Protecting Your IoT Devices

Published on 05 Jun 2024

Internet of Things (IoT) devices are transforming the way we live and interact with the world around us. These smart devices, embedded with sensors, software, and Wi-Fi connectivity, collect and exchange data over the Internet. From smart thermostats and wearable fitness trackers to internet cameras and industrial sensors, IoT devices are revolutionising our daily lives and the way businesses operate through their ability to monitor and optimise processes. Essentially, IoT devices offer convenience, efficiency, and valuable assets to individuals and organisations.

However, the proliferation of IoT devices also makes them convenient and attractive targets for threat actors. To perform their intended functions, IoT devices tend to collect significant amounts of data about their users and their environment, including personally identifiable, commercially confidential and/or sensitive data. As such, it is crucial to secure IoT devices to safeguard the sensitive data they retain or collect, maintain personal privacy, and prevent compromise. This advisory aims to highlight common vulnerabilities associated with IoT devices and provide recommended measures to enhance their security.

Common IoT Vulnerabilities

  • Default and Weak Passwords
Many IoT devices come with default or weak credentials, making them vulnerable to unauthorised access. Threat actors can exploit this weakness to gain control over the devices and potentially move laterally to other devices connected to the network.

  • Insecure Network Services
Insecure network services leave IoT communications susceptible to interception and tampering. Without proper encryption, sensitive data transmitted between devices and servers can be compromised and easily accessible to threat actors eavesdropping on such communications.

  • Insecure Interfaces
Many IoT devices feature web interfaces or mobile applications for user interaction. Poorly designed interfaces may lack basic security measures, such as input validation and access controls, enabling attackers to exploit common vulnerabilities and gain unauthorised access.

  • Outdated Firmware and Software
Manufacturers often release firmware and software updates to address security vulnerabilities and enhance device functionality. However, IoT devices frequently remain unpatched due to the lack of automated update features or neglect from users, leaving them vulnerable to known exploits. Additionally, some devices may lack the ability to securely validate an update.

  • Insecure Data Protection
Personal information could be stored insecurely on devices, without proper access controls. Additionally, a lack of encryption of this sensitive data can result in unauthorised access to the data at rest, in transit or during processing.

  • Inadequate Physical Security
Physical access to IoT devices can pose significant risks, allowing attackers to manipulate hardware components, extract sensitive information, or install malicious firmware. For example, IoT devices such as sensors and security cameras may be installed in public spaces for operational purposes, making them vulnerable to physical access. If these devices are not tamper-resistant, or lack proper physical safeguards, the likelihood of successful physical attacks increases.


How Do I Protect My IoT Devices?

Users and administrators are advised to consider the following measures to secure their IoT devices.

  • Use Strong Passphrases and Multi-Factor Authentication (MFA)
Weak or default credentials are common weaknesses that attackers try to exploit in IoT devices. Default usernames and passwords are often posted online, leaving your devices vulnerable. Default credentials should be avoided, and strong passphrases should be used throughout the system. Minimally, passphrases should consist of 12 or more characters comprising a combination of upper-case and lower-case letters, numbers and/or special characters. MFA should also be enabled, whenever possible, to add an additional layer of protection on top of passphrases.

  • Update Firmware and Software Regularly
Some devices apply updates automatically. For those that do not, regularly check with the manufacturer and install updates when they become available. Enable automatic updates if available in the device settings. When your device has reached end-of-life (EOL), additional updates will no longer be released for your device. Devices that don’t have access to security updates will not be protected if new vulnerabilities are discovered, and these devices may become a risk to your network, privacy and personal data. Hence, do consider upgrading to a newer device to receive continued support from the manufacturer.

  • Assess Device Operations
Assess if the devices need to be connected to the Internet. Devices that are not connected to the Internet are much less likely to be compromised. Hence, if you’re not going to use the features that require internet connectivity, do consider keeping your device disconnected from the Internet. If your device has unwanted or unnecessary features (such as cameras or microphones), they should be disabled where possible.

  • Buy Products from Reputable Manufacturers
Well-known reputable manufacturers are more likely to produce devices that are secure, while considering industry standards and best practices for IoT. Additionally, you can assess a manufacturer's track record of how and how quickly they address security vulnerabilities. A quick and transparent disclosure of the vulnerability and its mitigating measures instills confidence that the manufacturer would patch the devices should a new vulnerability arise. CSA has also launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of our efforts to improve IoT security. Find out more here: https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme

  • Implement Physical Access Control Measures
Implement strong control measures for physical access to your IoT devices. Restrict the access to only authorised users to help reduce the risk of physical compromise. Additionally, ensure that physical connectivity options such as ethernet and USB ports are not exposed to the general public. You may also wish to create an IoT asset management checklist to track the ownership and status of each device when used.
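The measures above, together with the asset management checklist suggested in the last item, can be applied mechanically to a device inventory. The following is an added example, not part of the original advisory or any CSA tool; the field names, finding messages and sample inventory are hypothetical, and the passphrase check is one reading of the 12-character minimum stated above.

```python
import string
from dataclasses import dataclass
from datetime import date
from typing import Optional

def passphrase_ok(p: str) -> bool:
    # One reading of the advisory's minimum: 12+ characters, upper- and
    # lower-case letters, plus at least one digit and/or special character.
    return (len(p) >= 12 and any(c.isupper() for c in p)
            and any(c.islower() for c in p)
            and any(c.isdigit() or c in string.punctuation for c in p))

@dataclass
class Device:  # hypothetical checklist columns; defaults describe a compliant device
    name: str
    owner: str
    default_credentials: bool = False  # factory username/password still set
    strong_passphrase: bool = True     # passphrase_ok() result when it was set
    mfa_enabled: bool = True
    auto_update: bool = True
    eol: Optional[date] = None         # manufacturer's end-of-life date, if announced
    needs_internet: bool = True
    internet_connected: bool = True
    ports_exposed: bool = False        # ethernet/USB reachable by the public

def audit(d: Device, today: date) -> list:
    # Each entry pairs a failed condition with the advisory measure it violates.
    checks = [
        (d.default_credentials, "default credentials in use"),
        (not d.default_credentials and not d.strong_passphrase, "passphrase below minimum"),
        (not d.mfa_enabled, "MFA not enabled (enable if supported)"),
        (not d.auto_update, "no automatic updates: check manufacturer manually"),
        (d.eol is not None and d.eol <= today, "end-of-life: consider upgrading"),
        (d.internet_connected and not d.needs_internet, "connected to the Internet without need"),
        (d.ports_exposed, "physical ports exposed"),
    ]
    return [message for failed, message in checks if failed]

INVENTORY = [  # constructed sample data
    Device("lobby-camera", "facilities", default_credentials=True, mfa_enabled=False,
           auto_update=False, eol=date(2023, 12, 31), ports_exposed=True),
    Device("thermostat", "home", strong_passphrase=passphrase_ok("Quiet-Harbour-2024")),
]

def report(today: date) -> dict:
    return {d.name: audit(d, today) for d in INVENTORY}

if __name__ == "__main__":
    for name, findings in report(date(2024, 6, 5)).items():
        print(name, "->", findings or "OK")
```

Record only whether a passphrase met the policy when it was set; the passphrase itself does not belong in the inventory.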


What To Do If My IoT Devices Are Compromised?
Given their widespread use and potential to act as a gateway to the rest of the network, IoT systems are prime targets for cyber attacks. Therefore, it is also important to know how to recover from an attack to mitigate the impact of the damage. The following are steps you can take to recover from an attack on your IoT devices:

  • Disconnect the Device from the Internet
Physically disconnect the device from the Internet and disassociate the device from other mobile phones and devices. Disconnecting the device from the Internet would ensure any remote attackers do not have access to the vulnerable device and prevent further advances from the threat actor.

  • Change Credentials and/or Perform a Factory Reset
Changing the credentials is important to ensure threat actors who leverage known credentials would not be able to use them again in future attacks. Where possible, a factory reset should be done to the compromised device. A factory reset is designed to erase data kept in local storage and reset passwords, usernames and settings back to default. Check the device’s user manual or the manufacturer’s website for information on how to perform a factory reset. Additionally, enable MFA to add an additional layer of protection against IoT password-related attacks.

  • Contact Manufacturer for Assistance
You may want to contact the manufacturer to seek clarification for any mitigation measures that can be applied to any known or newly discovered vulnerabilities. If your device has reached EOL and was compromised through a vulnerability, you may wish to consider upgrading to a newer device or seek assistance from the manufacturer to get your device replaced.

If the problem persists, contacting the manufacturer would be an alternative option to find out if there are any known vulnerabilities and the mitigation measures that can be used in the meantime. If it is a hardware vulnerability and a newer version of the device is available, consider requesting a device replacement.


Conclusion

Securing IoT devices is a multifaceted process that requires proactive measures to mitigate potential risks effectively. By addressing common vulnerabilities and implementing robust security controls, organisations and individuals can enhance the resilience of their IoT deployments and protect themselves against evolving cyber threats. Should an IoT attack occur, knowing the available avenues to recover from it is also important in protecting against future attacks.