Securing IoT Systems

What is IoT security?

Security for the Internet of Things means protecting internet devices and the networks they
connect to from online threats and breaches. This is achieved by identifying, monitoring, and
addressing potential security vulnerabilities across devices. At its simplest, IoT security is the
practice that keeps IoT systems safe.
Why is IoT security important?
The IoT isn’t just about computers or smartphones – almost anything that has an on/off switch
can potentially be connected to the internet, making it part of the Internet of Things. The sheer
volume and diversity of 'things' that comprise the IoT mean that it contains a considerable
amount of user data. All this data has the potential to be stolen or hacked by cybercriminals. The
more connected devices, the more opportunities there are for cybercriminals to compromise your
security. Read more about how the Internet of Things works here.

The consequences of IoT security breaches can be highly damaging. This is because the Internet
of Things affects both virtual and physical systems. For example, think of a smart car connected
to the internet – cybercriminals could hack it to disable certain safety features. As the IoT
becomes more prevalent within industry – hence the term IIoT or Industrial Internet of Things –
cyberattacks can unleash a series of potentially devastating consequences. Similarly, in
healthcare – where the term IoMT or Internet of Medical Things is used – devices can expose
sensitive patient data or even compromise patient safety. In smart homes, compromised devices
could allow criminals to monitor people’s homes.

IoT security challenges

Challenges for IoT and key IoT security concerns include:
Lack of testing and development
Some IoT manufacturers have treated security as an afterthought in their haste to bring products
to market. Device-related security risks may have been overlooked in the development process,
and once launched, there may be a lack of security updates. However, as awareness of IoT
security has grown, so too has device security.
Default passwords leading to brute-forcing
Many IoT devices come with default passwords and these are often weak. Customers who buy
them may not realise they can (and should) change them. Weak passwords and login details
leave IoT devices vulnerable to password hacking and brute-forcing.
IoT malware and ransomware
Given the considerable increase in IoT connected devices in recent years – which is forecast to
continue – the risk of malware and ransomware to exploit them has increased. IoT botnet
malware has been amongst the most commonly seen variants.
Data privacy concerns
IoT devices gather, transmit, store and process a vast array of user data. Often, this data can be
shared with or sold to third parties. While users typically accept terms of service before using
IoT devices, many people don’t read the terms – which means it's not always apparent to users
how their data may be used.
Escalated cyberattacks
Infected IoT devices can be used for distributed denial of service (DDoS) attacks. This is where
hijacked devices are used as an attack base to infect more machines or conceal malicious
activity. While DDoS attacks on IoT devices more commonly affect organizations, they can also
target smart homes.
Insecure interfaces
Common interface issues that affect IoT devices include weak or no encryption or insufficient
data authentication.
The rise of remote working
Er.Binay Kumar Yadav Page 1
 Securing IoT Systems

Following the Covid-19 pandemic, remote working has increased around the world. While IoT
devices have helped many users to work from home, often home networks can lack the security
of organisational networks. The increased usage has highlighted IoT security vulnerabilities.
Complex environments
Research shows that in 2020, the average household in the US had access to 10 connected
devices. All it takes is one overlooked security misconfiguration in one single device to put the
whole household network at risk.

Examples of IoT security breaches

There have been high-profile examples of IoT devices being compromised by cybercriminals in
recent years. These include:
2016: Mirai botnet attack
In 2016, hundreds of thousands of compromised connected devices were pulled into a botnet
called Mirai. A botnet is a network of computers that have been intentionally infected by
malware to carry out automated tasks on the internet without the permission or knowledge of the
computers’ owners. As a result of the Mirai attack, major services and websites such as Spotify,
Netflix, and PayPal were temporarily shut down.
2018: VPNFilter malware
In 2018, VPNFilter malware infected over half a million routers in over 50 countries. VPNFilter
malware can install malware onto devices connected to your router, which collects information
passing through, blocks network traffic, and steals passwords.
2020: Tesla Model X hacked
A cybersecurity expert hacked a Tesla Model X in less than two minutes by exploiting a
Bluetooth vulnerability. Other cars which rely upon wireless keys to open and start have
experienced similar attacks.
2021: Verkada camera feeds hacked
Verkada is a security camera firm. In 2021, Swiss hackers compromised 150,000 of its live
camera feeds. These were cameras that monitored activity inside public sector buildings – such
as schools, hospitals, prisons–and private corporate organizations.

IoT security best practices

To ensure IoT device security and IoT network security, here are some best practices to bear in
mind:
Keep up to date with device and software updates

When buying an IoT device, check that the vendor provides updates and consistently apply them
as soon as they become available. Software updates are an essential factor in IoT device security.
Devices that use out-of-date IoT software are easier for hackers to compromise. Your IoT device
may send you automatic updates, or you might have to visit the manufacturer’s website to check
for them.
Change default passwords on IoT devices

Many people use the same login and password for every device they use. While it's easier for
people to remember, it's also easier for cybercriminals to hack. Make sure every login is unique
and always change the default password on new devices. Avoid using the same password across
devices.
Use strong passwords for all devices and your Wi-Fi network
A strong password is long – made up of at least 12 characters and ideally more – and contains a
mix of characters, such as upper- and lower-case letters plus symbols and numbers. Avoid the
obvious – such as sequential numbers ("1234") or personal information that someone who knows

Er.Binay Kumar Yadav Page 2

 Securing IoT Systems

you might guess, such as your date of birth or pet's name. A password manager can help you to
keep track of your login credentials.
Change your router’s name

If you keep the router name given by the manufacturer, it could allow snoopers to identify the
make or model. Instead, give your router a new name – but make sure that whatever you choose
doesn’t disclose any personal identifiers such as your name or address.
Use a strong Wi-Fi encryption method
Using a strong encryption method for your router settings – i.e., WPA2 or later – will help to
keep your network and communications secure. Older WPA and WEP versions are vulnerable
to brute force attacks. You can read more about WPA versions here.
Set up a guest network

If your router gives you the option, consider creating a guest wireless network, also using WPA2
or later, and protected with a strong password. Use this guest network for visitors: friends and
family may be using devices that have been compromised or infected with malware before using
your network. A guest network helps to enhance your overall home network security.
Check the privacy settings for your IoT devices

Your IoT devices probably come with default privacy and security settings. It’s a good idea to
read through these and change the settings where appropriate to ensure they are set to a level you
are comfortable with. In a similar vein, it’s worth reviewing privacy policies to understand how
the provider stores and uses your personal data.
Keep track of device available features and disable the unused features

Check the available features on your devices and switch off any that you don't use to reduce
potential attack opportunities. For example, consider a smartwatch – its primary purpose is to tell
the time. But it will probably also use Bluetooth, Near-Field Communication (NFC), or voice
activation. If you are not using these features, they provide more ways for an IoT hacker to
breach the device, with no added benefit for the user. Deactivating these features reduces the risk
of cyberattacks.
Enable multi-factor authentication where possible

Multi-factor authentication (MFA) is an authentication method that asks users to provide two or
more verification methods to access an online account. For example, instead of simply asking for
a username or password, multi-factor authentication goes further by requesting additional
information, such as an extra one-time password that the website's authentication servers send to
the user's phone or email address. If your smart devices offer MFA, use it.
Understand what IoT devices are on your home network

Review all devices communicating across your network and understand what they do. Some of
these devices may now be older models – consider whether upgrading to newer devices could
offer greater IoT security features.
Be careful when using public Wi-Fi

You might want to manage your IoT devices through your mobile device when you're out and
about – for example, in a coffee shop, shopping mall, or airport. It's essential to be aware of the
security risks involved in using public Wi-Fi. One way you can mitigate these risks is by using a
VPN.

By being mindful of IoT cyber security and following IoT security best practice, it is possible to
minimize risks.

Er.Binay Kumar Yadav Page 3