Written by Kevin Perez

01/13/23

The technology landscape experienced so many changes in 2020 that one milestone flew under most peoples’ radars. In 2020, the amount of IoT devices outnumbered non-IoT devices for the first time. The number of non-IoT devices, such as laptops, cell phones, tablets, and PCs, remains relatively stagnant. On the other hand, IoT devices are seeing a boom that is not slowing down. There may be as many as three times more IoT devices than non-IoT devices in 2025.

IoT devices provide exciting opportunities. They can make everyday life easier and more streamlined. Use cases can be at the same time seemingly futuristic and well within the grasp of the average person. IoT devices also present enticing economic opportunities from a business standpoint. We’re not here to dampen excitement about IoT tech. But if everyone were to look at IoT devices through a solely pragmatic lens, cybersecurity concerns would be included with the other buzz. In this article, we will discuss the state of IoT, and address security issues that come along with IoT devices.

What are IoT devices?

An IoT device is any device that connects wirelessly to a network and is capable of transmitting data. The ecosystem of these devices makes up the Internet of Things (IoT). Given this definition, you may be wondering why a smartphone or laptop is not an IoT device. There are a few distinctions that make certain devices considered IoT devices, and others not.

First, IoT devices are non-traditional computing devices. Most IoT devices have non-internet connective counterparts. For example, there are smart thermostats that connect to the internet, and then there are traditional thermostats that don’t. This goes for just about every IoT device you can think of – washing machines, plugs, printers, etc. 

The next qualifier that separates what makes a device an IoT device is that it serves one specific purpose besides providing humans connectivity to the internet. Mainly that purpose is achieved through transmitting data in a way that is automated and does not require human input. 

And finally, IoT devices must be connected to the internet to work properly. On the other hand, network of Things (NoT) devices can connect to a network, but don’t need the internet to function properly.

Types of IoT devices

There are several different types of IoT devices. Consumer IoT devices are ones the average consumer will buy. This is often smart home tech. But IoT use extends beyond the scope of the average consumer. Commercial IoT, Military IoT (IoMT), and Industrial IoT (IIoT) all present different use cases for these devices. Commercial IoT may be seen in the healthcare industry, whereas industrial IoT is seen in industrial applications found in the manufacturing and energy sectors. It’s important to keep these other less-known uses of IoT devices in mind when contextualizing the implications of security-compromised devices.

Why have IoT devices become so popular?

The question of why IoT devices are now becoming so popular is a loaded question. The simplest answer is that IoT devices demonstrate features that are trending in the tech world such as the interconnectivity of devices, automation through data analysis, and streamlining functions and experiences. Because these trends exist and are seen in IoT devices, businesses see value in producing IoT devices, which in turn further solidifies these trends.

On the consumer side, IoT devices allow users to either do tasks quicker or easier. In smart homes, this may look like controlling all devices with voice commands. Devices can also communicate with each other and are beginning to be able to preemptively know what you will want them to do based on your routines by collecting and analyzing vast amounts of data.

On the industry side, IoT devices allow tasks to be done quicker and more efficiently. This may include inventory tracking, health monitoring, or even just remote temperature control in the workplace.

Cybersecurity concerns with IoT devices

The boom in IoT devices may be a techy’s dream, but for cybersecurity professionals, the rise in popularity is faced with trepidation. While ransomware dominated cyberattacks in the last few years, CNBC claims that IoT devices may be “the next big hacking prize”. It’s easy to see why. There is a lack of regulation on the security of these devices. The devices are notoriously easy to hack. And these devices are becoming increasingly prevalent across all market segments and industries. In effect, there is an unstoppable wave of vulnerable tech reaching the mass market.

We’ll break down each of the security concerns below:

1. Lack of regulation –

There is little government regulation that sets security standards for IoT devices. Regulation that does exist varies by country and state. The most stringent regulation put in place for these devices is the IoT Cybersecurity Improvement Act of 2020. This act gives NIST, the National Institute of Standards and Technology, the authority to manage IoT cybersecurity risks for devices acquired by the federal government. The government clearly recognizes the threat that IoT devices bring, but that concern has not led to  any federal regulations for the general public.

Since there are no formal regulations on these devices, there is no incentive for manufacturers to put in security controls. As any IT professional knows, balancing security with user experience is a constant challenge. The more security measures implemented, the more user experience suffers. For example, most IoT devices will trust the local network it is connected to and not require any form of authentication or access control. Any device that then connects to the same network is also trusted. While this presents a security risk, the alternative of putting in access controls would make the average consumer less pleased with the user experience.

The other reason manufacturers are unlikely to put in security controls is that it is cheaper not to. For example, most IoT devices don’t come with any kind of encryption capabilities. This means the devices can’t encrypt any data they transfer. So not only is it easy to infiltrate the device’s network, but it is also easy for the hacker to steal data transmitted by the device.

2. Easy to hack –

We’ve just described a couple of reasons IoT devices are easy to hack (lack of access control and encryption), but there are more. Many IoT devices come with default passwords that users are unlikely to change. While this provides easy functionality to the user, it makes it easy for hackers to be able to infiltrate the devices.

One of the biggest cybersecurity concerns with IoT devices is that they usually do not receive software updates and patches. Your phone and computer receive regular updates. Included in these updates are security patches that address newly exploited vulnerabilities. IoT devices lack this kind of support. If hackers discover an exploit in the device, it is unlikely the producers of the IoT device will make any efforts to fix the vulnerability.

3. Increasing use of IoT devices –

These devices are used in more than just consumer homes (which is already a concern). They are also used across all industries.

The increase in IoT devices also leads to larger attack surfaces. More devices mean more ways hackers can infiltrate networks and exploit user data. Security professionals now have a much harder job in securing the workplace when that workplace is filled with potentially vulnerable devices. Also, the devices themselves can be used to launch attacks once infected with malware. Some of the largest DDoS (Distributed Denial of Service) attacks are launched through botnets of infected IoT devices. This means that not only are users at risk when using unsecured IoT devices but those devices can be weaponized and used on anyone and any company.  

Why do hackers want to infiltrate IoT devices?

Steal data

Why does it matter if IoT devices are vulnerable? What can a hacker gain? There are a few reasons why someone would want to hack IoT devices. One of those reasons is to get data from the IoT device itself. Hackers have easy access to data transmitted on IoT devices if the devices are not using encryption. Many of these IoT devices store personal information. For consumer IoT devices, this may be the user’s name, the user’s password, and the user’s geographic location. For IoT devices in the workplace, this can be information that can lead to widescale data breaches. IoT devices used in healthcare often transmit sensitive health information. 

Take over the functionality of the device

Not only can hackers steal data from the devices, but they can also have full access to the functionality of these devices. For example, hackers who gain access to security cameras or home cameras can see the camera feeds. In a workplace, this can lead to exposed credentials and company secrets. In a consumer’s home, it is at the very least a strong invasion of privacy.

Sourced from wallarm

Use ransomware to extort

If the IoT device is transmitting sensitive data or information, hackers can access this data and then hold it for ransom or use it for extortion. This is less of a concern than ransomware attacks being launched against full systems, as hopefully the IoT device is not transmitting large amounts of data. But even so, hackers can intercept data that is valuable enough to the user that they will pay a ransom to not have it leaked. Hackers can also lock the IoT devices themselves, and if the device is critical to business function, an organization may pay to regain access quickly.

Launch DDoS attacks

Finally, hackers can use IoT devices to launch DDoS attacks. Hackers can infect hundreds or thousands, or even millions, of devices. The devices under the hacker’s control are known as a botnet. Some DDoS attacks simply rely on a large botnet to send traffic directly to the target. It is impossible to ever know how many bots comprise a botnet but estimates for various attacks range from in the thousands to over a million. Botnets can be self-propagating as infected bots can recruit and infect other hardware devices connected to the surrounding network. The owners of the infected devices may be none the wiser. It is possible a hacker is using an IoT device in the room you are reading this for this very purpose.

The next steps – improving IoT security

This article discussed areas of IoT security that are lacking. But there are ways to make them better protected. Ideally, companies would take these precautions during the production stage of the IoT device. Governments will likely only pass regulations when enough IoT devices begin to be at the center of cyberattacks. Cybersecurity compliance regulations for businesses have become more stringent in the past few years, and for some reason, IoT devices seem to be lagging behind this trend. Until produces of these products implement security fixes, it is the responsibility of the user to improve the security of their devices.

PeerWise’s upcoming article will focus on how to best secure IoT devices. Whether you are using these devices in your house or a business owner using them in your office, securing IoT devices is vital to ensure your data and information are safe. Sign up to PeerWise for free to receive access to this article and others.