Are your IoT devices secure?
Internet of things (IoT) devices have seen year on year increases in business and personal use because they are usually beneficial in being convenient and easy to use. IoT devices are used for various purposes, from making smart homes to implementing a business’s security system. As with all internet connected devices, some risks could expose the users to external and possibly internal threats from malicious attackers.
Until recently, there was no security standard for IoT devices resulting in a lack of security awareness and focus during development. However, there is now a European IoT standard (ETSI EN 303 645) to ensure a higher focus on security in IoT devices for manufacturers. This does not ensure vulnerabilities will not be present but will help reduce the risk to these devices. Alongside this, security testing should be done to increase awareness of risks that are present.
What risks do your business IoT devices have?
Have you ever tested your IoT devices? These consist of but are not limited to cameras, printers, smart lock devices and security doors. IoT devices are usually not given much priority in testing resulting in more vulnerabilities in the network you are not aware of. Business implementations of IoT usually consist of security related devices or devices used to handle or store sensitive information.
Both of these have direct risks where compromise could lead to attackers gaining sensitive information. However, these are not the only risks. Certain vulnerabilities may give attackers access to the internal network allowing lateral movement and lead to disclosing more sensitive information. In some cases, this can result in complete compromise of your network. Do you want this to happen to you? If not, keep reading.
Should we condemn all IoT devices?
No, but being proactive and understanding what we can do is an excellent first step. The good news is the new European standard for IoT devices will help improve the standard of IoT security before it even reaches your hands.
This includes but is not limited to:
- No universal default passwords
- Minimising the attack surface
- Validation of input data
- Ensuring personal data is secure
- Communications should be done securely
- Installing and maintaining devices should be easy
- There must be a way to report new vulnerabilities
Does this mean IoT devices will be secure? No, but it will reduce the average risk from each IoT device. As you might have realized by now, this is not good enough for long term security, but it is a start. Relying on manufacturers to provide secure devices is easier, but does not guarantee that even basic security requirements will be met.
So, how should you protect devices?
First, get a list of all IoT devices you own and ensure you are aware of how many there are of each. From here, get as many of these IoT devices security tested to find the vulnerabilities missed by the manufacturers.
Next, apply all possible fixes to your IoT devices, and be prepared to remove some from your network if they contain critical risks with no known patches. Risk Crew recommends adding this to your annual testing portfolio. Your security is worth investing in, so make sure you do.
The road less travelled
With the increase in IoT usage, it is important to be aware of what risks they may bring into your business and your home. By increasing your focus on security, you will be more aware of the potential threat and limit risks associated with IoT devices you use. The question now becomes, will you do your best to improve your security? Because we will.
Risk Crew offers a full portfolio of security penetration testing that includes IoT Security Penetration Testing. Visit our webpage or download our brochure to learn more.