By Antoinette Hodes, a Check Point Global Solutions Architect and an Evangelist with the Check Point Office of the CTO.
This article aims to provide a comprehensive overview of the most common misconceptions surrounding IoT (Internet of Things) devices. As the adoption of IoT devices continues to grow, it is crucial to address these misconceptions and provide accurate information to users and businesses alike. This will lead to better adoption and utilization, and foster a more informed and secure IoT ecosystem.
IoT devices are not a valuable target for hackers (read: criminals)
This is false. IoT devices often collect personal and sensitive data, making them attractive to hackers. Topics like user consent and data privacy should be addressed. IoT data is the “new gold” and it is important to anonymize data and incorporate data privacy-by-design principles.
IoT devices don’t collect or hold sensitive information
Many IoT devices collect and transmit personal or sensitive data, which can be compromised. Although devices will not store it, security controls like data encryption are often needed. There 3 types of data: data at rest, data in transit and data in use. Data in use the most vulnerable and often easy to compromise.
IoT devices do not pose a risk to the overall network security
Often, there is an assumption that IoT devices are isolated from the network: IoT devices can act as entry points to the broader network, a potential starting point of starting the Cyber Kill Chain. We also see lateral movement and propagation attacks.
Manufacturers always prioritize security when developing IoT devices
IoT device manufacturers are already under high levels of pressure in a very competitive market. They must balance cost against device functionality, while remaining attractive and differentiating their products. So, in general, security is often overlooked in favor of functionality and cost-cutting measures. IoT devices are often not “Secure by Design” or “Secure by Default”.
Physical access to an IoT device is required to compromise its security
In many cases, IoT devices are remotely exploited and compromised. Connected devices provide access, enabling attackers to exploit vulnerabilities or extract sensitive data from the IoT devices. Or devices can be utilized for network based attacks, like Man-in-the-Middle (MitM) attacks. This can lead to disruption or unauthorized control.
IoT devices are only a threat on the internet
IoT devices connected to a local network can still be compromised and pose a threat. They can be used as jump host, infiltrate or scan the network, lateral movement and propagation attacks.
IoT devices are immune to malware
There is a general assumption that IoT devices are immune to malware due to limited hardware. Nonetheless, malware can infect IoT devices, allowing hackers to gain control or use them as part of a botnet. IoT devices are often connected to the internet and can potentially be accessed by attackers. IoT devices are often used in critical infrastructure, like power grids and hospitals. This makes them very attractive targets through which to cause a massive and widespread impact.
IoT device security is a one-time setup
Either the device should be hardened from within, making it zero-day proof or security measures like ongoing monitoring, updates, and patching are needed. IoT device security is not a “set and forget” kind of thing. As the technology evolves, new security threats evolve along with it. IoT devices that are not attended to, from a security standpoint, can quickly become outdated and vulnerable.
Consumers are not responsible for securing their IoT devices; it’s the manufacturer’s job
Manufacturers bear the responsibility of prioritizing security during the design and development stages. Through the implementation of robust security measures, they can effectively shield consumers from potential attacks and breaches. However, consumers also have a role to play in ensuring device security. By actively pursuing measures such as changing default passwords, using strong passwords, and keeping devices updated, consumers can actively contribute to safeguarding their data and preventing cyber attacks. Ultimately, the security of IoT devices is a shared responsibility between manufacturers and consumers. Informed and educated consumers who prioritize security will assess the security level of the device they intend to use, opting exclusively for trusted reputable vendors.
Home IoT devices are not targets
It is often believed that cyber attacks solely target specific individuals or organizations. However, a significant number of cyber attacks are classified as “spray attacks.” In these cases, random victims with lower levels of security become the primary targets.
Furthermore, attackers frequently focus on home IoT devices, aiming to either obtain personal data or exploit their vulnerabilities for more significant attacks. Unfortunately, many of these devices lack proper security measures, making them easy to compromise. Once compromised, these assets are often utilized as “zombies” in a botnet, potentially participating in activities like DDoS attacks.
In conclusion, debunking these misconceptions helps in understanding the true nature of IoT devices and the need for robust security measures to ensure their safe and effective utilization. Ultimately, the security of IoT devices is a shared responsibility between manufacturers and consumers.