Internet of Things (IoT) devices often lack screens, which is bad for their security: it means entering the multiple details that keep many devices secure is not possible. This problem compounds the fact that IoT devices are, by their very nature, connected to many other devices, so one being compromised could lead to many being compromised.
Security expert Marc Boroditsky, VP and GM of Authy, a Twilio service, explained to TechDigg what can be done to make IoT devices more secure.
What are the main problems of smart devices?
“The most pressing cybersecurity risks for the massive proliferation of IoT devices are the devices themselves, and the networks they connect to,” Mr Boroditsky said.
“IoT already faces several threats on the security front: in the last few months alone, we’ve seen multiple ransomware attacks and a looming malware infestation.”
He added: “If that weren’t enough, IoT devices are still subject to the same threats as any other account with weak or nonexistent authentication. Further complicating the issue is that many of these devices don’t offer an actual user interface (such as a screen), making it far more difficult to know how and when an attack occurs.
“Attackers can leverage IoT devices as a gateway to a network, or worse, anything connected to the same network. Suddenly it’s not just personal information at risk, but access to garage doors, security cameras or thermostats, all because someone was able to compromise a single device connected to an at-home Wi-Fi network.”
What can be done to make IoT users feel safer?
“Already a nightmare scenario for any consumer, these kinds of attacks can effectively eradicate trust in the products or services of the company responsible for the compromised device,” Mr Boroditsky said.
“Relying on users to protect themselves with stronger, more complex passwords isn’t going to cut it. Numerous studies have shown that users continue to use weak passwords, even while acknowledging the associated risks.
“In order to protect their users and maintain trust in their products, IoT device providers should look to two-factor authentication (2FA) to strengthen account security. (There) are three recommended steps businesses can take immediately.”
The three step 2FA approach
Mr Boroditsky explained that:
“Two-factor authentication is already known to be effective in deterring attacks on online accounts, and most 2FA requests happen through a user-friendly mobile interface, such as with a one-time passcode sent through a text message, phone call, or an approve/deny push notification request.
“This works well for apps and other online services, but IoT devices don’t ship with a fully functional smartphone screen. Fortunately, most IoT devices offer mobile companion apps, making it easy to implement a 2FA process into a mobile workflow, in these three steps.
“One – Verify the device. When new users register their smartphones or tablets to work with IoT devices, implement Phone Number Verification as a first step in onboarding to ensure a legitimate device is tied to the account. There are also secondary benefits of combating bots by detecting location from the phone data returned to confirm that the device is being used where expected.
“Two – Authenticate the user. Once the user is onboarded with a legitimate device, encourage (or better yet, require) that user to enable two-factor authentication on their account login process. This way the service provider can combat any strange behavior on the account, such as authorizing new devices or attempts to access IoT devices from new geographies, with a request for further authentication in the form of a push notification or one-time-password (OTP) sent directly to their device.
“Three – Step it up. Once someone is logged in to a system, not all actions are created equal. From a security standpoint, providers can’t treat normal usage the same way they treat high-risk actions, like disabling a security camera or a heart monitor. Rather than give any user who gains access the freedom to make changes at will, the industry should turn to 2FA to be more proactive about account security. A simple “approve/deny” push notification can thwart even the most sophisticated attacks, even when an attacker has already compromised the account.”
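The three steps above, as an added example that is not code from the article or from Authy: a small policy routine that denies unverified devices (step one), requires a second factor for new devices or new geographies (step two), and steps up to a second factor for high-risk actions even in an established session (step three). The one-time password is a standard RFC 4226/6238 HOTP/TOTP; the action names, the Session fields and the country-based geo check are hypothetical simplifications.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

# Hypothetical list of actions a provider would classify as high-risk.
HIGH_RISK_ACTIONS = {"disable_camera", "disable_heart_monitor", "authorize_new_device"}

@dataclass
class Session:
    user: str
    device_id: str
    phone_verified: bool        # step one: phone-number verification done at onboarding
    known_devices: set          # devices already bound to the account
    home_country: str
    country: str                # country of the current request (constructed, not real geo data)
    second_factor_passed: bool = False

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time window."""
    return hotp(secret, now // step)

def decide(session: Session, action: str) -> str:
    """Return 'deny', 'step_up' or 'allow' for a requested action on an IoT account."""
    if not session.phone_verified:
        return "deny"                       # step one: never onboarded, no access at all
    new_device = session.device_id not in session.known_devices
    new_geo = session.country != session.home_country
    # Step two (strange account behaviour) and step three (high-risk action) both
    # demand a second factor; a compromised password alone is not enough.
    if action in HIGH_RISK_ACTIONS or new_device or new_geo:
        return "allow" if session.second_factor_passed else "step_up"
    return "allow"

def complete_step_up(session: Session, secret: bytes, submitted: str, now: int) -> bool:
    """Verify the OTP for the current window only, with a constant-time comparison."""
    if hmac.compare_digest(totp(secret, now), submitted):
        session.second_factor_passed = True
    return session.second_factor_passed
```

A production version would also accept the adjacent time window for clock drift and rate-limit OTP attempts; both are omitted here to keep the policy logic readable.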
Why isn’t this happening already?
“The industry needs to embrace more robust security protocols for IoT devices,” Mr Boroditsky said. “Companies are simply not taking the right steps to protect IoT accounts, the information they contain, or the networks to which they’re connected.
“IoT manufacturers need to adopt the latest device security protocols before they ship devices. Several IoT devices still ship with a default admin password but don’t require users to change the password as part of the onboarding. That’s akin to real estate developers building apartment complexes where the same key accesses every lock.”
The security expert concluded by saying that: “Additionally, there are already standards recommended by the National Institute of Standards and Technology (NIST) which any company can look to for guidance on security frameworks. As the rise of IoT and IoT-related attacks continue, we’ll likely see third-party certifications such as SOC2 and UL 2900 become regulation rather than ‘recommended’.
“The threats out there are sophisticated and relentless, and businesses must employ more than just a username and password to protect any account, not just IoT. It’s not a question of if, but rather a question of when attackers try to exploit something. Put the appropriate account security in place today, and help prevent what could easily be the apocalypse of IoT security.”