
IoT Security Is an Unavoidable Conversation. Here’s Why

August 8, 2024 - Emily Newton

Revolutionized is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Learn more here.

The Internet of Things (IoT) is almost implausibly vulnerable to threat actors, making it one of today’s most common attack vectors. For too long, people have neglected to initiate a conversation on the tough topic of IoT security—and they are now facing the consequences.

The Harsh Reality of IoT Security Gaps 

IoT security concerns cybersecurity, data privacy and physical security—everything from cyberattacks to in-person tampering. In addition to securing the device itself, individuals must protect the network it operates on, the system it stores data in, the gateway it uses to transfer information and the application it utilizes to provide a user interface. 

IoT security is critical because many devices are vulnerable to low-level hackers. Researchers using Shodan—the IoT search engine—discovered that 18,638 of them had insecure default settings, 16,356 responded to remote telnet access, 9,241 had expired Secure Sockets Layer certificates and 4,987 ran on non-standard ports. 

The researchers quickly found a variety of low, moderate, high, and critical vulnerabilities with a single free tool, showcasing the harsh reality of the state of IoT security. The team claimed their scan’s results prove these devices are eroding privacy at a “never-before-seen scale,” going as far as to call their findings “alarming” and “shocking.”

With device affordability skyrocketing, attack frequency increasing, vulnerability remediation lagging and built-in security measures lacking, cybercriminals arguably have unparalleled access to IoT systems. The truth is that years of oversight have created ideal conditions for malicious behavior. 

Now that the IoT has become a leading target for threat actors, it will likely remain so for years to come. In the meantime, vulnerabilities will be exploited faster, attacks will happen more often and establishing adequate protections will be more expensive. Without swift remediation, this issue will continue worsening. 

Why IoT Security Is No Longer Avoidable 

A cybersecurity degree isn’t required to understand the appalling state of interconnected device security. For years, IoT companies have neglected adding built-in security features in favor of streamlining development, accelerating time to market and expanding profit margins. While regulatory bodies have begun to catch up, their rules may be too little too late. 

The IoT ecosystem has evolved into a sort of illicit marketplace—a place for threat actors to converge, pry and attack. Unfortunately, constant connectivity substantially increases visibility and vulnerability. Even a lone compromised device serves as an invaluable target for cybercriminals, botnets and hackers because it jeopardizes its entire connected network. 

Although internet-connected devices are notorious for possessing extensive vulnerabilities and subpar security features, they remain a leading attack vector—and attack frequency is on the rise. IoT cyberattacks increased to 112.29 million in 2022, up from 60.14 million in 2021, representing an 87.15% year-over-year increase.

Still, despite the abundance of evidence these attacks are worsening, individuals aren’t giving the potential consequences proper consideration. Many businesses proceed with adoption before fully contemplating the risks. An overwhelming majority—99% of security professionals, to be exact—agree securing their companies’ IoT devices poses a challenge.

The Real-World Impact of Lackluster Security

Cyberattacks and data breaches aren’t just data points—they affect real people. Whether a hacker infiltrates a new mother’s baby monitor or a business’s security system, their actions can leave individuals unnerved, frightened or helpless. In many cases, data theft or malware injection can deal a double blow that leaves a lasting impression.

An IoT attack can be life-threatening if attackers target individuals who use medical wearables or implantables. In addition to exposing vast amounts of personally identifiable information and medical records, bad actors can disrupt services. For someone using a smart pacemaker or wearable defibrillator, a cyberattack could be lethal.

Even regular individuals who have a few internet-connected devices in their homes are susceptible to the real-world impacts of lackluster IoT security. Whether a hacker infiltrates their home WiFi network or tethers their ecosystem to a malicious botnet, they’ll experience abysmal internet speeds, unexplained equipment malfunctions and privacy issues. 

Businesses leveraging an internet-connected ecosystem may be surprised to learn a single IoT attack costs more than $330,000 on average. Direct and indirect expenses like incident response, reputation losses, regulatory fines and remediation quickly add up, overshadowing their presumed return on investment.

What Is the Weakest Point in IoT Security?

Pinpointing the weak point is difficult because these devices’ verticals and use cases vary so substantially. That being said, there are, generally speaking, three main weaknesses—the manufacturers, end users and regulators. Their particular shortcomings—and the disconnect that exists between all three—weaken IoT security. 

Manufacturers set vulnerabilities in motion by allowing subpar built-in defenses and insecure settings. For years, IoT devices have shipped with weak default passwords—many of which are discoverable online. Users oftentimes can’t even adjust their device’s security controls because no option to do so exists.

Users are also often at fault for poor IoT security. In the United States, the average home contains 46 internet-connected devices—enough to be unmanageable. In all likelihood, most people would be unable to remember the last time they updated their smart oven, TV, coffee maker or doorbell camera. Many likely have no idea how to go about doing so in the first place.

Regulators are in charge of setting the laws that IoT companies must follow. Unfortunately, these rules are few and far between outside the European Union. The United States has only gone so far as to place a “Cyber Trust Mark” on devices that meet cybersecurity standards. This utter lack of regulations paves the way for substantial, lasting security gaps. 

IoT security is an ongoing, combined effort. Even if regulators pass patching laws, devices won’t be secure until manufacturers make updates available and users download them. Now consider how much more complicated this seemingly simple process becomes when it expands to cover applications, gateways, networks and data storage systems.

How IoT Security Needs to Work Going Forward

Something has to give. Unless significant change happens swiftly, IoT may soon become more trouble than it’s worth. Fortunately, several IoT security solutions exist:

  1. Zero Trust and Zero Tolerance Security

IoT companies and regulators must adopt zero-trust and zero-tolerance policies for physical and digital device protection. Since internet-connected ecosystems are common targets for cyberattacks and tampering, they should practice a “better safe than sorry” approach. 

  2. Stringent Regulations for Design and Support

Regulatory bodies and security certifiers should adopt more stringent device production and support regulations—accompanied by swift regulatory responses like fines or privilege losses. This way, companies must consider robust cybersecurity a baseline.

  3. Widely Accepted Baseline Security Standards

Since the IoT is so versatile, no single widely accepted security standard exists. Involved parties should collaborate to develop one, considering encryption, network segmentation, visibility, management procedures, and multi-factor authentication as fundamental aspects. 

  4. Organization-Wide Support for IT Staff

Vulnerabilities take anywhere from 88 to 208 days to patch, depending on their risk level. Of course, the IT staff patching them needs organization-wide support. The C-suite’s acceptance of higher spending and relaxed workloads can help them perform promptly.

The Potential Consequences of Inaction

If things remain as they are—meaning no widespread, comprehensive action occurs—the IoT will steadily experience more cyberthreats. Over time, increased security requirements due to disproportionately high risk may make deployment and upkeep overly expensive. For this technology to reach its full potential, manufacturers, end users and regulators must act.


Author

Emily Newton

Emily Newton is a technology and industrial journalist and the Editor in Chief of Revolutionized. She manages the site's publishing schedule, SEO optimization and content strategy. Emily enjoys writing and researching articles about how technology is changing every industry. When she isn't working, Emily enjoys playing video games or curling up with a good book.
