Disclaimer: Views in this blog do not promote, and are not directly connected to any Legal & General Investment Management (LGIM) product or service. Views are from a range of LGIM investment professionals and do not necessarily reflect the views of LGIM. For investment professionals only.
Smart devices: an open door to hackers?
How many gadgets are connected to your home Wi-Fi network? These seemingly innocuous devices are creating a major cyber security headache.
Browse the ‘smart devices’ category of any big retailer and you’ll see the incredible variety of ordinary products that now come with internet connectivity. Toothbrushes, toasters, deodorants, pet feeders, toilets, cutlery and frying pans are all now available as ‘internet of things’ (IoT) devices.
Although some of these might sound like gimmicks, there’s no getting away from the underlying trend: despite severe chip shortages last year, it’s estimated the number of IoT devices hit 14.4 billion in 2022, up 18% from 2021 [1].
Increasingly, everyday products will require your Wi-Fi password as standard. For consumers, this new generation of household items promises new features and more convenient control via a smartphone. But smart devices also create potential vulnerabilities.
An ever-expanding attack surface
In a previous blog we examined how ‘below the OS’ attacks could represent a hidden vulnerability in PC cyber security. By contrast, a smart toaster might seem harmless. However, for a hacker, every device connected to a network forms part of the ‘attack surface’, meaning it’s a potential point of entry.
Research [2] indicates the number of vulnerabilities related to IoT devices rose 16% in 2022, compared with a growth rate of only 0.4% for all vulnerabilities. Compared with laptops and mobile phones, IoT devices represent a largely overlooked segment of the attack surface. While the former benefit from a regular patching cycle to mitigate vulnerabilities, IoT devices often receive little or no attention after they have been deployed.
For corporations, the security flaws of some IoT devices have become an increasing concern since the pandemic led to mass adoption of hybrid working. In an office environment, the threat surface is well mapped as only devices bought by the company can join the network. Today, however, employees use their home network as a stepping stone to the corporate network – introducing any number of potentially insecure IoT devices as a possible gateway for hackers.
How IoT devices can be exploited by hackers
Cyber security is an ongoing game of cat and mouse, in which attackers are constantly probing systems to access valuable information without being discovered. IoT devices are a prime target for hackers, who use a range of techniques to exploit them:
- Firmware attacks: as our previous blog explained, the ‘firmware’ software that runs before you reach an operating system environment is not immune to attack. The firmware of IoT devices has emerged as a potential vulnerability, as the ‘install and forget’ nature of these products means they soon become invisible to most users
- Credential attacks: while most of us wouldn’t dream of entrusting a new mobile phone with valuable information without first setting up a passcode or facial recognition, smart devices are often left with the default username and password. Finding this information is remarkably easy, since the makers of IoT devices post it online [3] and public databases make it easy to search for the credentials to any device
- Denial of service (DoS) attacks: smart devices can be hijacked to bombard servers with web traffic, rendering them unable to serve legitimate requests. A distributed denial of service (DDoS) attack is very similar, the only difference being that it uses a network of devices to make the attack harder to fend off
- On-path attacks: also known as a ‘man in the middle attack’, this is when an attacker in the middle of a conversation between two parties that trust each other is able to access and potentially modify the flow of data. Just as compromised email servers and insecure public Wi-Fi can facilitate on-path attacks, the typically unencrypted data of an IoT device can be harnessed by cyber criminals to perpetrate this attack
To defend against these attacks, companies and institutions need security solutions that can provide visibility and protection for the whole attack surface – encompassing not only internal IT systems but also user devices that can escape the radar.
New technologies are constantly creating new opportunities, but also new dangers. In upcoming blogs we’ll look at how artificial intelligence (AI) and quantum computing stand to fundamentally change the cyber security landscape.
1. Source: https://iot-analytics.com/number-connected-iot-devices/
2. Source: https://www.ibm.com/reports/threat-intelligence
3. Source: The password to your IoT device is just a Google search away – Naked Security (sophos.com)