The future is automated. The future is smart. And the future is all about finding ways to leverage the Internet of Things (IoT).
IoT technology is becoming embedded at a rapid pace in almost every area of our physical environments. From smart power grids that optimize loads and distribution to smart engineering which senses environmental changes or hazards automatically, machine-to-machine (M2M) communications is fast becoming the foundation of a new IoT-based economy.
However, there's another less well-known side to this story. As M2M communications technology becomes more established, and both corporate and public organizations start to rely on its benefits, new cybersecurity risks are emerging.
If you use IoT technology, or you’re thinking about adopting it, recognizing these risks is absolutely essential. That's why we thought it would be useful to run through a few of the top IoT devices targeted by hackers.
What kind of attacks can be mounted against IoT technology?
Before we talk about individual devices, it's helpful to quickly cover some of the ways that cyber-attackers can target IoT systems.
The most important vulnerability concerns machine identities—the unique IDs which integrate IoT devices into networks and allow them to communicate. These identities usually take the form of SSL/TSL certificates, which protect the devices concerned via data encryption.
If these certificates expire (which they all do at some point), the encryption provided rapidly becomes out of date and vulnerable. Attackers can then use these expired certificates to pose as legitimate network actors, gaining access to systems, implanting ransomware, or propagating any other forms of malware.
Along with certificate-based attacks, IoT systems are exposed to human error and insider attacks, networks can be prone to DDoS attacks and "man-in-the-middle" attacks, as well as botnets that can take over entire industrial installations. However, most of those attacks benefit significantly from poor cybersecurity practices regarding machine identities and SSL/TSL certificates.
Keeping that in mind, let's take a closer look at the way cybersecurity relates to some of the most popular IoT devices.
1. Security cameras
Security camera networks were one of the first areas to be affected by the IoT revolution, enabling organizations to automate surveillance of their properties, and mix cameras with thermal or motion sensors to enhance their monitoring abilities.
However, they are also one of the devices most prone to cyber-attacks. Security consultancy SAM Seamless Networks has found that 47% of IoT devices hit by hackers are cameras of some form—way ahead of any other device.
These unsecured cameras could transmit data to thieves or competitors, lose functionality, and breach data protection laws as well. So staying in control of them is vital. But many companies utilize camera networks based around "shadow" systems, separated from their core IT networks. This, combined with poorly maintained machine identities, is often the root cause of camera-related IoT security breaches.
2. Wireless office equipment
Many offices have moved to wireless setups, where printers, copiers, shredders—everything they need for daily operations—is connected to a form of the Internet of Things. This enhances flexibility, reduces physical maintenance needs, and tends to work well. Until a security breach occurs.
Wireless printers, in particular, have been flagged as security risks, enabling attackers to take control and transmit information to third parties. Enterprising attackers have shown that this can be done with ease, even with devices located at the top of office blocks, so all offices are at risk.
3. Telco Infrastructure
The telecommunications industry has been an early adopter of M2M communications, and with good reason. The IoT offers a way to construct smart communications networks that manage data transmission efficiently, automate maintenance tasks, and offer easy scalability.
The problem is that as M2M-based TelCo networks have expanded, so has WiFi offloading. This normally helps cellphone companies to optimize their WiFi operations, but can also open the door to hackers. That's because the nodes which switch traffic from cellphone towers to WiFi networks are often unsigned, lacking the kind of certificates we noted earlier. Without proper protection, they are relatively easy to hijack and exploit, delivering unlimited free WiFi to the attacker.
4. USB Dongles
USB dongles are another area where corporations regularly put their IoT systems at risk without realizing that they are doing so. These accessories are commonly used across all types of organizations to connect computers and communications devices wirelessly. They allow seamless working, reduce the need for cables, and generally make office life easier. But they aren't always safe.
For instance, Logitech Unifying USB dongles have been highlighted especially vulnerable to hackers. In some cases, researchers have found that intruders can hijack keyboards connected via Unifying dongles, giving attackers complete control. In this case, man-in-the-middle attacks are the type to be concerned about, and they can affect any brand of a USB dongle if proper security precautions haven't been taken.
5. Smart Hubs and Home Devices
Finally, hackers are constantly seeking to target the smart devices used in private homes and commercial premises. Again, this affects almost all brands. For instance, the usually security-savvy Korean brand Samsung has been accused of failing to address bugs in its Smart Home systems.
In general, it makes sense to be skeptical about the security claims of smart tech manufacturers—whether we're talking about hotel TV networks or Amazon Echo. And as security expert Matt Pascucci explains, authentication lies at the heart of the weaknesses involved.
As with wireless printers, security cameras, USB dongles, and TelCo networks, smart technology relies on security certificates to guard against attackers. So if there's one takeaway from this list, that should be the imperative need to sharpen up SSL/TLS certificate setups. If not, using the IoS could become a cybersecurity nightmare.