
IoT devices (Internet of Things) have changed how we live and work beyond recognition in just a few short years. But with the accelerated evolution and rapid uptake of these new technologies comes a wave of new and significant threats users must be aware of and protect themselves against.

The expansion of IoT capabilities and widespread adoption of this new technology in domestic and commercial settings mean IoT devices have many formats, features, and applications—including smart home systems, industrial controls, and even medical devices. It is predicted that there will be 20.1 billion active IoT devices by 2025, prompting even more concern over their vulnerability and exposure to cyberattacks. This makes the potential impact of IoT threats much more far-reaching and disruptive.

What are the potential consequences of IoT cyberattacks for individuals and organisations?

The threat of IoT cyberattacks is a serious concern in both domestic and commercial settings. Because they are growing in number and revealing more potential weak spots cybercriminals can exploit, IoT devices are increasingly being targeted by sophisticated and damaging malicious activity.

IoT attacks can compromise device functionality and viability for personal users, but the effects are usually much more insidious. As with many hacks, most users only realise their data has been compromised when they find it being used by someone else.

The consequences can be much more severe in commercial or public service settings, where significant harm to the company, its workers, and customers is a real possibility. Cyber threats to IoT systems can result in many worst-case scenarios that can be difficult to recover from, including data breaches, financial losses, fines, reputational damage, operational disruption, or total downtime. In some cases, the disruption is significant enough to cause lasting damage.

Larger companies often become the focus of more organised, targeted cyberattacks as they represent a higher reward. However, many smaller businesses are seen as 'low-hanging fruit' by hackers and cybercriminals because they rely on a network of systems and software but generally lack sufficient security protocols to protect themselves adequately.

Common IoT attack vectors

Common attack vectors within IoT technology include data theft (personal identity information, names, addresses and contact information); Distributed Denial-of-Service (DDoS) attacks, which can disrupt or take down entire networks; and man-in-the-middle (MITM) attacks, where undetected hackers infiltrate systems and secretly intercept private internal and external communications to then use or edit information maliciously. How these attacks are carried out can differ between criminal groups and devices.

Cybercriminals can infiltrate and compromise IoT devices in several ways, and because of how the devices are configured, they're often able to do so remotely. You'd expect IoT devices, as a modern technology, to have robust built-in security features. Still, a combination of insufficient protection in this area and a lack of user awareness around security contributes to the uptick in cyberattacks against IoT technologies.

The first issue is that domestic IoT devices are typically shipped with easy-to-guess default passwords – more often than not, these are never changed (despite the manufacturer's instructions recommending that they are). Failing to update firmware and software regularly is the next concern – unpatched vulnerabilities open up your devices to several common cyber threats. Many people aren't aware of the security risks late updates pose. And because these devices are usually in almost constant use, updates are often seen as an inconvenient task, put off continuously until an issue occurs.

Real-world examples of IoT attacks

Case studies covering previous significant cyberattacks and criminal activity can teach us a lot. These help us identify the technological sources of a breach and any behavioural or user-related errors or issues that can infiltrate, corrupt, or compromise a device. They also illustrate the potential impact of these threats, raising awareness of the real risk cybersecurity breaches can pose.

Mirai Botnet

In 2016, the Mirai Botnet attack brought down French telecom giant OVH's systems and caused widespread internet outages. The initial DDoS attack concerned experts, who noted it was 100 times larger than anything they'd seen before. Within a month, DNS provider Dyn was also hit with an unprecedentedly powerful DDoS attack. The impact was so huge that it led to over 170,000 websites going down and a drop in internet quality across Europe and the Eastern US. Huge hacking groups, and even governmental involvement from hostile nations, were suspected due to the scale and sophistication of the attack.

Mirai is a type of malware (malicious software) that infects smart devices and, through exploiting the network, effectively takes them over for remote control. This cyberattack was significant because it was one of the first that specifically targeted IoT devices as opposed to high-ticket hardware like computers and servers. A botnet is a network of hijacked computers controlled by one central source—in this case, Mirai was running an automated script through a vast network of devices to cause swift and extensive damage.

The Mirai Botnet was eventually brought down after the FBI's extensive investigation revealed its creators' identities. Some good did come of the incident, in that the cybercriminals responsible put their knowledge of exploiting networks to good use and helped to develop WatchTower, an IoT honeypot designed to lure and trap hackers and keep others safe from similar types of attack.

The Jeep smart control hack

One area where smart devices are often forgotten about is the motor industry. All modern vehicles feature smart technology to some degree, designed to enhance user experience and safety – but as these systems become more sophisticated (and can be remotely monitored and controlled), the risk to drivers increases. In the Jeep hack in 2015, researchers Charlie Miller and Chris Valasek demonstrated that they could remotely take complete control of the vehicle by covertly infiltrating the car's IoT software, using a hacking technique known as a 'zero-day exploit'. In a feature for Wired, the pair hijacked a Jeep Cherokee driven by journalist Andy Greenberg, first exploiting the vehicle's entertainment system and then taking over controls including air conditioning, brakes, steering and transmission from a property 10 miles away. Other successful attempts have been made since, prompting Jeep and other manufacturers to uplevel their in-built security systems.

The Stuxnet incident

IoT attacks pose a collective and individual risk – but there could also be much wider consequences where technology has military or governmental applications. In 2010, the powerful computer worm Stuxnet targeted Iranian nuclear facilities, causing significant damage and subsequently triggering a global diplomatic crisis. Stuxnet is widely thought of as the world's first-ever 'cyberweapon', created in collaboration with the US and Israeli intelligence.

What can individuals and organisations do to protect themselves from IoT attacks?

Conduct a Device Inventory

Organisations need to know what IoT devices exist on their networks, what they do, and how they are configured. To do this effectively, a device inventory or asset register should be created that accounts for all known devices in operation.

Keep Firmware and Software Updated

The IoT-connected devices then need to be configured securely. This can be a lengthy process involving multiple considerations, and it is recommended to refer to IoT security best-practice standards and regulations such as ETSI EN 303 645 to help you thoroughly risk-assess a device.

The two quickest and most effective considerations that can be made immediately are:

Ensure the device's firmware and software are supported and up to date

Ensure there are no default authentication credentials in use

Changing default credentials

The second key to effective security for IoT devices is ensuring that the device is not using any default credentials.

The use of default passwords is inherently unsecure, as default passwords are usually readily available online.

Some IoT devices use default credentials to ease the set-up of the device itself – however, if the device does not force the user to change the default credentials after set-up, the user now has a fully functioning unsecure device on their network.

Securing your Wi-Fi network

A Wi-Fi router is itself an IoT device and serves as the primary communication channel for other devices. Therefore, a router should not be overlooked when considering IoT security measures.

Consider changing the name (SSID) and password of the Wi-Fi router from the factory default to something unique.

Consider enabling the network encryption feature on your router which is usually turned off by default.

Further Wi-Fi configuration tips include disabling remote management, disabling Wi-Fi protected set up (WPS) and disabling universal plug and play (UPnP).

Implementing Network Segmentation

It may be advisable to separate IoT devices from the main network.

This approach enhances security by limiting access and controlling the flow of traffic between segments, thereby reducing the potential impact of security breaches and the usefulness of an unsecure entry point.
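The checks from the sections above (inventory, firmware support, default credentials, router settings and segmentation) can be run over an asset register, as in this added example, which is not part of the original article. The CSV columns, device names, versions and VLAN numbers are constructed assumptions.

```python
import csv
import io

# Constructed sample asset register; column names and values are assumptions.
INVENTORY_CSV = """\
name,type,ip,vlan,firmware,latest_firmware,vendor_supported,default_creds,wps,upnp,remote_mgmt,wifi_encryption
lobby-cam,camera,10.0.0.21,10,1.2.0,1.4.3,yes,yes,,,,
hvac-ctrl,controller,10.0.50.7,50,3.10.1,3.10.1,yes,no,,,,
office-router,router,10.0.0.1,10,2.0.9,2.0.10,yes,no,on,on,off,wpa2
old-printer,printer,10.0.50.9,50,0.9,0.9,no,no,,,,
"""
MAIN_VLAN = 10  # assumption: the VLAN carrying staff laptops and servers


def parse_version(text):
    """Turn '3.10.1' into (3, 10, 1) so that 3.10 sorts after 3.9."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev):
    """Return the list of findings for one inventory row."""
    findings = []
    if dev["vendor_supported"] != "yes":
        findings.append("firmware no longer supported by vendor")
    elif parse_version(dev["firmware"]) < parse_version(dev["latest_firmware"]):
        findings.append(f"firmware {dev['firmware']} behind {dev['latest_firmware']}")
    if dev["default_creds"] == "yes":
        findings.append("default credentials in use")
    if dev["type"] == "router":
        for key, label in (("wps", "WPS"), ("upnp", "UPnP"), ("remote_mgmt", "remote management")):
            if dev[key] == "on":
                findings.append(f"{label} enabled")
        if dev["wifi_encryption"] in ("", "none", "open"):
            findings.append("Wi-Fi encryption disabled")
    elif int(dev["vlan"]) == MAIN_VLAN:
        findings.append("IoT device on main network segment")
    return findings


def audit_inventory(csv_text):
    """Map device name -> findings, for devices with at least one finding."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {dev["name"]: audit_device(dev) for dev in rows}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY_CSV).items():
        print(name, "->", "; ".join(findings))
```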

IoT Certifications

Currently, there are 17.08 billion IoT devices in use globally, and the vast majority of them are unsecure out of the box.

If you are a buyer of IoT devices, consider whether the device you are purchasing has a PSTI statement of compliance accompanying it, or an IoT certification such as the IASME IoT Cyber Scheme or BSI Kitemark, to confirm the security capabilities of the device.

If you are an IoT manufacturer or distributor, then the IASME IoT Cyber Scheme can ensure you are compliant with the UK's PSTI Act that became law in April 2023.

The IoT Cyber Scheme aligns with all 13 provisions of the worldwide standard in IoT cyber security, ETSI EN 303 645, and with the current UK IoT security legislation and guidance.

Resources for IoT and the PSTI regulation

If you want more information about the legislation and its impact, we have a resources page that is a great starting point.

You can, of course, also contact Secarma at enquiries@secarma.com and we'll be happy to help.

 
