98 percent of IoT traffic is unencrypted. When I read that statistic – published by Palo Alto Networks in their Unit 42 2020 Threat Report – I should have been shocked, says Mike Nelson, VP of IoT Security at DigiCert.
Last year, a Zscaler report said something similar: that 91% of IoT traffic was unencrypted. While it’s possible that those numbers are not truly representative of the real problem, one thing is for sure – far too much IoT traffic is unencrypted when absolutely all of it should be.
Unencrypted IoT traffic most obviously means that attackers can perform man-in-the-middle (MITM) attacks. By tapping into that unencrypted stream of data, attackers can get in between devices – or between a device and the larger network – and steal or alter the data.
The failures of IoT security are well documented. Connected devices are often speedily brought to market by manufacturers who make painfully obvious, but mostly easily preventable, security mistakes in the design process. They are then eagerly bought up by enterprises that often don’t take those faults into account, and deployed into otherwise secure networks. From there, attackers discover them via a simple Shodan search and find an easy breach point into an enterprise.
And yet – whatever the state of its security – the IoT is growing voraciously. McKinsey estimates that there will be 43 billion IoT devices connected to the internet by 2023. If current trends continue – and 98 percent of IoT traffic is left unencrypted – it will be a feeding frenzy for cyber-criminals.
Often, when people think of an IoT hack, they think of a vulnerable doll or doorbell: attacks that leverage the functionality of a device, interesting but ultimately gimmicky. The real threats are far less colourful. Enterprise IoT deployments are often made up of hundreds if not thousands of individual devices; if only one of those devices were left exposed, it could provide an easy breach point into an otherwise secure network.
One can see just such an example in a now infamous IoT breach in Las Vegas. In 2017, hackers used a fish tank to carry out a casino heist. The fish tank in question was connected to the internet via a sensor which allowed its operators to control the tank remotely. However, not long after it was installed, security staff noticed the fish tank sending data to a remote server in Finland. Further investigation revealed a massive breach: hackers had used that fish tank to exfiltrate 10 gigabytes of data from the casino’s database of high rollers.
The hack revealed three pressing points. Firstly, the stolen information was unencrypted on the casino’s system and available for attackers to merely pick up. Secondly, the casino had insufficient access and authentication checks to stop attackers getting from that IoT device to some of the most sensitive information it held. Finally, the fish tank was connected to the casino’s broader network, so by exploiting the weaknesses of that product the attackers could connect to and steal a hoard of sensitive data.
The consequences of such attacks can vary from financial or customer data leakage to attacks on critical infrastructure. Think of the damage from large scale power grid outages, internet blackouts, the shutdown of nationwide health systems and access to critical care. The list goes on.
Getting to 100% encryption
IoT or no IoT, all confidential data has to be encrypted. All of it: anything above 0 percent left unencrypted is unacceptable. You might be able to make small allowances for mistakes here and there, but any data that is not encrypted is susceptible to compromise.
Which is not to say it doesn’t come with its own challenges. The nature of modern data is that it is constantly moving – from hub to gateway, gateway to cloud and further onwards. That makes things more complex as data has to be encrypted both at rest and in flight.
That’s especially true with enterprise IoT networks, which are commonly constructed of a series of different endpoints, sensors and devices constantly sending data back and forth between its different parts. One crack in that network can let an attacker in, making it not only a particularly sensitive area, but one that’s particularly critical to fix.
Public key infrastructure (PKI) with digital certificates is starting to solve that problem. Because PKI can provide mutual authentication between the various nodes of a large network and encrypt the data flowing through it, at the enormous scale the IoT demands, enterprises are beginning to seize on it as a way to secure their large IoT deployments.
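To make the mutual-authentication point concrete, here is an added example in Go (not part of Mike Nelson’s piece and not DigiCert code): an enterprise CA issues certificates to a gateway and a sensor, the gateway accepts only devices whose certificate chains to that CA and learns the device identity from the verified certificate, and an imposter presenting the same device name under an untrusted CA is refused. The CA, gateway and sensor names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues an Ed25519 certificate for cn signed by parent; parent == nil yields a self-signed root CA.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv} // a root signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// deviceSeenAs runs a loopback HTTPS gateway that requires a client certificate chaining to ca (mutual TLS) and returns the identity it verified for a device presenting dev, or "" when the device is refused.
func deviceSeenAs(ca, gw, dev tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	whoami := func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, r.TLS.PeerCertificates[0].Subject.CommonName) }
	srv := httptest.NewUnstartedServer(http.HandlerFunc(whoami)) // the handler runs only after the device cert verified
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{gw}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{Certificates: []tls.Certificate{dev},
		RootCAs: pool, ServerName: "gateway", MinVersion: tls.VersionTLS12}}} // the device trusts only ca
	resp, err := client.Get(srv.URL)
	if err != nil { // an untrusted device certificate fails here, as a handshake alert or a closed connection
		return ""
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}
```

Both sides verify the other against the same enterprise CA, so an eavesdropper on the link sees only ciphertext and a device that cannot present a CA-issued certificate never reaches the gateway’s application code.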
Though the industry is making progress, and leading companies, practitioners and regulators are taking steps to work together and improve the security posture of these devices, we still have a long way to go. We need more manufacturers to prioritise security and implement best practices – encryption, authentication and integrity, to name a few – and the implementation cannot be incremental. That won’t be good enough.
Encryption at scale is what enterprises need to secure IoT traffic. Leading manufacturers are taking notice and implementing PKI. Let’s hope the rest catch up. And soon.
The author is Mike Nelson, VP of IoT Security at DigiCert.
About the author
Mike Nelson is the VP of IoT Security at DigiCert, a provider of digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations.
Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.
Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.