What are the biggest IoT security risks and challenges

High-speed 5G mobile networks not only connect people more efficiently, but also enhance the interconnection and control of machines, objects and devices. High data rates, low latency, and high capacity are good for both consumers and businesses. But as one company that introduced 5G early experiences, these benefits also carry new, significant security risks.

Global home electronics manufacturer Whirlpool has already begun building 5G at one of its plants. The company still uses IoT devices for predictive maintenance, environmental control, and process monitoring over its existing local area Wi-Fi network, but the introduction of 5G will enable autonomous forklifts and other vehicles not possible with Wi-Fi.

“The plant is heavily metal,” said Douglas Barnes, Whirlpool’s North American IT and OT manufacturing infrastructure application manager. WiFi is reflected in the metal. I built a mesh Wi-Fi in the factory, but I can’t help but have too much metal.5G passes through walls and is not reflected by metal. ”

“When 5G is deployed at the plant, Whirlpool will see a breakthrough,” he says. “We will be able to introduce true autonomous vehicles across the facility, covering everything from maintenance and delivery to manufacturing operations.” This business case is significant and can provide significant cost savings. The 5G rewards are great. ”

Vans said the test has already been completed to verify the normal operation of the autonomous vehicle. The budget will be allocated starting this month, and vehicles will be based on 5G by the end of the year. “If the results are good, the autonomous vehicle business case will work everywhere else,” Vans said.

Vans is well aware of the cybersecurity issues already occurring in the enterprise and the extent to which all these issues will amplify as the transition to 5G moves. Whirlpool worked with 5G partner AT & T to address the concerns. “I wrestle with security issues every day.” “Before we started, the first thing we talked with AT & T was how to build a secure network.”

The following are seven key areas that companies such as Whirlpool should consider when developing a 5G implementation plan for IoT.

1. 5G Network Traffic Encryption and Protection.

With 5G, the amount of traffic flowing through these networks increases dramatically with the number of intelligent devices connected to the network. According to Gartner, the number of enterprise and vehicle IoT devices will reach 5.8 billion, up 21 percent next year, from 4.8 billion, the expected number of IoT endpoints this year. For attackers, this means a much richer network of targets than it is today.

According to Vans, Whirlpool will configure the 5G antenna to encrypt all 5G traffic and accept only authorized traffic to address this issue. “When we add a device, we configure it as an acceptable device in 5G,” said Barnes. It does not receive traffic from devices that are not included in the whitelist. In addition, the traffic is encrypted, so don’t worry. “If someone picks up the signal, there is very little that can be done.”

Vans said that when traffic leaves the local network and is sent over public 5G or the Internet, the content is protected via a secure VPN tunnel, “we’ve done this in advance in case we need to communicate with the outside using 5G.”

2. Protect and Isolate Vulnerable Devices:

The next potential weakness is the device itself. Vans said, “There is a weak security awareness throughout the industry.” In particular, industrial equipment uses its own operating system and often does not have the ability to install patches, or patches are often prohibited under licenses. “It’s not designed with patches in mind,” Vans said.

Jonathan Tanner, senior security researcher at Barracuda Networks, said that the vast majority of IoT security mistakes haven’t been fixed, and some devices have problems that cannot be fixed by a firmware update, or that there is no mechanism to update the firmware. Even if device manufacturers add security to the next generation of devices, the older, unsafe devices will still be used.

Tanner disregards this and ignores security researchers who point out vulnerabilities. “There are cases where companies that make vulnerable devices go out of business. In this case, the vulnerable device is left untouched. ”

What should companies do with insecure IoT devices? Whirlpool’s Vans said using network isolation along with other network security technologies could help. Barnes said, “The whirlpool uses a two-tiered approach. The first layer is network security, which monitors all traffic, and the second layer is protocol-based security, looking for malicious activity embedded in the protocol through deep packet inspection. ”

In addition, general security hygiene applies, such as patching immediately above this layer, regular security audits for all devices, and inventorying all devices on the network.

3. Prepare for Larger DDoS attacks

In general, 5G is not less secure than previous generation wireless technologies. Kevin McNami, head of the Nokia Threat Intelligence Lab, said, “5G brings new security features that aren’t actually available in 4G or 3G. In 5G, the entire control plane is transferred to a Web services type of environment, which is strongly authenticated and very secure. “

This improvement is offset by increased opportunities for botnets,” McNami said. “In 5G, the bandwidth available to devices is significantly increased. As bandwidth increases, IoT bots will increase.” This bandwidth will of course increase. ”The

increased bandwidth can be used to find more vulnerable devices and spread the infection, increasing the number of vulnerable devices that the botnet can find. As Whirlpool says, companies use IoT devices a lot, as do other types of organizations, including government agencies, and

when 5G is deployed, they will be able to deploy the device in remote, difficult-to-maintain locations. Interest in the Oregon Wireless Internet Service Providers Union “A lot of sensors record everything from weather to air quality to video feeds,” says co-chairman Cameron Camp. “There’s a lot of new machines that are likely to be hacked and botnetized.” It will be difficult to find and respond to hacks. ”

IoT devices are also typically used for a long time. The user does not have to replace the device that performs the desired function well. Attackers prefer a stealthy approach in order not to draw attention. Even if a patch is released or a manufacturer releases a more secure version of the device, it’s useless if the customer doesn’t want to change it.

Many smart IoT devices, on the other hand, run a comprehensive operating system, such as embedded Linux, allowing them to behave almost like normal computers. It is therefore possible to use infected devices to host illegal content, malware, command control data and other useful systems and services for attackers. Users don’t consider these devices to be computers that need antivirus, patches, or updates. Many IoT devices do not keep logs for inbound and outbound traffic. It’s even harder to get rid of botnets because attackers can stay active without being caught.

Eventually, all three threats increase: the number of devices that can be exploited, the bandwidth available for botnet proliferation, and the bandwidth available for devices to launch DDoS attacks. Many devices are still unprotected and some cannot be patched at all, so in a 5G environment, companies must be prepared for a much larger DDoS attack than they are today.

4. Switching to IPv6 May Replace Private Internet Addresses with Public Addresses
As the number of devices increase and communication speeds improve, companies may want to use IPv6 instead of IPv4, which is now commonly used. IPv6, with longer IP addresses, has become an Internet standard since 2017.

The maximum number of available addresses for IPv4 addresses is 4.3 billion, which is not enough. Some registrars have faced address shortages since 2011 and organizations have begun their transition to IPv6 in 2012. But according to data from The Internet Society, less than 30 percent of current Google users access the Google platform via IPv6.

Nokia’s McNami said that many organizations, and nearly all home devices and many cell phone networks, use private IPv4 addresses instead of IPv6, “private IPv4 addresses are not exposed to the Internet, providing natural protection from attacks.”

As the world moves to 5G, carriers will have to switch to IPv6 to support billions of new devices. But if the carrier chooses a public IPv6 address rather than private, the device is exposed to the Internet. McNami said this isn’t an issue with IPv6 or 5G, but it could lead to a situation where companies that switch devices from IPv4 to IPv6 inadvertently leave them in the public address space.

5. Increased Attack Surface due to Edge Computing:

There is a growing interest in edge computing among customers or companies looking to reduce latency and improve performance for their distributed infrastructure. When 5G is deployed, the communication capabilities of endpoint devices are enhanced, further increasing the benefits of edge computing.

At the same time, edge computing also dramatically increases the potential attack surface. Companies that have not yet started their transition to zero-trust network architecture should look at this architecture before investing heavily in edge computing infrastructure. If you actually build a zero-trust network architecture, security should be treated as the most important consideration, not as a follow-up.

6. New IoT Companies Focus on Preoccupation, Not Security:

When the IoT gold rush begins, new players will enter the market and existing ones will launch new devices ahead of time. Barracuda’s Tanner says there are more IoT devices than security researchers already looking for vulnerabilities, and that new manufacturers will add new cycles of security mistakes.

Tanner notes that as the same mistake continues to occur, the number of vulnerabilities reported on IoT devices is not decreasing, but increasing. “There is not enough learning from events in other companies in the industry.”

“The company doesn’t care about security,” says Joe Coates, who focuses on corporate network intrusions, leading penetration testing at A-lign Compliance and Security. Earlier this year, I bought five devices related to the ability to turn the lights on and off, and I could access four of them outside the home. The test mode embedded in the device was released by the vendor without being removed. ”

Cortes said all companies want to enter the market first. Many companies use ready platforms such as embedded Linux to get devices to market as quickly as possible. Cortes said, “I recently got IoT malware that can bring a device down with seven lines of code.” Cortes said that manufacturers who do not tighten their devices are vulnerable.

For example, an attacker could use this malware to shut down a plant or critical infrastructure, or to hold a company’s system hostage and demand a ransom. “That’s not happening yet,” Cortes said. “5G is not widely deployed.” As 5G adoption increases and IoT increases, it is likely that exploitation of industrial systems, such as the manufacturing industry, will increase significantly. ”

7. Everyone is Responsible for IoT security:

The biggest obstacle to IoT security is psychological obstacles, not technology. Nobody wants to take responsibility. Everyone wants to pass on to someone else. The buyer accuses the vendor of not making the device secure. Vendors blame buyers for finding cheap, insecure products. Avoiding responsibility for IoT security in the 5G world leads to even greater wave lengths.

In a last year’s Radware survey, 34 percent of respondents said that the responsibility for IoT security rests with their device manufacturers, 11 percent with service providers, 21 percent with individual consumers, and 35 percent with business organizations. Mike O’Malley, vice president of strategy at Radware, said: “In other words, there is no consensus.” O’Malley also said that consumers have no knowledge or skills. Companies do not hire enough people. Manufacturers are so numerous and different that they are difficult to control.

Companies can hire service providers to take some of the responsibility off, but that doesn’t solve the problem of unprotected consumer devices, passive manufacturers in change, and the absence of consistent global regulations and enforcement.

Everyone should be responsible for IoT security. Buyers should ensure that their products do not use a default password or test mode, that communications are encrypted and authenticated, and that devices are regularly patched and updated. Vendors should stop selling unprotected devices and consider security at the start of the product design process, rather than adding features later.

Amram David

Senior Contributor at DFI Club
Amram is a technical analyst and partner at DFI Club Research, a high-tech research and advisory firm .He has over 10 years of technical and business experience with leading high-tech companies including Huawei,Nokia,Ericsson on ICT, Semiconductor, Microelectronics Systems and embedded systems.Amram focuses on the business critical points where new technologies drive innovations.
Amram David

Latest posts by Amram David (see all)