IoT Security: Risks, Examples, and Solutions

Connecting devices through the Internet of Things (IoT) brings convenience. Yet, it comes with a crucial concern: keeping everything secure. Unauthorized access and malware threats are just some of the IoT security issues you may face when protecting your organization.

As IoT advances, so do the tactics of those trying to exploit its weaknesses. Recent statistics show an alarming 87% year-over-year increase in IoT malware volume in 2022. That’s not all — 112 million cyber attacks worldwide targeted the Internet of Things industry in the same year.

We’re not just throwing loud stats; we understand their significance precisely. With over four years in the Internet of Things and successful projects like Propuskator and MyBox, WebbyLab has firsthand knowledge of IoT security issues and solutions. If you want to protect your IoT ecosystem, use our article as your go-to guide on the primary threats and strategies to address them.

I believe that effective security measures serve two primary objectives. First, to bolster the system’s resilience against attacks, thereby providing the support team with ample time to respond. Second, to elevate the costs associated with hacking to the point where the effort and resources expended by the hacker outweigh any potential gains from the breach.

Kostiantyn Oliynyk, Head of IoT at WebbyLab

Roles overview and device management capabilities in MyBox 

The Importance of IoT Security

In IoT, potential threats lurk from various sources. That’s why robust security measures are your top priority. Your entire ecosystem may face challenges in the following three areas:

• Device vulnerability
• Infrastructure vulnerability (servers and services)
• Customer’s local area network vulnerability

Let’s see how insufficient protection affects these three areas and why security is critical.

Device Vulnerability

Smart devices connected to the IoT platform may face risks associated with:

• Outdated software
• Lack of firmware updates
• Weak and generic passwords
• User ignorance about basic security practices
• Botnet attacks
• Unreliable deployment locations
• Inadequate data protection measures

These vulnerabilities can lead to data breaches, compromising not only individual devices but the entire ecosystem. Therefore, IoT devices security is a must to ensure user privacy, mitigate cyber risks, and maintain data integrity.

Infrastructure Vulnerability

IoT security threats extend to the infrastructure. Upon obtaining device credentials, attackers may manipulate the platform or server to access valuable client information and potentially compromise other devices. In this scenario, authorization mechanisms, like access control lists (ACLs) and role-based access control (RBAC), ensure that only authorized users or devices can access specific resources.

In addition to the connected devices that pose risks to the infrastructure, the IoT ecosystem hides numerous other vulnerabilities. And the reason is evident. Why target individual devices when you can hack the entire system? Here are several examples of cybersecurity threats:

• Obtaining access to the platform’s database
• Getting access to the platform’s servers
• Obtaining admin (root) access to MQTT
• Facing disruptions because of DDoS or other attacks

All the mentioned scenarios aim to obtain customer data, access the IoT devices, or shut down the whole system.

Customer’s LAN Vulnerability

The customer’s local network vulnerability directly impacts IoT platform performance if insufficient attention is given to the platform architecture. This IoT security risk stems from the previously mentioned aspect — the smart device’s vulnerability. Attackers with access to the client’s local network can obtain device credentials and attempt unauthorized access to the system or gather sensitive customer information.

The importance of IoT security is hard to overestimate, especially in a world where everything is becoming “smart.” It’s challenging to anticipate where new dangers may arise.

In a recent incident, the iRobot Roomba J7, a smart vacuum cleaner, stirred controversy as its built-in camera captured images accessed by unauthorized individuals. Subsequently, these pictures surfaced on Facebook, depicting people from unflattering low angles, the kind one would prefer not to share on social media.

Therefore, when creating an IoT platform or project, it’s critical to prioritize user data protection, maintain anonymity, and minimize risks.

IoT Device Security Challenges

Having identified your IoT ecosystem’s three most vulnerable components, let’s look at the challenges of securing IoT devices. Here are the main ones:

• Weak authentication. Poor, default, or generic passwords expose devices to unauthorized access. Many IoT devices come with no authentication mechanisms at all.
• Legacy assets. Older devices with outdated IoT standards and security protocols become potential entry points for cyber threats.
• Limited device management. End users may face challenges in promptly identifying and deactivating compromised devices. The limited ability to update these devices leaves them vulnerable to exploitation as well.
• Device diversity. The wide range of IoT devices, each with security and compliance considerations, makes it harder to implement standardized security measures.
• Firmware and software updates. Devices may run on outdated firmware or software versions. The lack of regular updates creates additional vulnerabilities.
• Data encryption. Devices that don’t encrypt the data they send or encrypt it poorly may threaten the IoT ecosystem’s data integrity.
• Privacy concerns. Devices collect a lot of data on IoT systems. Insufficient protection can lead to unauthorized use or exposure of personal information.
• Supply chain risks. IoT devices risk being compromised with pre-installed malware or other threats throughout production.
• Interoperability. Devices typically use various protocols and standards, which makes it challenging to maintain a unified and secure IoT ecosystem.

Let’s now look at the practical example of how these challenges impact the IoT devices security. Imagine that you’re developing an IoT platform that connects devices of different manufacturers simultaneously. The risks you may face include the following:

• Weak authentication: Default login/password for a built-in web admin panel of the device.
• Data encryption: Unsecured file systems may reveal stored information through WiFi access, IoT cloud credentials, or USB UART.
• Communication channel vulnerability: An unencrypted communication channel with the IoT cloud can potentially grant unauthorized access to user data.
• Firmware and software updates: During OTA firmware updates, devices are vulnerable to man-in-the-middle attacks, allowing attackers to install malicious firmware.

Consequently, these vulnerabilities may let an attacker access the user’s LAN (WiFi), receive their credentials to authorize the platform or gain control over the device. Given that all user devices use the same data for platform authorization, an attacker could automatically obtain access to the data of every device within the platform.

Ways to Solve IoT Issues and Protect Your IoT Device

Despite the many security threats in IoT, there are various ways to tackle them. Consider the following solutions:

• Change passwords often and make them strong. Combine alphanumeric characters and symbols when creating passwords for your IoT devices. Update them regularly to strengthen security.
• Handle regular firmware and software updates. Make sure your devices are running the latest firmware and software versions. Regular updates help patch vulnerabilities and improve the overall IoT devices security.
• Ensure supply chain security. Choose IoT device manufacturers and suppliers thoroughly. Verify the integrity of components to prevent potential risks.
• Consider technology besides cloud solutions. While cloud tech offers convenience, think of other solutions like edge computing.
• Use secondary networks. Isolate your IoT devices from the primary network, e.g., WiFi, to add an extra layer of protection.

At WebbyLab, we address the numerous IoT cyber security threats at the platform architecture level. For example, denying OTA renewal through unencrypted HTTP or allowing device connection only through secure channels, such as MQTTS, are effective measures. 

However, challenges persist in the firmware architecture, given the potential for sometimes unpredictable threats. Hence, the most optimal solution lies in establishing a robust architecture for the platform itself, be it a system or a project. You can learn more about how to protect your infrastructure here.

IoT Security Best Practices

Besides the strategies we listed above, you can follow numerous other IoT security best practices. Here are the top IoT security issues and solutions you can leverage:

• Secure the server infrastructure. To achieve this, enable server access through VPN or bastion host, ensuring protection against data interception, unauthorized access prevention, minimization of the attack surface, and effective monitoring and logging capabilities.
• Configure a firewall for limited platform access. Ensure restricted access to the platform by blocking unauthorized access, providing malware protection, monitoring network traffic, controlling internet access, and storing data confidentiality.
• Restrict device production access for employees. Alternatively, you can grant personalized access control for each employee.
• Handle regular system backups. Back up your IoT data regularly and distribute stored backups among servers to mitigate the risks of complete data loss.
• Use encryption. Leverage encryption for backups to ensure effective risk management associated with data leakage.
• Monitor system and business metrics. Track CPU, RAM, disk usage, etc., and keep an eye on parameters that capture any unusual activities beyond the scope of ordinary users or devices.

Besides that, prioritize the code infrastructure security. Handle routine security audits for updates of open-source libraries and services used on the platform.

Learn from the example of Log4j, an open-source logging library that has likely affected numerous individuals and organizations worldwide. A security flaw identified in Log4j could have enabled attackers to infiltrate systems, steal passwords and logins, and introduce malicious software into networks if not addressed promptly.

Are you looking for other IoT security best practices? Check out our recent post on the five essential steps to ensure secure communication with IoT devices.

WebbyLab Experience in IoT Security

WebbyLab prioritizes security in all IoT projects. We introduce robust protection measures on the architecture level to mitigate any issues beforehand. Make sure of our profound expertise by looking at some of our IoT solutions:

Access Control System’s Security

Video surveillance in the Propuskator access control system

When working on Propuskator, our cloud access control system, we handled the following IoT security issues and solutions:

• Developing a device (hardware and software) and an access rights administration platform from scratch.
• Enabling device communication with the platform through secure protocols, including MQTTS and HTTPS.
• Introducing OTA updates available through HTTPS or manually via the device admin panel.
• Restricting access to the device admin panel.
• Implementing a custom protocol for the seamless data exchange and access rights between the platform and the device.

Configuring settings from the admin account in the Propuskator ACS mobile app

EV Charging Station’s Security

Our client, a manufacturer and supplier of EV charging stations, MyBox, required us to develop a backend cloud infrastructure and a mobile app for end-users. We handled the task with precision, ultimately introducing the following security measures:

• Enabling personalized access for each device on the platform (access rights administration).
• Creating secure software and firmware. 
• Introducing restricted access to the device admin panel.
• Establishing communication with the OCPP server through WSS (WebSocket and TLS).
• Securing device communication with the platform through MQTTS and HTTPS.
• Enabling OTA updates over HTTPS.

User requests for actions protected by admin password

Discover more about our use cases where we tackle IoT and IIoT security challenges in our portfolio.

Protect Your IoT Ecosystem with WebbyLab

Despite the many IoT security issues that may lead to data leaks, operational disruptions, and financial and reputational harm, effective solutions exist for addressing these challenges. Consider protecting your architecture, updating your firmware and software regularly, or leveraging any other strategy described in our post.

If you’re looking to protect your IoT technology project with precision, count on WebbyLab as your reliable partner. Drawing on our four-year background in the Internet of Things, we can prevent your solution from potential risks. Reach out to us to secure your IoT system today.