For every person on this planet there are roughly four and a half IoT devices. The Internet of Things is everywhere, from smart watches to home appliances to medical sensors and beyond, and it is growing fast: nearly 130 new IoT devices come online every second. These devices make life more convenient, more connected, and better informed. But there are downsides. Privacy is a concern, and IoT vulnerabilities are a growing problem: the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), which catalogs reported vulnerabilities rather than attacks, shows more than a five-fold increase in firmware vulnerabilities over the last four years. Yet many industries and companies are neither aware of this nor prepared for it.
Unique IoT Vulnerabilities
Unlike laptops and desktops, which need a lot of computational power, IoT gadgets typically serve a single purpose with limited hardware, and they are often cheap. Manufacturers competing on price therefore spend less on security, and a device built with minimal CPU, memory and storage may simply lack the resources for good security practices such as strong cryptography or signed updates. Because the basic function of an IoT device rarely changes over its lifetime, manufacturers may also not bother to ship updates or patches, so a vulnerability discovered after sale can stay exploitable for years. Worse, many IoT devices send data to the cloud in the clear, or over connections that do not properly authenticate the other end. Either way, anyone positioned on the network path can intercept the traffic or mount a man-in-the-middle (MITM) attack, reading or altering the data in transit.
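To make the transport point concrete, here is an added example in Python; it is not code from the original post or from any vendor. A device reports a temperature reading to the cloud. In the weak design the reading travels as bare JSON and an on-path attacker can rewrite it without anyone noticing. In the hardened design the device authenticates every reading with an HMAC-SHA256 tag under a per-device key and includes a sequence number, so the receiver rejects both tampered and replayed messages. The device id, the key and the readings are constructed for illustration.

```python
"""Added example: unauthenticated device-to-cloud traffic versus authenticated traffic.

Everything here (device id, key, readings) is constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed: a 256-bit per-device secret, provisioned at manufacture and
# shared only with the cloud service. Never hard-code a real key like this.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical(body: dict) -> bytes:
    """Serialize deterministically so device and cloud MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def plaintext_reading(device_id: str, temp_c: float) -> bytes:
    """Weak design: a bare reading with nothing binding it to the device."""
    return canonical({"id": device_id, "temp_c": temp_c})


def signed_reading(device_id: str, temp_c: float, seq: int, key: bytes = DEVICE_KEY) -> bytes:
    """Hardened design: HMAC-SHA256 over the reading plus a monotonically increasing sequence number."""
    body = {"id": device_id, "temp_c": temp_c, "seq": seq}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return canonical({"body": body, "tag": tag})


def mitm_rewrite(wire: bytes, new_temp: float) -> bytes:
    """An on-path attacker rewriting the temperature field in either wire format."""
    doc = json.loads(wire)
    target = doc.get("body", doc)  # signed envelope or bare reading
    target["temp_c"] = new_temp
    return canonical(doc)


def cloud_accept_plaintext(wire: bytes) -> dict:
    """The plaintext receiver trusts whatever arrives; the rewrite is invisible."""
    return json.loads(wire)


class CloudReceiver:
    """Verifies the tag and rejects replays by tracking the last sequence number per device."""

    def __init__(self, key: bytes = DEVICE_KEY) -> None:
        self.key = key
        self.last_seq: Dict[str, int] = {}

    def accept(self, wire: bytes) -> Optional[dict]:
        doc = json.loads(wire)
        body, tag = doc["body"], doc["tag"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or altered in transit
        if body["seq"] <= self.last_seq.get(body["id"], -1):
            return None  # replay of a previously captured message
        self.last_seq[body["id"]] = body["seq"]
        return body


if __name__ == "__main__":
    # Constructed scenario: a thermostat reports 21.5 C, rewritten to 99.0 C in transit.
    wire = plaintext_reading("thermostat-01", 21.5)
    print("plaintext, tampered, accepted as:", cloud_accept_plaintext(mitm_rewrite(wire, 99.0)))
    cloud = CloudReceiver()
    wire = signed_reading("thermostat-01", 21.5, seq=1)
    print("signed, genuine:  ", cloud.accept(wire))
    print("signed, tampered: ", cloud.accept(mitm_rewrite(wire, 99.0)))
    print("signed, replayed: ", cloud.accept(wire))
```

The shared-key MAC shown here authenticates the data but does not hide it; in a real product the standard answer is TLS with the server certificate actually validated (and ideally a per-device client certificate), which gives confidentiality and authentication at once. The example isolates the part that matters for the MITM argument: without something the attacker cannot forge, the receiver has no way to tell a genuine reading from a rewritten one.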
The Problem with IoT Firmware
IoT has its own particular firmware challenges. A device may seem to work almost magically, but what makes that possible is a collection of several distinct microprocessors inside it. Each has a different job: one drives the graphics, one handles connectivity so the device responds quickly to your input, one runs the AI features, and others handle further operations. Each often has its own firmware layer (the low-level software written for that specific piece of hardware), and they may even run different operating systems.
Because of this complexity inside a limited (and relatively inexpensive) system, the firmware in IoT devices presents a lot of attack surface. Even the best Endpoint Detection and Response (EDR) tools struggle to protect IoT at the firmware level: an EDR agent runs inside the main operating system and has no view of code executing on the other microcontrollers, each with its own firmware and its own update path. This is a big problem, especially for companies that rely heavily on IoT in their operations, and many of them are not addressing IoT firmware at all, perhaps because they do not know enough about it or what to do. One study found that 83% of security leaders had experienced at least one firmware attack in the past two years, but only 29% were budgeting for firmware protection.
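The following added example (in Python, not code from the original post or from any product) shows what an integrity check at the firmware level looks like on a device whose firmware is split across several microcontrollers, and why a check that only covers the main processor misses an implant elsewhere. The component names, image bytes and the single-bit implant are all constructed for illustration.

```python
"""Added example: per-component firmware integrity check for a multi-microcontroller device.

Component names and image bytes are constructed; they stand in for what would be
read back from each component's flash.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample images: main application MCU, radio stack, and an NPU.
FLASH_IMAGES: Dict[str, bytes] = {
    "app-mcu": b"MAIN-FW v1.4 " + bytes(range(64)),
    "radio":   b"BLE-STACK v2.0 " + bytes(range(64, 128)),
    "npu":     b"NPU-MICROCODE v0.9 " + bytes(range(128, 192)),
}


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Vendor side: record the SHA-256 of every component image at release time.

    In a real product this manifest is signed by the vendor and the signature is
    checked by a root of trust (boot ROM or secure element); a bare hash list is
    only as trustworthy as the place it is stored.
    """
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in images.items()}


def verify_firmware(images: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Check every component against the manifest.

    Returns a list of findings; an empty list means every component matched and
    nothing is missing or unexpected.
    """
    findings: List[str] = []
    for name, expected in manifest.items():
        blob = images.get(name)
        if blob is None:
            findings.append(f"{name}: image missing")
            continue
        actual = hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(actual, expected):
            findings.append(f"{name}: hash mismatch")
    for name in images:
        if name not in manifest:
            findings.append(f"{name}: component not in manifest")
    return findings


def main_processor_only_ok(images: Dict[str, bytes], manifest: Dict[str, str]) -> bool:
    """The blind spot: a check covering only the processor the OS (and any EDR agent) runs on."""
    return hashlib.sha256(images["app-mcu"]).hexdigest() == manifest["app-mcu"]


def tamper(images: Dict[str, bytes], component: str, offset: int) -> Dict[str, bytes]:
    """Simulate an implant that flips one bit in one component's image."""
    patched = dict(images)
    blob = bytearray(patched[component])
    blob[offset] ^= 0x01
    patched[component] = bytes(blob)
    return patched


if __name__ == "__main__":
    manifest = build_manifest(FLASH_IMAGES)
    print("clean device:", verify_firmware(FLASH_IMAGES, manifest) or "all components match")
    implanted = tamper(FLASH_IMAGES, "radio", 20)  # constructed: one bit in the radio firmware
    print("main processor only:", "ok" if main_processor_only_ok(implanted, manifest) else "FAIL")
    print("every component:", verify_firmware(implanted, manifest))
```

Two caveats a practitioner should keep in mind. First, if the component being checked is the one reading back its own flash, compromised firmware can simply report the expected bytes; measurement has to come from a part of the system the attacker has not reached, which is what hardware roots of trust and attestation are for. Second, the expected hashes must be authenticated (a signed manifest) and the check must cover every component, or the implant just moves to whichever microcontroller nobody looks at.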
What Can We Do About It?
As with other broad technology issues like privacy, a crucial element of safe IoT practice is government oversight. After some congressional fumbling of earlier attempts, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 was finally signed into law in December 2020. It is specifically aimed at devices owned and used by the federal government, directing NIST to publish security standards for IoT devices that federal agencies buy and use, but the hope is that its effect will spread to broader use by extension. And it is a good start: if manufacturers and security providers are already in the habit of meeting high standards for government customers, they are better placed to do the same for everyone else. Microsoft is one technology leader making this a priority; see our blog on how they are doing that.
Finally, consumers can play a role too, by supporting strong security standards and taking control of their own IoT. You cannot guarantee that an attack will never happen, but you can reduce the risk. Before buying devices, research manufacturers and choose those that take security seriously, for example ones with a stated update policy and a way to report vulnerabilities. Once the devices are in use, make sure they are part of your cybersecurity budget and inventory, and manage them well. Where possible, put IoT devices on their own segmented network (a separate VLAN or guest network) rather than exposing them directly to the internet, and disable remote access features you do not use. Check privacy settings. Turn off microphones or skip the video options when they are not needed. Replace every default password with a strong, unique one, turn on multi-factor authentication where the vendor offers it, and install firmware updates promptly. All of these small actions help, starting with your attention to them. Awareness leads to engagement, and engagement paves the way toward solutions.