IoT: a new frontier for cybersecurity threats

Author : Christophe Fourtet | Co-founder & Chief Scientific Officer | Sigfox

01 December 2021

IoT security_hacker
IoT security_hacker

By the end of 2021, the number of IoT devices installed globally was expected to exceed 35 billion – a figure predicted to more than double in just 4 years, to 75 billion! These devices include everything from Google & Alexa smart speaker assistants to smartwatches, smart car technology, GPS trackers & remote monitoring devices, such as the Ring video doorbell  – and even sophisticated Industry 4.0 production & manufacturing tools.

This article was originally featured in EPDT's H2 2021 IoT & Industry 4.0 supplement, included in the December 2021 issue of EPDT magazine [read the digital issue]. And sign up to receive your own copy each month.

Uses for IoT technology are almost inexhaustible, particularly with the advent of IoT-powered smart homes, offices and cities. As Christophe Fourtet, co-founder & Chief Scientific Officer at IoT communication service provider, Sigfox tells us here, this exposes fresh challenges from a cybersecurity perspective…

Cybersecurity threats have evolved in line with the growth of emerging technologies. Where security threats once comprised of mainly viruses and malware, threats are now far more sophisticated. The IoT (internet of things) provides a new target for attackers – and more IoT devices mean that there are potentially more vulnerabilities for cyber-criminals to encroach and increased network points to be protected.

The threats to internet and cellular telephone networks, and even to cloud computing usage, differ to those to IoT technology. Remote sensors, smart car technology, the smartwatches used by businesses, and drones for industrial use are all potentially susceptible to cyber-criminals. Attacks can come in all forms. Traditional virus and internet-based attacks could breach servers or impact data transmission frequencies to smart devices – and they could even potentially infiltrate the devices themselves.

These threats all have something in common: the internet, connecting IoT devices, so direct attacks to IoT devices could happen via any of the following:

RFID

RFID (radio-frequency identification) deploys radio frequency waves wirelessly to transfer digital data. Breaching this connection physically is not possible and air infiltration is virtually impossible, so the threat here, therefore, is minimal. However, that said, breaches can occur – and are likely to consist of internet-based attacks to RFID services, via weak points in a server, or via the server link of the recipient RFID reader.

IoT security
IoT security

Ultra-low cost LPWAN

Low-power wide-area network (LPWAN) connections are ideal for IoT devices, such as battery-powered sensors, since they transmit long-range data at a low bit rate. As with RFID devices, the direct risk via the device itself or via the air is negligible, though link ranges are increased. A further limit to the threat is that few transactions occur on devices using this technology, and those that do are via an uplink. The simple and straightforward technology of these devices somewhat protects them, although jamming them is possible. Again, what is more common are cyberattacks to the networks that these devices interact with.

LPWAN

More intricate LPWAN devices, for instance, those that experience increased traffic or use two-way data flow, could be more vulnerable to attack. Here, dynamic scrambling of device transmissions and the Advanced Encryption Standard AES-128 are possible remedies.

Cellular IoT/5G

Cellular and 5G connections are more ubiquitous, experience much higher volume of transactions and utilise more substantial protocols. These connections see more via air-interface security threats. ‘Entrapment’ security solutions are often implemented to sense, track, identify, forecast and shield against cyber-threats. Again, cyber-breaches via servers and app servers – in other words, backend attacks – are more frequent. To counteract these threats, security monitoring through both software and teams, daily, are necessary.

PAN/internet

Identified vulnerabilities in the PAN (personal area networks)/internet sector include much higher traffic volumes and a larger panel of protocol strata associated with this technology, often layered on top of each other. Despite solutions existing against such attacks, there are often oversights in safeguarding interfaces connected in this manner. The greater the complexity or volume of surfaces within these systems, the more often we see discrepancies in the requisite defence solutions needed. Complex systems can even be penetrated and attacked via simple PAN sensors, such as those in smart Wi-Fi lightbulbs.

The larger security risk

IoT security
IoT security

The industrial IoT (IIoT) market is developing its responses to cyberattacks. Over the past few years, just as businesses have implemented enhanced security solutions that shield networks and cloud computing use, similarly, there is a growing recognition that the multitudinous network endpoints and surfaces where IoT is deployed should be equally protected. As a result of the full breadth of threats to IoT, mature technology users have been pushed to repeatedly and painstakingly scrutinise their entire systems.

B2C (business-to-consumer) IoT users, consumers and less mature users usually possess less sophisticated anti-cyberattack systems. These users, where they are third-parties and connections, being more open to breaches, can present greater threats to more protected users and businesses. This is seen in many of the cyberattack headlines in the news. Bigger businesses have fallen prey to security breaches via third-party suppliers or internal threats, for instance, in the form of an individual employee with less security savviness or protection.

The number of connected endpoints, also known as the physical attack surface, is quickly increasing in line with the growth of the number of IoT devices in use. The task of cybersecurity is increasingly challenging, but as the number of networks carrying large volumes of data with several connections are also increasing, this is understandable. With the growing complexity of protecting larger and busier networks, similarly, comes the exponential costs in securing the networks.

Protecting the growing number of IoT devices against cyberattacks

“Quality of service” (QoS) is a term that should accompany cyber-protection. Au fait with this necessity, mature technology users safeguard their devices, both simple and complex, with rigorous cybersecurity measures, treating every endpoint equally. They are deploying cybersecurity teams, software, data analytics and artificial intelligence (AI) to detect anomalies to highlight threats, forecast them and to defend against them.

Software and/or the surveillance of human teams should be employed to monitor every IoT device in a network, either directly or indirectly. An understanding of how both the devices and cyberattackers’ behaviour is needed in order for users to identify and mitigate attacks. For large networks, implementing the strategy of rapid detection of abnormal device and system behaviour “as a service” needs to be commonplace.

As a discipline, cybersecurity takes time and is exponentially dependent on device behaviour. Devices are more complex to monitor and manage, the more they communicate or transact – and similarly, the more unpredictable they are.

IoT security_communications technology
IoT security_communications technology

Straightforward measures to defend against malicious breaches

Adopted cybersecurity measures should not only be technology-based. A poorly conceived system, or one that is inadequately analysed, will not necessarily be protected by even AES-1024 technology. Even intricate security systems can leave weaknesses across large networks, where users need to share complex security codes.

Knowledge and understanding of threats, and consolidating all systems so that every endpoint, human or otherwise, is protected, is fundamental to adequately protecting systems.

The initial stages of defending against threats are usage characterisations and system considerations. In addition, every user of the network should have an awareness and understanding of threats – right from customer-facing employees through to boardroom directors. It is only then that technologies and encryptions, including AES and AI algorithms, can be truly effective.

The reduction of the complexity of endpoints and connection will afford simpler management of networks. Systems and networks becoming heterogeneous will help matters. This will ensure that threats will be similar across common systems, rather than differing from one design to another, as is the case now.

The advancement of computing, and emerging technologies, including AI, will facilitate and accelerate the detection of anomalies and potential threats, if IoT devices and their operations are categorised and analysed. Knowledge sharing among technology and cybersecurity communities will enable businesses to learn from one another on attack vectors and best practice.

Hardware and software, on devices and networks, and risks via technological and human breach vectors, should remain the focus of cybersecurity technologies. IoT increases the surface of attack of business and domestic network systems. The increase in employees working from home, connecting to business networks, become business threats. Cybersecurity should be methodical, relative to threat and system in question, combining both security and operational strategies. Furthermore, cybersecurity awareness is crucial, for all network and device users, and from every employee across a business, from the top down.


More information...

Contact Details and Archive...

Print this page | E-mail this page