Expanding integration of Internet of Things (IoT) devices in workplaces, industry and home settings remains a leading cybersecurity issue. IoT devices include items from home routers to security cameras and web-enabled refrigerators. Devices often use an internal hardware and operating system architecture identical across an installation making all units vulnerable to the same exploit. The efficiency and savings of integrating IoT into home and business settings makes them a lead contributor to automation advances and ease of enterprise management. The hardware and software exploits that make them a danger remain difficult to address given non-technical factors, however. IoT devices are often installed by non-technical staff and frequently integrated into system networks after insufficient consultation with IT or systems professionals. Once added to a network exploits from uniform device hardware and software, physically accessible hardware ports or default access credentials make IoT units a lurking vulnerability.
IoT integration is often handled by departments outside of information technology to streamline facility and systems management. IoT devices arrive with hard-coded software, passwords and protocols to communicate with one another as well as local or cloud management services. An installation of dozens or hundreds of devices may make changing default settings cost-prohibited or may be done by outside contractors. Time or opportunity to change exploitable settings may not be assigned to IT staff. Website compendiums of default access credentials for devices are widely available and major exploits continue to occur from the often-automated use of this information. Divorcing device implementation from the staff responsible for securing the network leads to blind spots in system security that may go unnoticed until an attack is initiated.
IoT devices that access external cloud services for data storage or centralized management also use legitimate exceptions in institutional firewalls. This opens significant avenues for network penetration. Even if commands entering a network to activate IoT exploits are prevented by a firewall, devices are easily physically accessible. Unsecured USB ports or default Wi-Fi accessibility allows attackers physically present in a facility to access and exploit device capabilities. Once compromised by in-person access, IoT devices used to send sensitive or malicious traffic out of a network will have open pathways through network firewalls intended to accommodate legitimate traffic. The sheer volume of legitimate traffic on a network for IoT systems can make detecting an exploit difficult.
A large deployment of IoT devices with default configurations can easily be harnessed into a botnet, acting in unison to send traffic for denial of service or ransomware attacks to other systems. A network of devices can be compromised and lay dormant on a network with no or minimal indication of their compromised status until an activation signal initiates an attack. Botnets are sold on the dark web and may go undetected for months until implemented.
Tools for detecting what vulnerabilities exist from IoT devices on a network are in development but are not widely implemented. IT staff may miss a large installation of vulnerable devices from mundane factors such as devices being installed on a separate network segment or in a remote branch without consultation of central IT staff. Even if vulnerabilities are discovered, uniquely securing hundreds of devices after installation is a significant expense of human and financial resources.
Well-known issues with IoT implementation have already resulted in major cyberattacks such as the 2016 DDoS attack on French web host OVH. The same vulnerabilities leading to these issues are still widely present in current and upcoming IoT deployments. IoT implementation is developing to reduce default vulnerabilities but human and cost factors leading to their seriousness remains a major source of risk.
