What many fail to understand is that the safety of an IoT device depends heavily on how the user operates it, says SecurityHQ’s Eleanor Barlow

Cyber Security Company, SecurityHQ, have reported that issues with IoT devices have risen across the globe throughout 2021 and continue to grow. The prime challenge with IoT devices is the lack of employee awareness of the risks associated with them, a lack of education/training available to highlight said risks, and an assumption from the buyer (both in business and in personal use) that anything purchased and installed will have gone through all the necessary security processes, no questions asked.

Wilful blindness surrounding device control in the workplace

Whether it’s because it’s easier to not think about the issues or to believe that it’s someone else’s responsibility, people tend to want to think that because an item looks secure and is bought from a reputable source, that they do not need to worry about the security of their IoT devices.

But what many fail to understand is that the safety of an IoT device depends heavily on how the user operates it. The configurations, the settings, and the actions of the buyer and their surroundings will have a considerable impact on the security level of that device.

Many users buy security cameras that connect to multiple entry points in their organisation via Bluetooth or an app and think that they have all the right security in place. However, if they connect this device via an unsecure network, does not update passwords or does not keep personal devices that connect to said camera secure, then issues with security can be severe. A camera has access to your company network, your visual, your audio, knows your employee schedule, when the workplace is empty – for a potential malicious attacker, this device becomes an alert system of activities.

In fact, 47% of the most vulnerable devices are security cameras installed on company networks, followed by smart hubs (15%), and network-attached storage devices (12%), according to the GDPR PrivSec Report.

Eleanor Barlow, SecurityHQ

Security cameras hacked

According to ItPro, “at least 83 million Internet of Things (IoT) devices around the world could be at risk of hacking, potentially enabling threat actors to listen in on private conversations and watch live video streams from baby monitors and smart cameras.”

Remote code execution is common with such devices. Such an attack can make the data within the device visible to the attacker, give control of the device to the attacker and release confidential and private material.

Weak company network DDoS disruption

Distributed Denial-of-Service (DDoS) attacks are primarily aimed at IoT devices, with the intention to infiltrate a weak network, target the user, and stop or control the systems/devices. Such an attack is hard to contain and can amount in anything from acquiring personal data to sell online, direct blackmail or used as the base to infiltrate further devices.

Next steps for enhanced protection

For business IoT devices:

1. Only use IoT when necessary. The fewer devices, the fewer items that are hackable. Use IoT devices when it is crucial to do so, and know that, even with the right security measures in place, devices can still be infiltrated. Mitigate the damage by reducing the obtainable material and give access to those only on a need-to-know basis.
2. MDR. Ensure you have Managed Detection & Response (MDR) set up, for complete visibility of your digital world. Visualise and understand malicious or anomalous activity. Analyse, prioritise, and respond to threats in rapid time. Safeguard your data, people, and processes.

For personal IoT devices:

1. Secure devices. ‘Portable devices contain sensitive and private information. Information that needs to be safeguarded to protect the safety and security of organisations, clients, and employees. Which is why, on top of standard security measures, it is important to secure all devices such as mobile phones and laptops, both commercial and private, to maintain security protocols and reduce the attack surface’.
2. Update passwords and WiFi settings. Change the default password (it might be publicly known) for the administrator account that allows access to device configuration, to a strong password that follows security protocols. Similarly, change the default password and username for Wi-Fi network. Remember that your Wi-Fi username is often publicly visible, so avoid using personal details.
3. Configure settings. Often, default device privacy and browser settings are not configured to the user’s advantage. To make devices more secure, customise advanced device privacy and browser settings. Block auto cookie and location tracking. Disable auto-download and auto-run of Flash.

Report any suspicious activity

If you notice anything suspicious, report a cyber security incident instantly, so that immediate action can be taken to mitigate the cyber threat. Reach out to our forensics team for 24/7 support.