The world of Internet of Things (IoT) devices is both fanciful and ubiquitous, from routers and smart appliances popular at home to intelligent building systems and self-monitoring industrial assets that power business. While these connected devices deliver countless benefits, they also represent a major attack vector and data privacy nightmare. And in recent years, SolarWinds, Verkada and other large-scale cyberattacks have brought IoT software supply chain risks into sharper focus.
Hardcoded and Weak Credentials Invite IoT Exploits
Many IoT and operational technology (OT) devices use default credentials that are hardcoded (or embedded) by the manufacturer. This may seem shocking, but it’s also understandable: Digital transformation has brought thousands of IoT devices to the modern enterprise, making IoT credential management costly and complicated. Even when default credentials are changed, they’re often easy to crack due to poor practices like weak password selection, credential sharing or reuse and infrequent rotation. Attackers can use these credentials to access vulnerabilities within IoT system software and firmware (which are plentiful) and move deeper into company systems and supply chains.
Credentials for application access accounts — powerful privileged accounts that enable machine-to-machine interaction — are especially popular targets. By exploiting a vulnerability in an IoT device’s software, an adversary could use an application account to implant malicious software into a legitimate product that’s later deployed by thousands of organizations around the world. Or an attacker could use an organization’s own digital signature system to assert the safety and reliability of a vendor’s product, even after implanting malware in the victim application.
To minimize these risks, all IoT device credentials and secrets should always be secured and managed in a secure vault (never hardcoded), and access for every IoT device on the network should be consistently managed and audited.
IoT Firmware Updates are Few and Far Between
Many IoT deployments lack built-in secure software and firmware update capabilities. This makes it very difficult for security teams to patch vulnerabilities in a timely manner — especially at scale. Sometimes years or even decades go by without an update. This could leave anything from hotel door locks to life-saving medical equipment to critical utility infrastructure vulnerable to attacks.
Meanwhile, threat actors are finding new ways to hijack firmware updates when they are pushed. By weaponizing routine or fake patches with malicious code or surreptitiously changing application functionality to bypass security mechanisms, they work to scale their attacks by orders of magnitude.
Limited IoT Visibility Leads to Lots of Guesswork
Another big part of the IoT security issue stems from lack of visibility. Organizations struggle to even identify all the IoT and OT devices existing on their network — let alone patch and manage them effectively throughout the full lifecycle. Just 29% of IT security professionals say their organizations have a complete inventory of their IoT and OT devices, according to a recent Ponemon Institute study. Forty-one percent say their organizations primarily use manual processes to identify and correlate compromised IoT and OT devices to attacks.
Automation can lighten the load and provide much-needed clarity, for instance, by continuously scanning for new devices on the network. And by automatically changing default credentials, rotating passwords and updating device firmware, security teams can save valuable time while improving device protection and compliance with company policies.
Recent Steps Raise Public Awareness of IoT Risks in the Software Supply Chain
The ongoing spate of IoT-related incidents and supply chain attacks has prompted both government and industry to get serious about closing these gaps.
In October 2022, the Biden administration unveiled a plan to develop an IoT risk-rating and labeling system for common household devices — a cyber variation of the popular “EnergyStar” program that helps consumers make informed purchasing decisions. A few weeks later, U.S. government agencies released guidance for enterprise customers on procuring and deploying third-party software as part of a broader effort to strengthen resiliency across the digital ecosystem.
These recent steps build on the work of the National Institute of Standards and Technology (NIST) and private sectors to step up IoT regulations and scrutinize IoT software components against stricter cybersecurity standards — and are collectively driving change. For example, tighter restrictions have prompted aviation companies to seek ways to reliably inventory IoT fleets and keep interconnected avionics devices and sensors up to date. This industry is also focused on protecting IoT applications developed in-house from unauthorized access and tampering and enhancing processes to verify software and firmware release integrity.
There’s still much work ahead, as the same Ponemon Institute study shows. Within the past two years, 35% of organizations have experienced a cyber incident in which an IoT device was used to conduct a broader attack. IoT devices can be game-changing. But without a consistent approach for managing devices and their underlying systems, IoT can become a red zone for cybersecurity risk, and potentially trigger a destructive domino effect downstream.