Why 98% of IoT traffic is unencrypted

98 percent of IoT traffic is unencrypted. When I read that statistic, published by Palo Alto Networks in their Unit 42 2020 Threat Report, I should have been shocked, says Mike Nelson, VP of IoT Security at DigiCert.

Last year, a Zscaler report said something similar: that 91% of IoT traffic was unencrypted. While it’s possible that those numbers are not truly representative of the real problem, one thing is certain: far too much IoT traffic is unencrypted, when absolutely all of it should be.

Unencrypted IoT traffic most obviously means that attackers can perform man-in-the-middle (MITM) attacks. By tapping into that unencrypted stream of data, attackers can get in between devices, or between a device and the larger network, and steal or alter the data.

The failures of IoT security are well documented. Connected devices are often rushed to market by manufacturers who make painfully obvious, but mostly easily preventable, security mistakes in the design process. They are then eagerly bought up by enterprises which often don’t take those faults into account and deploy them into otherwise secure networks. From there, attackers discover them via a simple Shodan search and find an easy breach point into an enterprise.

And yet – whatever the state of its security – the IoT is growing voraciously. McKinsey estimates that there will be 43 billion IoT devices connected to the internet by 2023. If current trends continue – and 98 percent of IoT traffic is left unencrypted – it will be a feeding frenzy for cyber-criminals.

Often, when people think of an IoT hack, they think of a vulnerable doll or doorbell: attacks which leverage the functionality of a device, interesting but ultimately gimmicky. The real threats are far less colourful. Enterprise IoT deployments are often made up of hundreds if not thousands of individual devices; if only one of those devices were left exposed, it could provide an easy breach point into an otherwise secure network.

One can see just such an example in a now infamous IoT breach in Las Vegas. In 2017, hackers used a fish tank to carry out a casino heist. The fish tank in question was connected to the internet via a sensor which allowed its operators to remotely operate and control the tank. However, not long after it was installed, security staff noticed the fish tank sending data to a remote server in Finland. Further investigation revealed a massive breach: hackers had used that fish tank to exfiltrate 10 gigabytes of data from the casino’s database of high rollers.

The hack revealed three pressing points. Firstly, the stolen information was unencrypted on the casino’s system and available for attackers to simply pick up. Secondly, the casino had insufficient access and authentication checks to stop attackers getting from that IoT device to some of the most sensitive information it held. Finally, that fish tank was connected to the casino’s broader network, and by exploiting the weaknesses of that product, the attackers could connect to and steal a hoard of sensitive data.

The consequences of such attacks can vary from financial or customer data leakage to attacks on critical infrastructure. Think of the damage from large scale power grid outages, internet blackouts, the shutdown of nationwide health systems and access to critical care. The list goes on.

Getting to 100% encryption

IoT or no IoT, all confidential data has to be encrypted. All of it: anything above 0 percent is unacceptable. You might be able to make small allowances for mistakes here and there, but any data that is not encrypted is susceptible to compromise.

That is not to say it doesn’t come with its own challenges. The nature of modern data is that it is constantly moving, from hub to gateway, gateway to cloud and further onwards. That makes things more complex, as data has to be encrypted both at rest and in transit.

That’s especially true of enterprise IoT networks, which are commonly constructed from a series of different endpoints, sensors and devices constantly sending data back and forth between their different parts. One crack in that network can let an attacker in, making it not only a particularly sensitive area, but one that’s particularly critical to fix.

Public key infrastructure (PKI) with digital certificates is starting to solve that problem. Because PKI can provide mutual authentication between the various nodes of large networks and encrypt the data flowing through them, at a scale suited to the IoT, enterprises are beginning to seize on it as a way to secure their large IoT deployments.
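As an added illustration of the mutual authentication described above (example code, not from the article or from DigiCert), the Go program below stands up a minimal fleet PKI: one fleet CA issues a certificate to a gateway and to a sensor, the gateway admits only devices whose certificate chains to that CA, and the device only talks to a gateway the same CA vouches for. The names fleet-ca, gateway and sensor-0042 are hypothetical, and the listener runs on loopback purely so both sides fit in one process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name signed by parent, or the self-signed fleet CA when parent is nil (all names are hypothetical).
func issue(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root of the fleet's trust: it signs itself and, later, every gate way and device certificate
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake plays a fleet gateway and one device (omit dev for an anonymous device); true means each side verified the other's fleet-issued certificate.
func Handshake(ca, gw tls.Certificate, dev ...tls.Certificate) bool {
	pool := x509.NewCertPool() // the fleet CA is the single trust anchor on both sides
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{gw}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert})
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // device side: trusts only a gateway the fleet CA vouches for, and presents dev if it has one
		if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: dev, ServerName: gw.Leaf.Subject.CommonName}); err == nil {
			conn.Close()
		}
	}()
	c, _ := ln.Accept() // the device above has already connected, so Accept returns immediately
	defer c.Close()
	return c.(*tls.Conn).Handshake() == nil // fails unless the device proved possession of a key the fleet CA certified
}
func main() {
	ca := issue("fleet-ca", nil)
	gw, sensor := issue("gateway", &ca), issue("sensor-0042", &ca)
	fmt.Println("enrolled sensor:", Handshake(ca, gw, sensor), "anonymous device:", Handshake(ca, gw))
}
```

Because the gateway's handshake result is what the function returns, a device without a certificate, a device holding a certificate from some other CA, and a gateway the device cannot verify all come back as false, while the enrolled sensor comes back as true.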

Though the industry is making progress, and leading companies, practitioners and regulators are taking steps to work together and improve the security posture of these devices – we still have a long way to go. We need more manufacturers to prioritise security and implement best practices – encryption, authentication and integrity to name a few – and the implementation cannot be incremental. That won’t be good enough.

Encryption at scale is what enterprises need to secure IoT traffic. Leading manufacturers are taking notice and implementing PKI. Let’s hope the rest catch up. And soon.

Mike Nelson


About the author

Mike Nelson is the VP of IoT Security at DigiCert, a provider in digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations.

Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.

Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.
