IoT device connectivity is becoming more secure, with the identity of the device better protected than it is with a traditional plastic SIM card. New SIM technologies such as integrated SIM (iSIM) have the potential to offer improved security, but adoption is at an early stage and there are challenges to be addressed regarding secure key sharing between operators. The embedded universal integrated circuit card (eUICC) should remove the need for physical sockets in devices, which have, in the past, been a prized entry point for criminals. The capability to manage embedded or integrated SIMs remotely via remote SIM management systems provides users with a fully-tested means to provision secure connectivity and protect the device's identity.
The Main Threats
Lack of Physical Hardening of IoT Devices
Cost can play its part in allowing non-hardened devices to be deployed into the market. The need to keep device costs low can result in weak devices, but the adoption of hardened devices that also have fewer ways to be hacked, such as integrated SIMs rather than traditional plastic card SIMs, can substantially mitigate risk.
Insecure Data Storage and Transfer
Insecure communications and data storage are among the greatest concerns facing IoT deployments because this is where sensitive data can be exploited. Data encryption is the means to address this, and it is an effective way to fight against eavesdropping attacks used in industrial espionage. Encryption also provides a defense against man-in-the-middle attacks in which the hacker intercepts messages and injects new ones between two devices.