The internet of things will undoubtedly lead to a smarter, more connected future. But if there’s anything acting as a threat to this future, it’s the security of the IoT network.
Warren Buffet recently said that cyber attacks are the number one threat facing mankind – far greater than nuclear weapons. While Buffet may not be a cybersecurity expert, his statement isn’t without logic.
Data breaches are occurring more often and costing businesses and consumers billions of dollars every year. Most businesses don’t even discover their data breaches until more than six months have passed. By that time, 90 percent of hackers would have already covered their tracks through encryption.
Are you surprised by the rise in cybercrime? My guess is probably not.
Data acts as the window to our personal lives – making it extremely valuable. Phones, tablets, laptops, smart watches, and more are reservoirs of sensitive data. Through our internet-connected devices, we generate roughly 2.5 quintillion bytes of data every day. As more devices come online, this number is expected to skyrocket.
So, while the internet of things will present new and exciting opportunities, its rapid growth will give way to various cybersecurity issues.
IoT security challenges
One of the more obvious challenges is keeping up with the production of IoT devices. There are more of these devices in use today than there are people in the world, but this number doesn’t even come close to what’s expected by 2020.
Research from GSMA Intelligence estimates there will be at least 20 billion IoT devices up-and-running over the next few years. As 5G mobile networks come online, this number could easily increase.
The math isn’t hard. More devices equal more opportunities for cybercriminals to attack. When these devices become connected within an IoT network, a single vulnerability could lead to thousands of compromised devices – and there are instances in which this has already happened.
Larger and more frequent botnets
A botnet can send spam, steal data, and allow remote access to devices without the owner’s knowledge. One botnet, Mirai, did so by scanning the internet for open telnet ports – a protocol giving access to other devices within the same network.
The 2016 Mirai botnet was powered by 61 default usernames and passwords. You can see the list of these login credentials below, complimentary of CSO.
Once Mirai identified an open port, it would apply these usernames and passwords in an attempt to access and cease control of a device. This tactic is called brute-force and is comparable to someone trying to guess your smartphone’s four-digit passcode.
In just a few days, nearly 400,000 IoT devices were compromised.
The Mirai botnet revealed just how easy it was to brute-force into IoT devices, which was possible due to this next major contributor to cybersecurity issues.
Default passwords have become common
If you’re thinking the Mirai botnet was an isolated incident, just know that default passwords are actually quite common amongst newer IoT devices. As a matter of fact, Positive Technologies states that only five sets of default passwords can be used to invade roughly 10 percent of today’s IoT devices.
For those who are curious, the five passwords are:
admin – Accounting for 36.5 percent of default logins
The default passwords above are so painfully obvious that even the least-tech-savvy users could probably guess a login within 30 minutes.
With weak out-of-box security features, users are expected to take security measures into their own hands. Unfortunately, about 15 percent of all IoT device owners fail to change default passwords – leaving their devices open for attacks.
Even more troubling are devices with hard-coded passwords that cannot be changed by the user. Ben-Gurion researchers experimented with off-the-shelf IoT devices containing hard-coded passwords and were able to brute-force in them within minutes.
“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.” – Professor Yosi Oren
So, what’s the purpose of default passwords? Manufacturers are both trying to meet the high demand for new IoT devices and reduce the time it takes a consumer to set up their device. But is this worth the security risk?
New devices with outdated hardware
Default passwords are only one of two reasons why so many IoT devices today are poorly equipped for future cybersecurity challenges. The second is that the hardware within these devices doesn’t exactly age well.
In its most basic form, an IoT device is really just a “thing” giving off data through microtechnology, sensors, actuators, or other hardware elements. While the software within these devices can be updated and patched, its hardware has physical limits.
Outdated hardware poses an obvious security threat. In 2017, the FDA recalled approximately 465,000 pacemakers due to IoT security concerns. The embedded hardware contained security loopholes that could have allowed the pacemaker to be remotely controlled by hackers.
While this may have been one of the more prominent security threats, it shows just how vulnerable some of these devices are.
Fortunately, the semiconductor industry, which consists of companies that develop things like microchips and processors, is expected to grow exponentially. By 2020, an estimated $34 billion will be spent toward new-and-improved IoT semiconductors – with a focus on hardware security.
The growth of big data
From consumer electronics to manufacturing, IoT devices generate massive amounts of data. This rapid expansion of the digital universe is referred to as big data.
There’s already more data on-hand than we can keep up with. By 2025, an estimated 163 zettabytes, or 163 trillion gigabytes, of data will have been generated. A bulk of this data is expected to come from IoT devices.
Big data isn’t inherently a cybersecurity issue. When applied correctly, big data can aide marketers with more targeted campaigns, help environmentalists see future sustainability, help healthcare professionals predict epidemics, and much more.
Instead, the way big data is managed by companies can pose a security threat. As a matter of fact, over 95 percent of U.S. consumers stated they were concerned with having their personal data in the hands of companies.
With IoT devices exposing more varieties of personal data and data breaches occurring more often, it’s understandable why consumers have grown uneasy.
Securing the IoT
Just like big data, the internet of things will continue to grow and thousands (sometimes millions) of devices will interact with each other over massive networks.
Soon, things like smart cities, autonomous cars, delivery drones, and other farfetched concepts will work in-sync – changing our everyday lives. It’s for this reason why securing devices within the IoT network has become a top priority.
Businesses that rely on the internet of things for future success can turn to IoT management software to safeguard their devices.
For example, equipment failure in an industrial sector like manufacturing, mining, or oil can be extremely time-consuming and costly for a business. With IoT management, sensors embedded within equipment can send alerts regarding poor health or signal a hot-fix – meaning the device requires updating.
Resolving device issues remotely (whether software or hardware-related) has become an increasingly popular way for businesses to manage their IoT environments.
For consumers still using “1234” as their IoT device passwords, it’s probably best to go back and change it to something a bit harder to guess. Until the security of these devices become more robust, most cybersecurity experts recommend taking your own measures.
Interested in learning more about cybersecurity? We compiled the top cybersecurity trends to look out for in 2019.
Devin is a former Content Marketing Specialist at G2, who wrote about data, analytics, and digital marketing. Prior to G2, he helped scale early-stage startups out of Chicago's booming tech scene. Outside of work, he enjoys watching his beloved Cubs, playing baseball, and gaming. (he/him/his)