Bolster physical defenses with IoT hardware security

Hardware vulnerabilities, security concerns

Connected devices have specific vulnerabilities that enterprise leaders must address as they build out their IoT ecosystems.

IoT hardware is often more physically accessible than traditional pieces of computer equipment. That means sensors and edge devices, such as gateways, can be displaced or damaged -- either accidentally or intentionally -- through physical actions.

"With IoT in general, these devices aren't going to be locked up. It's not like a data center device behind armed guards. To be useful, they'll be in substations and retail and farms. They'll be in places you have access to it," Nelson said.

IT admins can't forget the security implications that stem from the devices themselves.

These endpoint devices have limited computational and power resources by design, meaning they don't support advanced security features.

"Sensors don't have a lot of horsepower or complexity; they're a simple embedded chip on a board, and you're not going to get a whole lot of functionality on that hardware," Nelson said.

Moreover, some device manufacturers don't require users to change the factory default logins and passwords to start them up. Devices often have insecure interfaces with other parts of the IoT ecosystem. They generally can't -- or can't easily -- be updated to address vulnerabilities. Users, for example, can't easily swap out chips on dozens, if not hundreds or thousands, of deployed sensors if a vulnerability is discovered.

"We absolutely see significant vulnerabilities on the devices themselves," said Christine Livingston, IoT managing director at consulting firm Protiviti. "As has been said many times before, an environment is only as secure as the weakest link, and IoT devices provide a very significant attack vector."

If exploited, hackers could take advantage of the vulnerabilities to tamper with the hardware's functionality and firmware, the class of software that instructs devices and tells them what to do with significant implications.

"These embedded IoT devices are [frequently] connected to crucial equipment. And, if [a hacker] can interact with a device in a way that can cause physical harm, that represents the most egregious of risks. Additionally, the firmware can be another threat factor; it could be a backdoor, expose information about updates or expose credentials stored on the device that the hacker can then use to pivot into the back-end infrastructure," said Caleb Davis, manager in Protiviti's IoT practice.