Ready or not, the Internet of Things (IoT) is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years.

IoT Security Is an Afterthought

History shows that most fast-growth technology solutions focus on solving business problems first; security is an afterthought. Web applications, which have grown dramatically to hundreds of millions in number over the last decade, still have major security problems, and cybercriminals continue to attack through this low-hanging fruit. Mobile apps, numbering around 4 million and counting, are still easily exploitable, leading to major losses from cyberattacks.

Unfortunately, IoT is following the same trend. Most IoT devices, apps and infrastructure were developed without security in mind and are likely to become targets of cybercriminals.

IoT Will Allow for Attacks We Can’t Even Imagine

To put it bluntly, IoT security concerns are critically serious. According to some security experts, major cyberattacks against IoT devices are looming. From connected cars to connected medical devices to smart buildings and cities, security implications are huge.

Bruce Schneier painted a very gloomy picture in a recent article. Schneier said that “the Internet of Things will allow for attacks we can’t even imagine” and noted that “the next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.” He added that “today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway.”

This may be a dark view of the IoT, but many organizations fear the worst when it comes to their security. Business executives consistently cite security as a major barrier to adopting IoT technology.

IoT Threat Vectors

Today’s IoT software applications are entrusted to securely manage your organization’s health care, transportation and other critical functions without fail. However, IT and security executives must be aware of safety and security risks that connected products pose as they rapidly evolve from unintelligent point objects into fully autonomous, IoT-enabled smart devices. They must also understand that fundamental security protection begins with controls built into devices and applications, and takes the ecosystem in which those devices and applications operate into consideration.

At a very high level, a typical IoT framework consists of edge devices (such as sensors, adapters, beacons, etc.), a gateway to communicate with these devices and a back-end server in the cloud or on-premises. You have to take each section separately and address security issues for each. Conduct a security penetration test, for example, to find out if endpoint devices can be hijacked and exploited.

If you need certificates for devices to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, make sure that besides the network security and data encryption issues, you address application security issues by performing security testing and fixing vulnerabilities. You should also harden binary code to protect your environment. An effective organizational security plan should incorporate basics such as network security protection and data encryption as well.


Securing IoT Infrastructure, Piece by Piece

Most companies lack the resources to protect every single aspect of the IoT infrastructure, so it’s important to prioritize the various assets based on exposure and liability issues. Fundamentally, it’s about risk management.

A medical device manufacturer, for example, might have various IoT initiatives that could include smart buildings with lighting and thermostat controls, security cameras, logistics automation and the actual products being sold to medical facilities. Clearly, from a liability perspective, it has to ensure the security of its medical device products that communicate with each other over the internet before it looks at other internal IoT projects. Similarly, automotive manufacturers would want to make sure their connected car infrastructure can operate securely between the consumer's mobile device, the dealer's software and the telematics system.

Governments across the globe need to start taking IoT security seriously and create standards for companies to follow. Some discussions have already begun; Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress last year, warning of these threats, Schneier noted.

Although organizations don’t always welcome new regulations, minimal oversight opens doors and budgets for security teams. CEOs and boards of directors are more inclined to create budgets for compliance-related issues because they don’t have a choice. They might get complacent if there is no regulatory standard with specific deadlines. Many companies naturally tend to wait until they get attacked, which is absolutely the wrong practice to follow.

Get Educated

As a security manager and executive, you have to start by educating yourself on the concepts of IoT, various vulnerable vectors and the solutions available to protect your infrastructure.

Watch the on-demand webinar: Application Security and the Internet of Things
