The IoT market size in Europe is estimated to reach €242,222 million by the end of 2020. The rising popularity of IoT-connected devices, and the growth in IoT app development that follows it, comes with its fair share of concerns and security challenges.
As manufacturers compete over who gets the latest device into the hands of consumers first, very few of them are considering the security issues associated with data access and management, or with the IoT devices themselves.
But what are the largest security challenges currently plaguing the field of IoT-connected devices?
1. Insufficient testing and updating
Currently, there are over 23 billion IoT-connected devices worldwide. This number will rise further to reach 30 billion by 2020 and over 60 billion by the end of 2025. This massive wave of new gadgets doesn’t come without a cost.
In fact, one of the main problems with tech companies building these devices is that they are too careless when it comes to handling device-related security risks. Most of these devices and IoT products don’t get enough updates, while some don’t get updates at all.
This means that a device that was once thought of as secure when the customers first bought it becomes insecure and eventually prone to hackers and other security issues.
Early computer systems had this same problem, which was somewhat solved with automatic updates. IoT manufacturers, however, are more eager to produce and deliver their devices as fast as they can, without giving security too much of a thought.
Unfortunately, most manufacturers offer firmware updates only for a short period of time, only to stop the moment they start working on the next headline-grabbing gadget. Even worse, they use unsupported legacy Linux kernels.
This leaves their trusted customers exposed to potential attacks as a result of outdated hardware and software.
To protect their customers against such attacks, manufacturers need to test each device properly before launching it to the public and then update it regularly.
Failing to do so is bad for both the companies and their consumers, as it only takes a single large-scale breach in consumer data to completely ruin the company.
2. Brute-forcing and the issue of default passwords
The Mirai botnet, used in some of the largest and most disruptive DDoS attacks, is perhaps one of the best examples of the issues that come with shipping devices with default passwords and not telling consumers to change them as soon as they receive them.
There are some government reports that advise manufacturers against selling IoT devices that come with default (read, hackable) credentials, such as “admin” as the username and/or password.
That said, these are nothing more than guidelines now, and there aren’t any legal repercussions to incentivize manufacturers to abandon this dangerous practice. Weak credentials and login details leave nearly all IoT devices vulnerable to password hacking and brute-forcing in particular.
The only reason why Mirai malware was so successful is that it identified vulnerable IoT devices and used default usernames and passwords to log in and infect them.
Therefore, any company that uses factory default credentials on its devices is placing both its business and assets, and its customers and their valuable information, at risk of a brute-force attack.
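The two mitigations this section points to, refusing remote logins while a factory default is still set and slowing down brute-forcing, can be sketched as follows. This is an added example, not code from the article or from any vendor; the class name, the deny list and the policy values are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed deny list; "admin"/"admin" is the pair the article mentions.
FACTORY_DEFAULTS = [("admin", "admin"), ("root", "root")]
MAX_FAILURES = 5        # assumed policy: failed attempts allowed per source
LOCKOUT_SECONDS = 300   # assumed policy: lockout length once the limit is hit


class LoginGate:
    """Hypothetical gate in front of a device's remote management login."""

    def __init__(self, username, password, clock=time.monotonic):
        self.username = username
        self.clock = clock
        self.failures = {}  # source address -> (failure count, time of last failure)
        self._store(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _store(self, password):
        self.salt = os.urandom(16)
        self.stored = self._hash(password)  # only a salted hash is kept
        self.default_in_use = (self.username, password) in FACTORY_DEFAULTS

    def set_password(self, new_password):
        if len(new_password) < 12 or (self.username, new_password) in FACTORY_DEFAULTS:
            raise ValueError("password is too short or a factory default")
        self._store(new_password)

    def remote_login(self, source, username, password):
        if self.default_in_use:
            return "refused"  # no remote access until the default is changed
        count, last = self.failures.get(source, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.clock() - last < LOCKOUT_SECONDS:
                return "locked"
            count = 0  # lockout expired, start a fresh count
        same_user = hmac.compare_digest(username.encode(), self.username.encode())
        same_pass = hmac.compare_digest(self._hash(password), self.stored)
        if same_user and same_pass:
            self.failures.pop(source, None)
            return "ok"
        self.failures[source] = (count + 1, self.clock())
        return "denied"
```

The lockout is tracked per source address, so it slows a single scanner but not a distributed botnet; the refusal to serve remote logins on a factory default is the control that addresses the Mirai pattern directly.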
3. IoT malware and ransomware
As the number of IoT-connected devices continues to rise in the following years, so will the amount of malware and ransomware used to exploit them.
While traditional ransomware relies on encryption to completely lock users out of different devices and platforms, there’s an ongoing hybridization of both malware and ransomware strains that aims to merge the different types of attack.
The ransomware attacks could potentially focus on limiting and/or disabling device functionality and stealing user data at the same time.
For example, a simple IP camera is ideal for capturing sensitive information from a wide range of locations, including your home, work office or even the local gas station.
The webcam can then be locked and footage funneled to an infected web address which could extract sensitive data using the malware access point and demand ransom to unlock the device and return the data.
The ever-increasing number of IoT devices will give birth to unpredictability with regard to future attack permutations.
4. IoT botnets aiming at cryptocurrency
The heated mining competition, coupled with the recent rise of cryptocurrency valuations, is proving too enticing for hackers trying to cash in on the crypto-craze.
While most find blockchain resistant to hacking, the number of attacks in the blockchain sector seems to be increasing. The main vulnerability isn’t the blockchain itself, but rather the blockchain apps developed to run on it.
Social engineering is already being used to extract usernames, passwords, and private keys, and we’ll see it being used more often in the future to hack blockchain-based apps.
The open-source cryptocurrency Monero is one of the many digital currencies currently being mined with IoT devices. Some of the hackers have even repurposed IP and video cameras to mine crypto.
Blockchain breaches, IoT botnet miners and manipulation of data integrity pose a huge risk of flooding the open crypto-market and disrupting the already volatile value and structure of cryptocurrencies.
IoT applications, structures, and platforms relying on blockchain technology need to be regulated and constantly monitored and updated if we are to prevent any future cryptocurrency exploits.
5. Data security and privacy concerns (mobile, web, cloud)
Data privacy and security continue to be the single largest issue in today’s interconnected world. Data is constantly being harnessed, transmitted, stored and processed by large companies using a wide array of IoT devices, such as smart TVs, speakers and lighting systems, connected printers, HVAC systems, and smart thermostats.
Commonly, all this user data is shared between or even sold to various companies, violating our rights to privacy and data security and further driving public distrust.
We need to set dedicated compliance and privacy rules that redact and anonymize sensitive data before it is stored, and that disassociate IoT data payloads from information that can be used to personally identify us.
Cached and no longer needed data should then be disposed of securely. If the data is stored, then the largest challenge is in compliance with various legal and regulatory structures.
The same practice should be employed with mobile, web and cloud applications and services used to access, manage and process data associated with IoT devices.
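A sketch of the redaction step described above, applied to a telemetry payload before it is stored. This is an added example, not code from the article; the field names, the sample payload and the key are constructed, and it uses keyed pseudonyms (HMAC) for identifiers that still need to be joinable across records.

```python
import hashlib
import hmac

# Field names are assumptions about a constructed payload, not a real schema.
DIRECT_IDENTIFIERS = {"owner_name", "email", "ip_address"}  # dropped outright
PSEUDONYMIZED = {"device_id", "account_id"}                 # replaced by keyed hashes
COORDINATES = {"lat", "lon"}                                # coarsened


def pseudonym(value, key):
    """Keyed hash: stable for joins, but not recomputable without the key.

    A plain SHA-256 of a device ID can be reversed by enumerating the ID space.
    """
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:32]


def sanitize(payload, key):
    """Return a copy of a telemetry payload with identifying fields removed."""
    clean = {}
    for field, value in payload.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in PSEUDONYMIZED:
            clean[field] = pseudonym(value, key)
        elif field in COORDINATES:
            clean[field] = round(float(value), 1)  # one decimal, roughly 11 km
        elif isinstance(value, dict):
            clean[field] = sanitize(value, key)    # nested objects get the same rules
        else:
            clean[field] = value
    return clean


# Constructed sample reading from a smart thermostat.
SAMPLE = {
    "device_id": "thermo-0042",
    "owner_name": "Jane Example",
    "email": "jane@example.com",
    "ip_address": "192.0.2.10",
    "location": {"lat": 48.85837, "lon": 2.29448},
    "temperature_c": 21.5,
}

if __name__ == "__main__":
    print(sanitize(SAMPLE, key=b"constructed-demo-key"))
```

The key has to live outside the data store it protects; anyone holding both can re-link pseudonyms to devices.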
Secure development of mobile and web-based IoT applications can be quite difficult for small companies with limited budgets and manpower.
As we already mentioned, most manufacturers tend to focus solely on getting the app and device on the market fast to attract even more funding and start growing their user base.
Unless you want to risk a major breach of security and ruin your brand authority and trustworthiness, you might want to consider going through a directory of mobile and web development companies and finding the best one to help you iron out the kinks that come with multi-layered data management and its security.
6. Small IoT attacks that evade detection
The largest IoT-based botnet two years ago was the Mirai botnet. In 2017, it was the Reaper, a significantly more dangerous botnet than the famed Mirai.
As important as large-scale attacks can be, what we should be fearing in 2018 are the small-scale attacks that evade our detection.
We are guaranteed to see more and more micro-breaches slipping through the security net in the next couple of years.
Instead of using the big guns, hackers will most likely be using subtle attacks small enough to let the information leak out instead of just grabbing millions and millions of records at once.
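Why small leaks slip past a per-transfer alert, and how a cumulative window per device and destination catches them, is shown in the added example below. It is not from the article; the log format, thresholds, device names and flow records are all constructed.

```python
from collections import defaultdict

PER_FLOW_ALERT_BYTES = 5_000_000   # assumed classic "large transfer" threshold
WINDOW_SECONDS = 24 * 3600         # assumed look-back window
WINDOW_ALERT_BYTES = 20_000_000    # assumed budget per device and destination


def parse(line):
    """Parse 'epoch_seconds device destination bytes_out' (constructed format)."""
    ts, device, dest, nbytes = line.split()
    return int(ts), device, dest, int(nbytes)


def large_flows(lines):
    """Per-flow rule: only sees transfers that are big on their own."""
    return {(d, dst) for _, d, dst, n in map(parse, lines) if n >= PER_FLOW_ALERT_BYTES}


def slow_leaks(lines):
    """Flag device/destination pairs whose sliding-window total exceeds the budget."""
    history = defaultdict(list)   # (device, dest) -> [(ts, bytes)] inside the window
    totals = defaultdict(int)
    flagged = set()
    for ts, device, dest, nbytes in sorted(map(parse, lines)):
        key = (device, dest)
        history[key].append((ts, nbytes))
        totals[key] += nbytes
        # Expire records that have fallen out of the look-back window.
        while history[key][0][0] <= ts - WINDOW_SECONDS:
            totals[key] -= history[key].pop(0)[1]
        if totals[key] >= WINDOW_ALERT_BYTES:
            flagged.add(key)
    return flagged


def sample_flows():
    """Constructed records: one camera sends 1 MB every 30 minutes for a day."""
    lines = [f"{1_700_000_000 + i * 1800} cam-17 203.0.113.50 1000000" for i in range(48)]
    lines.append("1700003600 tv-02 198.51.100.20 6000000")    # one large upload
    lines.append("1700007200 thermo-03 198.51.100.30 40000")  # ordinary telemetry
    return lines


if __name__ == "__main__":
    print("per-flow rule:", large_flows(sample_flows()))
    print("window rule:  ", slow_leaks(sample_flows()))
```

On the sample data the per-flow rule flags only the single large upload, while the window rule flags the camera whose individual transfers never reach the per-flow threshold.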
7. AI and automation
As IoT devices continue to invade our everyday lives, enterprises will eventually have to deal with hundreds of thousands, if not millions of IoT devices. This amount of user-data can be quite difficult to manage from a data collection and networking perspective.
AI tools and automation are already being used to sift through massive amounts of data and could one day help IoT administrators and network security officers enforce data-specific rules and detect anomalous data and traffic patterns.
However, using autonomous systems to make autonomous decisions that affect millions of functions across large infrastructures such as healthcare, power and transportation might be too risky, especially once you consider that it only takes a single error in the code or a misbehaving algorithm to bring down the entire infrastructure.
As you can see, most of these challenges revolve around two things: keeping IoT secure against attacks and keeping user data secure against theft.
Both of these challenges can be resolved with strict legal and regulatory frameworks aimed at manufacturers, with large fines and working restrictions for those who do not follow said frameworks.