In recent years, the default protocol for Internet traffic has changed to IPv6, which offers an unfathomably large pool of 128-bit addresses to assign to devices on Earth’s biggest network, the Internet. How big is it? Large enough, one engineer once calculated, to assign a unique address to every atom on the surface of the earth and still use less than 1% of the available pool.
Sometimes it seems the Internet of Things (IoT) is trying its best to use every one of those trillions of trillions of addresses. Today, consumers can buy Internet-connected products in an endless range of categories: cars, exercise equipment, smartwatches, surveillance cameras, doorbells, coffee makers, refrigerators, and even fish tanks. Enterprises are likely to deploy smart lighting and HVAC systems to keep energy costs down; networked security cameras to monitor activity in offices and factories; and smart locks throughout every corporate building, to keep outsiders outside. Meanwhile, an ever-expanding range of devices like video conferencing hardware, printers, and (naturally) coffee makers are onboarded to corporate networks and assigned their own IPv6 address every day.
As long as everything works, all that interconnectedness is wonderfully convenient. But it’s terrifying to security professionals, who see each of those devices as a potential entry point into the corporate network.
That’s not just theoretical dread, either. On a corporate network, or in a modern apartment building, or even on the street, that huge collection of IoT devices makes for a target-rich environment. If an attacker can successfully connect to a device, he can try to install software or hop to another node on the network where he can take advantage of a different vulnerability.
Weaknesses in IoT security can affect your business in a variety of ways. Does your product include Internet-connected features enabled by third parties? If so, you’re potentially vulnerable to security missteps that those partners make. If you use IoT devices in your business, they’re as much a part of your network as a PC, a router, or a smartphone, and should be secured just as carefully.
Even a company developing some of the most sophisticated hardware in the world can fall to a persistent attacker, as automaker Tesla discovered in late 2020. A security researcher discovered a flaw in the keyless entry system for the company’s Model X that allowed him to connect to a Model X key fob over Bluetooth, rewrite the device’s firmware, and unlock the victim’s car. Exploiting a second vulnerability in the car allowed the researcher to drive away within 60 seconds.
In both cases, the attack succeeded because the system allowed critical activities without checking for cryptographic signatures on the firmware and on the key fob.
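To make the missing check concrete, the following added example (not the page's, Tesla's, or any vendor's code) shows the verify-before-flash step a key fob or any other IoT device should run on a firmware image. The image layout, the `FWIM` magic, and the function names are assumptions; the signature scheme is Ed25519 from Go's standard library, with the private key held only by the vendor's build system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not a real vendor format):
// [4-byte magic "FWIM"][4-byte big-endian version][payload][64-byte Ed25519 signature]
// The signature covers magic, version and payload, so none of them can be altered.
const magic = "FWIM"
const sigLen = ed25519.SignatureSize

// BuildImage signs an image with the vendor's private key at build time; the
// private key never exists on the device, so the device cannot forge images.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the check a device must pass before writing anything to flash.
// currentVersion is the installed version; older or equal versions are rejected
// so an attacker cannot roll the device back to a release with known flaws.
func VerifyImage(pub ed25519.PublicKey, image []byte, currentVersion uint32) (uint32, []byte, error) {
	if len(image) < 8+sigLen {
		return 0, nil, errors.New("image too short")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if string(body[:4]) != magic {
		return 0, nil, errors.New("bad magic")
	}
	// Verify before trusting any header field: the version is only meaningful once signed.
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature verification failed")
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= currentVersion {
		return 0, nil, errors.New("rollback rejected")
	}
	return version, body[8:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("constructed payload"))
	_, _, err := VerifyImage(pub, img, 1)
	fmt.Println("genuine image:", err) // prints <nil>
	img[len(img)-sigLen-1] ^= 0x01 // flip one payload byte, as a tampered image would
	_, _, err = VerifyImage(pub, img, 1)
	fmt.Println("tampered image:", err)
}
```

The same check applies to the key fob's Bluetooth update path: a fob that only accepts images passing VerifyImage cannot have its firmware rewritten by anyone without the vendor's signing key.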
Even when the IoT device is performing properly, flaws on the network side can be damaging. Take the case of Verkada, a cloud-based start-up that manages surveillance cameras for 24,000 organizations in the United States. According to a Washington Post report, the client list included “a vast cross-section of American life, including schools, offices, gyms, banks, health clinics and county jails.” And a Tesla factory.
Attackers from a European “hacktivist” collective found login credentials for a Verkada Super Admin account that had been carelessly exposed on the web. Using those credentials, they were able to watch live video from security cameras and access saved recordings for any of those customers. The unauthorized access was shut down after another news organization alerted the company.
And then there’s that Internet-connected fish tank, which allowed workers in the casino where it was installed to remotely feed the fish and monitor their environment. But as computer security firm Darktrace reported, attackers were able to commandeer that connection and use it to steal data from the organization.
“Someone used the fish tank to get into the network,” a security researcher told CNN, “and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network.” The attackers were able to exfiltrate 10 GB of data and send it to a remote device in Finland before network administrators were able to shut off access.
In all of those stories, there’s a common thread: Businesses, customers, and suppliers are all affected, and in the case of a serious security incident caused by an IoT device, businesses could find themselves on the wrong end of a product liability suit. Good luck finding competent legal representation if that happens; the unpredictable interactions between sensors, servers, computer networks, and real-world objects create a long list of new questions that don’t fit neatly into existing product liability laws.
If you want to protect your company, it’s absolutely essential to pay especially close attention to security when designing and deploying any kind of IoT product. Here are a few common mistakes, and how you can avoid them:
One thing you can’t do is close your eyes and hope the problem goes away. The population of IoT devices will continue to expand exponentially in the next decade or two, and those billions or even trillions of devices will bring a lot of traditional business models into unfamiliar territory. These new tools will no doubt bring impressive benefits to growing companies, but it’s essential to consider your network security in the process. The sooner you get your bearings, the better your business will fare.