
Responding to IoT cyber threats - to businesses and individuals alike

3rd May 2022
Kiera Sowery

In the first half of 2021 there were over 1.5 billion IoT-related cyber security attacks – more than double the previous year. Many of these attacks exploit device vulnerabilities and can expose individuals, leading to reputational damage and financial loss for businesses. This article from Iqbal Singh, Founder of Intelligens Consulting, discusses what risks arise from the increasing number of connected devices and what security design considerations can be used to prevent them.

This article originally appeared in the April '22 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.

The numbers are startling

Cybersecurity research firm Kaspersky estimates that over 1.5 billion IoT security breaches occurred worldwide in the first half of 2021. That means over 1 in 5 IoT devices suffered from a security breach in 2021.

While this may seem a staggering number, what’s more startling is that this represents a 136 percent increase in IoT security breaches compared to the previous year and it is likely to get worse before it improves due to the significant continued growth in IoT device deployment.

To put these numbers into context, in the UK alone, around 55 million IoT devices out of an install base of 253 million were compromised, compared to just 1,324 cybersecurity incidents in 2021. These figures show that IoT security breaches dwarf regular forms of cybersecurity breaches. This makes IoT cybersecurity the number one concern for users, manufacturers, service providers and policy makers.

What do these attacks look like?

Almost three out of five IoT security breaches leveraged telnet: a computer protocol that was built for interacting with remote computers and can be used to connect to open ports.

As a result of this, individuals are exposed to threats such as invasion of privacy, as well as, of course, harm to their wellbeing. Meanwhile, cyber attacks on businesses can lead to reputational damage and financial loss.

A study by DCMS (the UK Government’s Department for Digital, Culture, Media & Sport) in early 2020 looking into IoT cyber security vulnerabilities shows how one attack using malware cracked default passwords on security cameras and digital video recorders that were connected to public Wi-Fi networks. The attacker achieved this by exploiting an open telnet server, and in addition to gaining unauthorised access to personal video footage, they were also able to spread further malware, mine bitcoin, and launch DDoS attacks.

In another example, the owner of a popular smart doorbell found out that his ex-partner had been accessing and downloading video from his smart doorbell to monitor his activities and physically abuse him.

And again, it’s not just consumers but businesses that are also affected. According to the DCMS study, an architecture firm using smart (i.e. internet-connected) drawing pads became vulnerable due to the devices’ poor security practices. The pads were exploited by attackers to hack devices and launch DDoS attacks that overwhelmed the firm with vast amounts of requests for information.


Many cybersecurity breaches are a result of attackers being able to exploit vulnerabilities in IoT devices, routers, and cameras. The problem is made worse by poor password hygiene or by IoT devices that are unable to receive security updates once they have left the factory floor.
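The weaknesses described above (an open telnet service, unchanged default passwords, and devices that no longer receive security updates) can be checked against a device inventory. The following is an added example, not part of the original article; the CSV column names and the sample devices are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real devices); column names are assumptions.
SAMPLE_INVENTORY = """\
name,open_ports,password_changed,updates_until
lobby-camera,23;80,no,2021-06-30
dvr-01,22;443,yes,2026-01-31
doorbell,443,no,
drawing-pad-3,23,yes,2027-12-31
"""

TELNET_PORT = 23  # the protocol the article says most breaches leveraged


def audit_device(row, today):
    """Return the list of findings for one inventory row."""
    findings = []
    ports = {int(p) for p in row["open_ports"].split(";") if p.strip()}
    if TELNET_PORT in ports:
        findings.append("telnet port 23 open")
    if row["password_changed"].strip().lower() != "yes":
        findings.append("default password still set")
    until = row["updates_until"].strip()
    if not until:
        # No date on record: the support period has not been disclosed.
        findings.append("update support period not disclosed")
    elif date.fromisoformat(until) < today:
        findings.append("security updates ended " + until)
    return findings


def audit_inventory(text, today):
    """Map device name -> findings, for devices with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_device(row, today)
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_INVENTORY, date(2022, 5, 3)).items():
        print(f"{name}: {'; '.join(found)}")
```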

Responding to the threats to individuals and businesses

From a policy perspective, the UK Government introduced the Product Security and Telecommunications Infrastructure bill in Parliament in November 2021 (scheduled for a second reading in the Commons on the 26th of January 2022).

The bill will ban default passwords and will require manufacturers to disclose the minimum amount of time a product will receive vital security updates.

The bill, if passed, will require IoT manufacturers, importers, and distributors of smart connected products to meet best practice cybersecurity standards. However, the bill does not cover routers, connected vehicles, smart meters, medical devices and desktop and laptop computers.

While such omissions may be critical, IoT security should not be limited to just devices. Communications networks need to have access controls, firewalls, and end-to-end encryption to distribute device-generated data securely. Analytics platforms and cloud applications require multi-factor authentication to protect against data theft.


 
