Cybersecurity Snapshots #13 - Are IoT Devices Secure?

Cybersecurity Snapshots #13 -

Are IoT Devices Secure?

Internet-of-things (IoT) devices are already being used frequently in homes and businesses, and their use will be continue to grow in the future. Researchers from Hub Entertainment Research found that in 2020 39% of all homes in the US have a connected device, and there was a 33% increase in US homes using smart home gadgets in 2020. Since IoT devices are increasingly being used within enterprise and home settings, we need to ask whether IoT devices are secure.

Researchers with Nokia's Threat Intelligence Lab discovered that IoT devices had become a favorite target for cybercriminals this year. New research has shown that there has been a sharp increase (100%) in IoT infections observed on wireless networks. IoT devices are now responsible for 32.72% of all infections observed in mobile and Wi-Fi networks, up from 16.17% in 2019. Researchers with Nokia's Threat Intelligence Lab believe that IoT infections will continue to grow as connected devices increase in home and enterprise settings.

Researchers at Purdue University found a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks and potentially impacts billions of IoT devices. The BLESA flaw arises from authentication issues in the process of device reconnection, which is an area often overlooked by security experts. Attackers can use BLESA on BLE implementations on Linux-based BlueZ IoT devices, Android-based Fluoride, and the iOS BLE stack, while Windows implementations of BLE remain unaffected.

Researchers at Palo Alto Networks Unit 42 have found that 99% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network. The researchers also found that more than half of all IoT devices are vulnerable to medium or high severity attacks. The type of device that brings in the most security issues are cameras, and they amount to about 33% of security issues seen among general enterprise IoT devices. Many IoT devices have insecure software or have been deployed in an insecure configuration, which leaves them vulnerable to attack. For example, 83% of medical imaging systems use unsupported operating systems, which is a severe security issue. Even though the number of imaging systems used in the medical field is not as great as other medical devices, it is the number one type of device that brings in the most security issues.

Researchers at Irdeto conducted a survey of 700 security decision-makers from the US, UK, Japan, Germany, and China, from the connected health, connected transport, and connected manufacturing industries to determine the types of cyberattacks targeting IoT devices, their concerns about the technology, and the security measures in place. The researchers found that 82% of healthcare organizations' IoT devices have been targeted with a cyberattack within the last year, compared with 80% of organizations overall. Manufacturing organizations' IoT devices were the second hardest hit (79%), followed by connected transports' IoT devices (77%). On average, an IoT-focused cyberattacks cost healthcare organizations $346,205, slightly higher than the overall average for all industries that totaled $330,602. Only 7% of attacks against healthcare IoT devices had no financial impact. Overall, more than three-quarters of US organizations have faced an IoT cyberattack. Operational downtime was the biggest impact for those organizations (55%), followed by compromised customer data (37%), and compromised end-user safety (36%). Only 11% said they had no impact after the IoT security event. Almost all manufacturers and 96% of users said the IoT devices they manufacture or use could be improved a little or by a great extent. Those numbers increase for the healthcare sector, with 98% saying IoT devices have room for security improvements. The overwhelming majority (83%) of organizations are concerned about IoT devices being targeted by cyberattacks, hacking, or a security breach, with 82% expressing concern that these devices are not adequately secured.

IoT security has been foreshadowed in the past, with many organizations and users stressing that there is a lack of standard guidance about IoT security, contributing to the lack of overall awareness. The new IoT Cybersecurity Improvement Act that recently got the stamp of approval by the U.S. Senate aims to help create more IoT security guidance. Dirk Schader, global vice president at New Net Technologies (NNT), stated that security measures, like the IoT Cybersecurity Improvement Act, “improves the security posture overall.” Hack Mannino, CEO at nVisium, believes that Fixing IoT security requires a concerted effort across the supply chain, not on fixing a singular technology or vulnerability. He also believes that establishing better standards and accountability for securing devices and their software is a positive development. The number of attacks on IoT devices is predicted to grow into the future. Hopefully, with new IoT security standards put in place, insecure IoT devices will cause fewer data breaches in the future.