Unmasking the Vulnerabilities of IoT Devices

By 2020, the number of IoT devices reached 12.3 billion. Electronic devices that communicate with each other through the clouds, smart homes, and intelligent industrial systems are becoming our new reality. In the distant 90s, the first thing that could connect to the internet was the most ordinary toaster created by John Romkey.

After almost 30 years, the number of Internet of Things (IoT) class devices has exceeded the population of the planet. According to Statista, there are approximately 15.14 billion connected IoT devices as of 2023 which is equivalent to just under twice the total number of people worldwide.

By 2030, according to Cisco IBSG forecasts, the number of things connected to the internet will reach 50 billion. In other words, there will be six smart devices per inhabitant of the planet.

The IoT landscape is glistening with the promise of a utopian future—a world where automation streamlines our processes, reduces material costs, and shaves off precious minutes from our routine tasks. But, let's not get lost in this techno-optimism. For every layer of convenience, these innovations provide, they also introduce a serious number of potential security vulnerabilities.

How IoT can be hacked

The entire IoT is made up of "turn on and forget" devices. And from the user's point of view, such actions are quite expected and logical, because sometimes many things seem completely safe, although this is far from the truth.

In theory, vendors should ensure the safety of their equipment, releasing timely updates and applying security during development. But often, due to cost-saving measures, vendors also adopt a “turn on and forget” approach. As a result, "smart" devices may not get updated. And even if updates are released, getting users to install them is another challenge.

A multitude of unprotected IoT devices, even those with low computational power, pose an easy target for hackers. By exploiting their weaknesses and vulnerabilities, cybercriminals create botnets for activities like launching DDoS attacks. The infamous Mirai botnet launched a record-breaking DDoS attack in 2016, prompting concerns about the future of the internet. Yet, this only marked the beginning of IoT-related threats.

The most dangerous are routers

According to a security test conducted by researchers from IoT Inspector and CHIP, all common Wi-Fi routers from well-known manufacturers demonstrate significant security vulnerabilities. Although not all of them pose an equal level of risk, every router tested harbored major security flaws that could simplify the attacker's efforts. In other words, hackers can easily gain access to personal and corporate data.

Networks infected with millions of compromised devices pose a genuine threat, not just to businesses, but also to individual users. When a device that's been seized by a hacker enters a home network, chances are it's not only contributing to DDoS attacks but also collects a huge amount of information about its "owner": steals personal information, passwords, banking data, and intercepts traffic.

How to protect IoT

This looming problem calls for a solution in the form of IoT regulation. There's an urgent need for a fresh security approach towards all IoT devices. However, the quick-profit mindset of vendors, who often avoid costly development, may be at odds with the perspective of the professional community.

Regulators need to step in, building IoT security around smart-device protection standards, considering the significant risks IoT poses to users and businesses. In the case of the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act has set the tone for this change. The legislation enforces stringent security requirements on firms dealing with IoT devices. The non-compliance penalties have been consciously mirrored after the EU's GDPR, reinforcing the seriousness of the situation. However, this act is just the start of a broader global effort.

The EU is developing its Cyber Resilience Act, while the US proposes clear labeling regulations for IoT devices. These developing laws underscore the urgency and importance of enhancing IoT security. Meanwhile, users must navigate this landscape, even as vendors are yet to develop agreed-upon IoT protection strategies.

By now, it is up to users to control the safety of the data and equip themselves with precautions to defend against potential threats in the realm of smart devices.

It is necessary to keep your network "clean":

• Change default passwords
• Install firmware updates on time
• Protect routers, which many do not even think about (according to research by Positive Technologies, passwords of approximately 15 out of 100 routers are never changed)
• Purchase smart devices only from known vendors with experience in security

Keep in mind that similar measures should be taken not only for home networks but also for corporate ones.