Who’s at the Back Door: The Very Real Security Risks of IoT

May 18, 2023

Cybersecurity is a critical concern for any business–or at least it should be. While you know by now to protect your corporate IT network from users who leave post-it notes with passwords stuck to their desktops, or who answer suspicious emails asking for login credentials, you probably don’t think twice about a rising source of cyberattacks: the Internet of Things, or more specifically, IoT devices.

IoT devices are items that connect to the internet, commonly known as “smart” devices. When we think of smart devices, we may think of cloud-based office security systems or mobile devices, but the category goes much further. Your HVAC systems, Bluetooth speakers, smart LED lighting–even your coffee maker–are a new attack vector for malicious actors.

IoT Attacks on the Rise

Enterprise companies have made headlines for various IoT-based attacks–famously, in 2014, Target fell victim to an IoT attack in which a remotely accessible HVAC system served as the point of entry, while just last year, a 19-year-old managed to remotely hack over 25 Tesla smart cars. This type of attack is on the rise in 2023, and its potential is far underestimated by a valuable target: SMBs.

SMBs make a great target for IoT attacks for several reasons, one of which is that they don’t view themselves as desirable targets because of their size. Enterprise companies are far from the only ones being breached: in 2021, the FBI’s Crime Complaint Center received 847,376 complaints involving cyberattacks and malicious cyber activity, amounting to almost $7 billion in losses. The majority of those targeted were small businesses.

Some of the most common reasons SMBs are targeted by hackers include random drive-by attacks and criminal enterprise activity such as:

  • Ransomware
  • Bitcoin mining on your network
  • Using your infrastructure to attack someone else–stealing your resources to perform a DDoS attack on a third party

Because of the perception of minimal risk and the growing number of IoT devices going mainstream every day, many small businesses don’t think twice before installing smart devices–and often don’t implement measures to keep those devices from becoming a vulnerability in their network.

Why IoT Requires Special Consideration

IoT devices are not a new concept in themselves–they’re essentially just computers living inside everyday devices and connecting to the internet. But because these embedded computers have weaker security, are spread across disparate locations, and are often not managed through the same corporate security suite that protects regular PCs, phones and laptops, they require extra security considerations. Unfortunately, they’re the least likely devices to be protected, which leaves a perfect gap for bad actors to slip through, and cybercriminals know this and happily exploit it.

“The fact that something is connected creates a door, and now the question is, how determined is the opponent, how determined is that malicious actor that wishes to walk through that door?” says Ariel Pisetzky, a 25-year IT world veteran, Team 8 member, and VP of IT & Cyber at Taboola, on The UPSTACK Podcast.

As an SMB, you probably lack the resources to reach the pinnacle of security, and this can feel discouraging. But, it’s better to have many good locks throughout your infrastructure rather than one great lock with many holes surrounding it. The best method of reducing risk is to invest in solutions appropriate to the level of risk itself. In the following paragraphs, we’ll walk you through three major risks and how you can avoid them.

1. Isolate your smart devices

Connected devices have IP addresses and take instructions over the internet. They are usually managed only through the narrow, vendor-defined management channel of the device’s maker. Most of the time, your company cannot intervene to define parameters, monitor processes, or install your preferred or mandated security tools. You can configure corporate computers and phones to your own security policy–but with a smart device, the vendor’s provisions and specifications are all you can rely on, and vendors are often not transparent enough in this area to ease concerns.

Unfortunately, all it takes is one lapse in your vendor’s security processes for an attacker to gain access to your full network through a single gap in a connected device–and for many SMBs, that network is the same one hosting corporate data, customer information, and other extremely sensitive information that hackers see as high-value for their criminal enterprises.

To counter this easy method of entry, isolate your devices on a network reserved solely for such devices, one that does not connect to your corporate IT network. An IoT device should never sit on the same network that hosts sensitive information and corporate data. Separating these devices from your main network and putting them on their own network won’t make them secure per se, but it will limit the damage that can be done.

One approachable way to manage this is with VLANs. VLANs, or Virtual Local Area Networks, isolate the traffic of groups of devices that share the same physical LAN, allowing you to separate IoT traffic from corporate traffic while still using a single network switch. This keeps operations streamlined while adding a layer of security to the operation of multiple IoT devices, as is common in modern office environments.

IoT devices in high-risk environments like factories and manufacturing plants, where critical industrial equipment (such as sensors) can be hacked and controlled, may require further protection. Devices that pose a higher risk to vital processes, control dangerous equipment, or threaten human life if overridden require much stricter access controls. In those cases, a firewall in front of these devices may be necessary in addition to network segmentation.
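Segmentation only helps if it is actually enforced, so it is worth checking the flow logs from your switch or firewall for traffic that crosses the boundary. The following Python check is an added example, not code from the original article or from UPSTACK; the subnets, the management-port policy and the flow-record format are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example segments: the corporate VLAN and the isolated IoT VLAN.
CORP_NET = ipaddress.ip_network("10.10.0.0/24")
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
# Hypothetical policy: corporate hosts may reach IoT devices only on these ports; IoT never reaches corporate.
IOT_MGMT_PORTS = {443, 8443}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def zone(addr: str) -> str:
    """Classify an address as 'corp', 'iot', or 'internet' (anything else)."""
    ip = ipaddress.ip_address(addr)
    if ip in CORP_NET:
        return "corp"
    if ip in IOT_NET:
        return "iot"
    return "internet"

def check_flow(flow: Flow) -> Optional[str]:
    """Return a description of the policy violation, or None if the flow is allowed."""
    src, dst = zone(flow.src), zone(flow.dst)
    if src == "iot" and dst == "corp":
        return f"IoT device {flow.src} reached corporate host {flow.dst} on port {flow.dport}"
    if src == "corp" and dst == "iot" and flow.dport not in IOT_MGMT_PORTS:
        return f"Corporate host {flow.src} used non-management port {flow.dport} on {flow.dst}"
    return None  # IoT-to-internet, management traffic and intra-IoT traffic are allowed

def parse_flow(line: str) -> Flow:
    # Constructed record format: "<src> <dst> <dport> <proto>"
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def audit(lines: List[str]) -> List[str]:
    # Run every non-empty record through the policy and collect the violations.
    return [v for v in (check_flow(parse_flow(ln)) for ln in lines if ln.strip()) if v]

# Constructed sample flow export (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_FLOWS = [
    "10.20.0.15 203.0.113.10 443 tcp",  # thermostat calling its vendor cloud: allowed
    "10.20.0.15 10.10.0.42 445 tcp",    # IoT device probing a corporate file server: violation
    "10.10.0.7 10.20.0.15 443 tcp",     # admin workstation managing the device over HTTPS: allowed
    "10.10.0.7 10.20.0.15 23 tcp",      # admin workstation using telnet: violation
    "10.20.0.31 10.20.0.15 1883 tcp",   # device-to-device MQTT inside the IoT VLAN: allowed
]
```

Running `audit(SAMPLE_FLOWS)` returns two findings: the IoT device reaching the corporate file server, and the telnet session from the corporate side; both are signs that the VLAN boundary is not being enforced by the firewall.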

2. Use disparate providers

What happens when attackers discover a weakness in your provider’s security measures and exploit it through an open-source attack, a zero-day attack, or another form of exploitation? If all your devices come from the same provider, your exposure is the whole fleet: every device is affected at once. By using different manufacturers, you reduce the exposure to just the devices from the affected manufacturer.

When choosing smart devices, consider branching out to multiple trustworthy providers. Even if device traffic is separated, it’s much harder to manage a security event that spans your entire IoT device fleet than one that affects a single category, like cameras, lighting, or conferencing equipment. Having multiple providers and disparate systems makes it much easier to flush and discard affected devices with minimal interruption and costly downtime. Using multiple providers helps ensure that you won’t be subject to multiple methods of attack from a single vulnerability, and reduces the risk of a total outage stemming from a single open door.

3. Limit access

IoT devices reach out to the internet in random and unexpected ways that the user can’t truly control. Elevators, lights, video conferencing systems, air conditioners, and other smart devices are often present in the same environment, meaning multitudes of computers connected to multiple providers sit in a single location. These devices often have different access rights and connectivity permissions, creating access-control weaknesses on top of those that corporate-issued personal devices are already subject to. That makes it much easier to break into them using credential stuffing and similar methods.

When it comes to IoT, SMS authentication or simple 2FA is no longer a trustworthy way to provide secure access. It’s too easily defeated by phishing, credential stuffing, spear phishing, or password spraying, all methods that let hackers bypass passwords and authentication measures.

FIDO authentication standards are the most trustworthy level of security in high-risk environments like industrial and chemical plants, manufacturing locations, and others. For office-based SMBs, FIDO compliance helps to reduce the number of passwords and fraudulent authentications by providing passkeys, a more secure way to sign in than OTPs, regular passwords, simple 2FA, and other common measures.

Your Best Is Better than Nothing: Attainable, Appropriate Security for SMBs

There are four ways most SMBs react to risk: accept it, reduce it, ignore it, or transfer it to a third party via insurance. While insurance may appear helpful for the time being, attacks are also quickly becoming “uninsurable.”

Insurers dictate the level of risk they are willing to accept, so you’ll need to comply with their parameters–which could be costly in both time and dollars. Besides that barrier, relying on insurance may help with economic damages, but as far as consumer trust and regulatory issues, it won’t be helpful. In the event of a breach, you will likely lose employees, and those who stay will be engaged with the fallout for weeks or months–meaning you lose manpower and focus on business initiatives.

The best ways to approach risk are to be aware that it exists (and in this case, IoT vulnerabilities may be flying under the radar) and to do what’s in your power to reduce it. A mastermind solution or a heavily stacked in-house IT security team is likely unattainable for the average SMB, but options exist to help fill those gaps.

A Virtual CISO, or vCISO, is a valuable option for small or medium-sized businesses. It allows you to call on an expert on a subscription or contract basis to aid in cybersecurity tasks like strategy and budgeting, procurement, troubleshooting, incident response, and more–all without paying a salary or benefits.

Similarly, an MSSP can provide affordable, subscription-based services to an SMB looking for expert monitoring, incident response, and more. Working with an MSSP gives you access to a full team of specialists at a fraction of the cost of hiring.

When it comes to IoT security, it’s best to approach solutions that meet the realistic level of risk for your company. You’ve got to do what you can, and you can do more with UPSTACK. We put a new level of IoT cybersecurity within your reach.

Our team specializes in cybersecurity with an IoT focus, including asset tracking, medical IoT, supply chain management, and other in-demand IoT security services. Whether you’re optimizing management of assets, systems, vehicles, people, processes, workflows, buildings or entire cities, UPSTACK can help you plan your IoT deployment to meet your objectives, evaluate and source best-fit providers for your needs, and deliver ongoing, dedicated customer support. Our advisory partners understand the importance of your IoT deployment security and keeping connected infrastructure protected from vulnerabilities.

Learn more about our IoT solutions at upstack.com and be sure to give episode two of The UPSTACK Podcast, “Cybersecurity,” a listen for other helpful security tips for your organization from Alex Cole, Greg Moss, and guest Ariel Pisetzky.