
Why cybercrime is an increasing threat to the IoT


Experts say 2021 was the year of ransomware, but things changed in 2022 as criminals realized an estimated 17 billion IoT devices represented an easier target. While IT hardware and software security has dramatically improved, the IoT has lagged.

Many IoT products are not adequately secured and, as such, represent vulnerable entry points for attacks on critical infrastructure. Alternatively, the IoT device itself can be the specific target because of the data it hosts – for example, video from security cameras and patient information from medical wearables.

There is a steady stream of news items about cyberattacks affecting everyday businesses and well-known brands. These can result in financial losses, privacy breaches, or individuals being blocked from accessing critical services. But now key infrastructure is also proving a major target, posing a danger to health, energy, food, water, and communications.

IoT as a growing attack surface for cybercrime

This is a problem that’s not going away. Inexpensive wireless components are proving a boon to connectivity. The price of turning a dumb device into a smart device can be as low as 10 cents, says security expert Mikko Hyppönen. That’s encouraging vendors to add wireless connectivity to many devices, even if the benefits might be minor. And Hyppönen explains that whenever an appliance is connected, that also makes it vulnerable.

According to analyst firm IDC, there will be almost 42 billion IoT devices by 2025. The vulnerable products among that network will contribute to a cost of cybercrime that’s set to grow to $10.5 trillion by the same year, according to research firm Cybersecurity Ventures. The growing number of connected devices creates a larger ‘attack surface’—the number of potentially unprotected targets a miscreant can seek to exploit. In addition, the large volumes of data gathered and transmitted by billions of connected IoT devices create a bigger target for interception.

Addressing the vulnerability of connected devices

Enhancing the security of the IoT is challenging. Cyber attackers benefit from the complexity of the network, as the more companies, equipment, devices, and software are involved, the more opportunities there are for exploitation. Such complexity emphasizes the importance of security being considered at all stages of a product’s lifecycle - not just when it’s in the field.

Even simple IoT products, such as smart thermostats, should be endowed with a degree of protection. It’s not expensive to build in simple protection such as secure boot and secure update with anti-rollback. Secure boot ensures the device verifies that its original software, and any subsequent update, is authorized and is safe to run. Anti-rollback prevents an older (and potentially vulnerable) version of the firmware from being reinstated.
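The update check described above, sketched as an added example (not code from Nordic or PSA Certified). The image layout, the key and the names build_image, Device and forge_version are hypothetical, and HMAC-SHA256 stands in for the asymmetric signature a real bootloader would verify.

```python
import hashlib
import hmac
import struct

# Constructed demo key. HMAC-SHA256 stands in for the asymmetric signature
# a real bootloader would verify with a public key held in ROM or OTP.
DEVICE_KEY = b"constructed-demo-key"
HEADER = struct.Struct(">I32s")  # security version (u32) + 32-byte tag


def _tag(version: int, payload: bytes) -> bytes:
    # The version is covered by the tag, so it cannot be edited separately.
    msg = struct.pack(">I", version) + payload
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def build_image(payload: bytes, version: int) -> bytes:
    """Vendor side (hypothetical format): header followed by firmware."""
    return HEADER.pack(version, _tag(version, payload)) + payload


class Device:
    def __init__(self) -> None:
        self.min_version = 0   # models a monotonic counter (fuses/OTP)
        self.firmware = b""

    def install(self, image: bytes) -> str:
        if len(image) < HEADER.size:
            return "reject: truncated"
        version, tag = HEADER.unpack_from(image)
        payload = image[HEADER.size:]
        # Authenticate first: the version field is untrusted until then.
        if not hmac.compare_digest(tag, _tag(version, payload)):
            return "reject: not authorized"
        if version < self.min_version:
            return "reject: rollback"
        self.firmware = payload
        self.min_version = version  # the counter only ever moves up
        return "accept"


def forge_version(image: bytes, new_version: int) -> bytes:
    """Constructed tamper case: rewrite the version field, keep the old tag."""
    return struct.pack(">I", new_version) + image[4:]
```

Because the security version is inside the authenticated data, an old image relabelled with a higher version fails verification instead of passing the rollback check.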

Even greater security can be achieved by isolation. Isolation provides a barrier between the firmware responsible for potentially vulnerable interfaces and the security critical code. Non-critical information can still be extracted from the isolated area for general operation of the IoT device, but no security critical information is accessible beyond the isolated area. The device might also feature secure storage for security critical data and assets.

Changing IoT customers' expectations of security

In the wake of heightened awareness of cyber-attacks, public expectations of IoT devices have shifted. A survey by the U.K. government in 2020 found nine out of ten people now expect smart devices to have basic embedded features to protect user privacy and security.

In response, PSA Certified, a framework for securing connected devices, has brought together major stakeholders to consolidate a range of security approaches into a standardized approach for the IoT. It developed a four-stage framework that guides developers through the steps necessary to implement the right level of security for a product. Nordic itself has aligned with the framework.

Regulators in several countries are also outlining expectations and establishing minimum security standards for IoT products. In the EU, lawmakers recently introduced security standards that require internet-connected products to have “appropriate levels of cybersecurity”. In the U.S., recent Executive Orders on cybersecurity have led to the development of IoT security standards by the National Institute of Standards and Technology (NIST).

Unlocking the value of the IoT

Improved security can help developers of IoT solutions unlock stronger customer relationships, especially in contexts where reliability is critical. A prime example is the Wireless Flex Dimming Receiver lighting solution from illumination company Fluence, which is built using Nordic’s nRF52840 SoC and is PSA Certified.

The product is targeted at the agriculture sector and enables growers to increase the amount and quality of produce by optimizing lighting conditions. Its built-in security features make it resistant to disruption, increasing industry’s trust in connected commercial solutions. This trust must now extend to key smart infrastructure such as smart electricity distribution grids, education, and healthcare.

As wireless IoT suppliers like Nordic, industry consortiums like PSA Certified, and regulators around the globe work to prioritize digital security, we may finally see inherent high levels of protection that will unlock the full potential of the IoT.
