IoT Security for Business


In 2014, cybercriminals broke into mass retailer Target’s networks, infected its points of sale and stole customers’ card details. When the breach was discovered, the criminals had already stolen the details of over 40 million debit and credit card accounts.

Did they break into Target’s servers? Did they steal login details from the employees? No, they hacked the air conditioning system.

Target’s headquarters used smart air conditioners that were connected to the corporate network. Much like locking the doors but leaving a window open, this tactic helped the criminals bypass security precautions and infect Target’s systems.

This famous story is an example of why security for Internet of Things (IoT) devices is very important. IoT devices are everywhere: air conditioners, fridges, lights, locks, security cameras, and sensors that contain smart features which make our lives easier, but are also susceptible to cybercrime.

Improving IoT security

When businesses overlook the security of these devices, they create a way in for cybercriminals. IoT devices are like any other computer, creating a potential gateway into business systems.

Fortunately, securing IoT devices is often straightforward. Most IoT security flaws result from basic errors, and fixing those will convince criminals to look for other targets instead. Here are five security tips to make your company’s IoT devices safer:

Default passwords

Almost all digital devices have login details. A very common mistake is to leave these credentials on their default setting, meaning the ones they shipped with. Those credentials are often incredibly simple, with “password” as the password, and typically all the devices have the same password because the manufacturer expects that the new owners will change it.

Tip: Change the passwords on IoT devices and don’t use the default password.

Lack of encryption

IoT devices transmit and store data across a network. That is how someone remotely monitors fridge temperatures or security camera feeds. Criminals can try to intercept and even influence the network data. If the data is unencrypted, they can steal that information or use the connection to load dangerous software onto the network. But if the data is encrypted, criminals can intercept it but not do anything with it.

Tip: Activate data encryption on IoT devices.

Outdated firmware

Firmware provides a device with its basic operating instructions, and updating firmware can improve a device’s performance. Firmware updates also deliver security fixes, closing holes that criminals can use to hack the device. The problem is that not all devices update their firmware automatically, and IT teams often neglect to update them manually. An IoT device could go for years without an update, making it more and more vulnerable.

Tip: Maintain a patching schedule or automated updates for IoT devices.

No network segmentation

A network connects all the devices in a business. Thus, as with Target’s air conditioners, someone could use any of these devices to access the rest of the network. This is a poor design. By using devices such as routers and firewalls, a secure network restricts what areas a device can access – a concept called network segmentation. Even if the device has weak security, a segmented network would stop opportunistic attackers from getting anywhere useful.

Tip: Segment network access to limit what devices can access.

Shadow IoT devices

Shadow IoT is when someone unofficially installs an IoT device, meaning they didn’t go through the proper channels that would verify and secure the device. No one is even aware it exists, so they don’t check it for patches, weak passwords, or network access. Shadow IoT is rarely malicious. Instead, it could be a new smart TV, a connected camera, or a wireless printer. But it is still a weak spot.

Tip: Give IT teams tools to detect new devices on the network, and create staff policies for introducing new workplace devices.
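
A minimal version of such a detection tool, as an added example that is not part of the original article: it compares a DHCP lease export against an approved-device inventory and flags both unknown devices (shadow IoT) and approved devices that turn up outside their assigned network segment. The inventory, MAC addresses, subnets and the "mac,ip,hostname" lease format are all constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): MAC -> (name, segment the device belongs in).
INVENTORY = {
    "00:11:22:33:44:01": ("hvac-controller", "10.20.0.0/24"),
    "00:11:22:33:44:02": ("lobby-camera", "10.20.0.0/24"),
    "00:11:22:33:55:01": ("finance-laptop", "10.10.5.0/24"),
}

# Constructed DHCP lease export, one "mac,ip,hostname" record per line.
LEASES = """\
# mac,ip,hostname
00:11:22:33:44:01,10.20.0.15,hvac-controller
00-11-22-33-44-02,10.10.5.40,lobby-camera
00:11:22:33:55:01,10.10.5.21,finance-laptop
AA:BB:CC:DD:EE:10,10.10.5.77,smart-tv
"""

def normalize_mac(mac):
    """Lower-case and use ':' separators so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit_leases(lease_text, inventory):
    """Return (finding, mac, ip, hostname) tuples for leases that need review."""
    findings = []
    for line in lease_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            findings.append(("malformed-line", "", "", line))
            continue
        mac, ip_text, host = normalize_mac(parts[0]), parts[1], parts[2]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(("malformed-line", mac, ip_text, host))
            continue
        if mac not in inventory:
            # Nobody onboarded this device: a shadow IoT candidate.
            findings.append(("unapproved-device", mac, ip_text, host))
        elif ip not in ipaddress.ip_network(inventory[mac][1]):
            # Approved device, but sitting in the wrong part of the network.
            findings.append(("outside-assigned-segment", mac, ip_text, host))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(LEASES, INVENTORY):
        print(*finding, sep="\t")
```

Matching on MAC address catches the accidental, non-malicious devices this section describes; a device that deliberately copies an approved MAC would need stronger controls such as network access authentication.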

The benefits of IoT in business are limitless: beyond task automation and increased productivity, it also gives companies a digital overview of their operations anytime, anywhere. So this is not to say stay clear of it, but rather a heads-up to use it smartly and securely.