As threats to IoT devices evolve, can security keep up?

Internet of Things (IoT) devices are some of the least secure connected machines, but they are also becoming ubiquitous in our lives. The McKinsey Global Institute estimates that 127 new IoT machines go online every second. Data from CUJO AI research shows the significant presence of these gadgets in Western households, where an average consumer home has upwards to 20 online-capable devices.

As we become more connected and 5G-enabled smart city solutions with even more points of connection proliferate, are we putting our connected lives at risk? To even start answering this question, we first have to realise that the IoT threat landscape is not stagnant.

The myth of perpetual, unchanging threats

Hardly a week goes by without an article about a new type of IoT device being hacked: internet protocol (IP) cameras, baby monitors, light bulbs, even rifles.

Nevertheless, the IoT security landscape has progressed a lot since 2010, even if the perception of IoT vulnerabilities has largely stayed the same. It’s true that people are still playing VNC roulette - trying to remotely access devices at random – or even attempting to hijack cars. For the most part, however, the public image of IoT threats is perpetuated by the media and attention-hungry security researchers. Scary headlines drive clicks.

The real truth is that a decade of threats and increased awareness has pushed IoT security to change course. Some of these changes are welcome, while others provoke mixed feelings among security researchers.

Growth, data collection and shifting security challenges

A decade and a half ago, it was hard to find a smart household device, now it’s hard to find one that is not smart. More than 70% of TVs sold today are smart, and even the “dumb” ones can stream online content through Roku or other smart devices. Analysts predict a compound annual growth rate for Internet Connected Devices of 11% by 2023.

Although some of these devices have useful features, a key driver for developing smart devices is data collection. Some vendors even sell devices with data collection features at a lower price. Customer privacy is a wholly different topic, but it must be noted that having an additional point of contact and connectivity for data collection creates an additional risk vector. To put it simply: the risk of a home network getting hacked increases in line with the number of connected devices, especially if we take IoT devices' long lifespans into account.

Nevertheless, there have also been positive changes in the IoT industry. IP cameras were once notorious hacking targets due to glaring vulnerabilities like open telnet ports. Nowadays, as devices such as these tend to operate via the cloud only, attacking them is more difficult because they do not usually have open ports or hardcoded default credentials and so are more secure.

Cloud connectivity may create more threats than solutions

Cloud connectivity has generally been good for security, but it is important to note that it is a key enabler for data collection in the IoT sector. Also, while the move towards cloud services may have solved some glaring security issues, new ones appear almost instantly.

If a device can only work with an internet connection to cloud servers, operational risk becomes a concern – what happens if the servers go down? Cloud dependency has rendered many devices non-functional in recent years, from smart pet feeders, to home temperature control and security devices, doorbells and vacuum cleaners.

Devices can also be hacked en masse through cloud connectivity. One researcher was able to generate valid camera IDs, use those IDs to connect to a device login screen and guess owners’ passwords or bypass the authentication altogether.

IoT security depends on good practices, which are still not followed by many developers. Standard username and password combinations remain common, as does password reuse. This leaves systems and accounts vulnerable because malicious actors can use that information to target IoT systems. This happened with Ring doorbells before its provider offered two-factor authentication, which significantly reduces the chances of a successful attack, according to our experience at CUJO AI. Sadly, not all IoT service providers offer multi-factor authentication.

Hacking centralised cloud services is also more lucrative for criminals. Once a cloud camera service provider is breached, hackers might be able to access all cameras operated by a provider and then sell that access. The recent case of 150,000 hacked Verkada cameras is a good example of this type of breach.

Another development in the IoT threat landscape is the shift towards targeting higher-value cloud-enabled devices, such as Network Attached Storage (NAS). Criminals focus more on the vulnerabilities of these devices and use them to install ransomware that encrypts the victim’s backups, such as family photos and videos. According to data from CUJO AI Labs, NAS adoption is stable at around 0.2-0.3% of all online devices, which makes it a common, but not pervasive target.

The near-term future of IoT threats and security

The growing number of connected devices is forcing the long-overdue transition to Internet Protocol version 6 (IPv6) addresses. As more Internet Service Providers (ISP) support IPv6 by default, IoT devices will be able to connect to the internet directly rather than operating on private networks. Unfortunately, few of these devices will be powerful enough to run any antivirus or antimalware software. As such, we expect to see more instances of attackers connecting directly to these devices from the internet.

ISPs could block such connections at the gateway (the router) or by adopting better network monitoring solutions, but it is unclear how many ISPs will be willing and able to do this. We will find out whether these new IoT threats appear at the ISP level in the very near future, although hopefully not as part of a new research article about an in-the-wild IPv6 botnet.