Why do you need to worry about IoT security? Your office is full of computers you never think about, and that’s a problem.
Yes, IoT security is a real thing. Last month, a county clerk in central Kentucky called our office with a problem. Her building’s HVAC system had been acting up for weeks, cycling on and off at odd hours, running the electric bill through the roof. The HVAC vendor eventually found the issue: someone overseas had gained access to the thermostat’s web interface and was using it as a foothold to probe the rest of the county’s network. The thermostat was connected to the internet. Nobody remembered putting it there.
That thermostat is what the industry calls an IoT device, short for “Internet of Things,” and IoT security is the practice of protecting such devices. The phrase sounds abstract, but the reality is concrete. An IoT device is any physical object that connects to the internet to send or receive data. If it has a Wi-Fi radio, a Bluetooth chip, or an Ethernet port, and it is not a traditional computer, phone, or tablet, it is probably IoT.
They Are Everywhere, and Multiplying
Most people can name the obvious ones. Security cameras. Smart speakers. Doorbell cameras. The Keurig in the break room that connects to an app. The printer in the hallway. Those are IoT devices, and most offices have at least a handful.
But the list goes deeper than most people realize. Here are some devices that connect to the internet in ways their owners rarely think about:
Building systems. Thermostats, HVAC controllers, smart lighting panels, electronic door locks, and elevator monitoring systems. Many of these were installed by contractors who set up remote access for maintenance and never mentioned it to anyone on staff.
Medical and safety equipment. Connected fire alarm panels, emergency notification systems, and, in healthcare settings, patient monitors and infusion pumps. A small clinic in eastern Kentucky may have a dozen networked medical devices and no IT staff to manage them.
Vehicles and fleet tools. GPS trackers on county vehicles, electronic logging devices on trucks, and even connected tire pressure monitors. If your organization manages a fleet, those vehicles are reporting data to a vendor portal or back-office system that your staff log into, whether you planned for it or not.
Office equipment people overlook. Conference room displays, digital signage, postage meters, badge readers, and VoIP phone handsets. Each one has firmware, a network connection, and, in many cases, a default password that has never been changed.
At home, the list is just as long. Baby monitors, smart plugs, robot vacuums, garage door openers, refrigerators, and irrigation controllers all connect to your home network. Your teenager’s gaming console counts. So does the smart TV in the living room.
By most estimates, there are more than 15 billion IoT devices in use worldwide, and that number is expected to double over the next five years. The sheer volume matters because every connected device is a door. And doors that nobody watches tend to be the ones that get opened.
What Can Go Wrong
IoT security risks are not theoretical. They have already played out in public, sometimes in spectacular fashion.
In 2016, a piece of malware called Mirai infected hundreds of thousands of IoT devices, mostly IP cameras, digital video recorders, and home routers, by logging in over Telnet with a short list of factory-default usernames and passwords. The infected devices were organized into a botnet that launched a massive denial-of-service attack against Dyn, a company that provides DNS service for a large share of the internet. Because Dyn could not answer name lookups, Twitter, Netflix, Reddit, and dozens of other sites were unreachable for much of a day. The entry point was not a server farm. It was ordinary devices in ordinary homes and offices, none of whose owners knew anything had happened.
In a case reported by the security firm Darktrace and widely repeated in the press in 2018, attackers breached a North American casino’s network through an internet-connected thermometer in a lobby fish tank. The thermometer was on the same network as the casino’s internal systems. The attackers used it as a foothold, moved laterally, and exfiltrated data out of the building. A fish tank.
These are large-scale examples, but the principle applies at every level. A compromised security camera at a small business can give an attacker a view of the interior, the Wi-Fi password posted on a sticky note, and a path to the point-of-sale system. A hacked smart speaker in a nonprofit director’s office can record board meeting conversations. A compromised badge reader can reveal exactly when the building is empty.
The pattern is consistent: attackers look for the device nobody is watching, because that is the device nobody has patched, nobody has updated, and nobody has changed the password on since the day it was installed.
Three Things You Can Do This Week
You do not need a six-figure security budget to improve your IoT security. You need to do three things, and you can start today.
First, find out what is on your network. You cannot protect what you do not know about. Ask your IT support, your managed service provider, or a knowledgeable staff member to run a network scan and produce a list of every connected device. Include the ones the HVAC vendor installed, the ones the security company put in, and the ones someone brought from home and plugged into a spare Ethernet port. Write them all down. This is your inventory, and it is the foundation of everything else.
Second, change all default passwords and update all firmware. Default passwords are published on the internet, and anybody can look them up. If a device still has the username “admin” and the password “admin,” it is not secured at all. While you are at it, check for firmware updates. Manufacturers issue patches for known vulnerabilities, but IoT devices rarely update automatically. Someone has to do it. Make that someone a named person with a recurring calendar reminder. And for any device a contractor installed, ask whether the remote access they set up for maintenance is still needed; if it is not, have it turned off.
Third, put IoT devices on their own network segment. This is called network segmentation. In practice it means a separate VLAN or guest network for your security cameras, thermostats, and smart displays, with firewall rules that let those devices reach the internet (and the vendor services they need) but block them from reaching the network your computers and financial systems use. If an attacker compromises a camera, segmentation keeps them from reaching your payroll data. Most modern routers and firewalls support this. If yours does not, it may be time for an upgrade. Your IT provider can set this up in an afternoon.
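As an added example (not the article’s own or Commonwealth Sentinel’s tooling), the script below turns the first and third steps into something you can check: it parses the output of `ip neigh show` from a Linux machine on the office LAN into a device inventory, labels each MAC address with its vendor, and flags recognised IoT devices that are not sitting in the IoT network segment. The sample neighbour-table lines, the three-entry OUI table, the list of “IoT vendors” and the 10.10.50.0/24 IoT VLAN are constructed assumptions for illustration; a real run would load the IEEE OUI list and your own subnets.

```python
"""Build a first-pass device inventory from a Linux neighbour table.

Added example for this article, not Commonwealth Sentinel's tooling. It
assumes you have run `ip neigh show` on a machine attached to the office
LAN and saved the output; constructed lines stand in for that output here.
The OUI table, the IoT vendor list and the IoT VLAN range are assumptions.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of `ip neigh show` output (not captured from a real site).
SAMPLE_NEIGH = """\
10.10.1.10 dev br0 lladdr 00:1a:a0:12:34:56 REACHABLE
10.10.1.42 dev br0 lladdr 00:17:88:ab:cd:ef STALE
10.10.1.77 dev br0 lladdr b8:27:eb:01:02:03 REACHABLE
10.10.1.200 dev br0 lladdr 3c:52:82:aa:bb:cc REACHABLE
10.10.1.99 dev br0  FAILED
10.10.50.5 dev br0.50 lladdr 00:17:88:99:88:77 REACHABLE
fe80::1 dev br0 lladdr 00:1a:a0:12:34:56 router REACHABLE
"""

# Assumed OUI -> vendor table for illustration only; the real list is
# published by the IEEE and has tens of thousands of entries.
OUI_TABLE = {
    "00:1a:a0": "Dell",
    "00:17:88": "Philips Lighting",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Vendors whose products we treat as IoT for this exercise (assumption).
IOT_VENDORS = {"Philips Lighting", "Raspberry Pi Foundation"}

# Assumed segmentation plan: IoT devices belong on VLAN 50.
IOT_SEGMENT = ipaddress.ip_network("10.10.50.0/24")

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_neigh(text):
    """Yield (ip, dev, mac) for IPv4 entries that resolved to a MAC.

    Lines without `lladdr` (state FAILED/INCOMPLETE) are skipped because no
    device answered. IPv6 link-local entries are skipped so each device is
    listed once, by its IPv4 address.
    """
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if ip.version != 4:
            continue
        yield str(ip), m["dev"], m["mac"].lower()


def vendor_for(mac, oui_table=OUI_TABLE):
    """Map the first three octets of a MAC to a vendor name, or 'unknown'."""
    return oui_table.get(mac.lower()[:8], "unknown")


def build_inventory(text, oui_table=OUI_TABLE, iot_vendors=IOT_VENDORS,
                    iot_segment=IOT_SEGMENT):
    """Return one record per device with two review flags.

    `unknown_vendor` marks devices someone must identify by hand;
    `misplaced` marks recognised IoT devices outside the IoT segment, i.e.
    sharing a network with the workstations and finance systems.
    """
    records = []
    for ip, dev, mac in parse_neigh(text):
        vendor = vendor_for(mac, oui_table)
        in_iot_segment = ipaddress.ip_address(ip) in iot_segment
        records.append({
            "ip": ip,
            "interface": dev,
            "mac": mac,
            "vendor": vendor,
            "unknown_vendor": vendor == "unknown",
            "misplaced": vendor in iot_vendors and not in_iot_segment,
        })
    return records


def to_csv(records):
    """Render the inventory as CSV text for the shared spreadsheet."""
    buf = io.StringIO()
    fields = ["ip", "interface", "mac", "vendor", "unknown_vendor", "misplaced"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_NEIGH)
    print(to_csv(inventory))
    for rec in inventory:
        if rec["misplaced"]:
            print(f"REVIEW: {rec['vendor']} device at {rec['ip']} "
                  f"is not on {IOT_SEGMENT}")
```

The CSV is the inventory from step one; the `misplaced` column is the worklist for step three, and `unknown_vendor` rows are the ones to walk the building for. Run it again after the VLAN move and the flags should clear.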
What Stays the Same
The Internet of Things is not coming. It is already here, in your office, in your courthouse, in your clinic, and in your home. The convenience is real. So is the risk. The organizations that stay safe will not be the ones with the biggest budgets. They will be the ones who took IoT security seriously and made the time to count their devices, change their passwords, and separate their networks.
That thermostat in the county clerk’s building is working fine now. But only because someone finally asked the right question: what else is connected that we do not know about?
If you are not sure what is on your network, that is a good place to start. Commonwealth Sentinel offers free initial consultations for local governments, small businesses, and nonprofits across the Commonwealth. No pitch, no pressure. Just a conversation about what you have and what you can do to protect it.
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things!
