IoT Security: How to Protect Your IoT M2M Device

Eseye author

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

The rapid adoption of Internet of Things (IoT) devices across all sectors has been driven by steadily reducing costs and constantly improving capabilities. But as new features, functions, and connectivity types are added to M2M devices, security is often overlooked in favor of ease of use and faster time to market.

It’s difficult to find numbers that agree, but Gartner estimates 25 billion IoT devices in deployment by 2025, and most research suggests that the majority of these devices are not, and will not be, adequately secured.

Research published by security experts at Kaspersky in 2023 found that brute-force attacks against the user interfaces of IoT and M2M devices are common, because the Telnet and SSH services running on these devices typically use widely known default passwords. End users tend to leave these passwords unchanged, and many IoT and M2M devices ship with manufacturer-set default passwords that cannot be changed at all.

If this wasn’t enough, tens of millions of common-use, mass-manufactured IoT devices, such as security cameras, communicate over unencrypted and unsecured protocols, making them vulnerable by default.

Cybersecurity is often seen as a compromise, whether in cost, productivity, or convenience. It may not seem much of a problem if a connected vending machine or a building temperature sensor is deployed without security: what’s the worst that can happen? With a connected car or an implanted insulin pump, at least, the consequences of malicious intervention are more tangible.

The point is that this vast web of unsecured, cloud-connected IoT and M2M devices significantly increases the attack surface of any organization’s infrastructure. Each of these devices can serve as a jumping-off point for hackers, state-sponsored attackers, and other threat actors to reach much more sensitive parts of your infrastructure.

There are black-market scanners that probe the internet for unsecured IoT devices, and their operators sell this information on a subscription basis on the dark web. It’s also rumored that the Stuxnet worm, which may have been deployed to destabilize Iran’s nuclear program, used an M2M-connected water pump as its payload carrier.

No matter how innocuous the device, if it has the potential to serve as a bridge between the internet and a private network, it is of interest to someone and should be considered a target.

  • Detection time: If logging and auditing of access to IoT devices does not happen or goes unchecked for long periods, security threats and vulnerabilities may go undetected. Savvy security practitioners always assume a breach has already taken place.
  • Single-purpose IoT devices often don’t feature security at all: Many IoT devices, especially mass-market consumer units, are unsophisticated single-task products that omit security to keep costs low. You may need to reconsider your device options, or look at how to implement security at deployment.
  • Lack of certificate-based security: A related concern is that many IoT or M2M SIMs lack the capability for more advanced certificate-based security measures.
  • Insecure data transmission: Many IoT and M2M SIMs available today send data via HTTP over the public internet, and don’t make use of a private Access Point Name (APN) or Virtual Private Network (VPN) to provide a secure connection back to the organization’s cloud. This increases the risk of data being intercepted through man-in-the-middle attacks, lost through malicious or accidental means, or disrupted by Denial of Service (DoS) attacks.

Companies that excel at securing their IoT and M2M network use a variety of prevention techniques, including:

  • Limit connections: Limit the number of connections your device accepts or makes, ideally to a single secure, encrypted, certified connection to a trusted service endpoint.
  • Consider NAT: NAT (network address translation) hides the real address information of a device by dynamically allocating a new port, and sometimes a new address, each time it opens a connection to the internet. Note, however, that this offers little protection from attacks originating from compromised devices on the private side of the network.
  • IoT firewalls are crucial: A fully fledged stateful-inspection firewall may not be feasible on a low-power IoT device, but allowlists and access rules on the device, paired with network-based firewalls, can provide appropriate protection. Assume the worst of every connection: identifying and verifying the trust relationship between your device and its associated IoT service layers will improve the security of your IoT and M2M networks.
  • Security against screwdrivers: Some IoT and M2M devices are physically accessible, in public or remote locations, which makes them vulnerable to opportunists and harder to protect. An unsecured device can be compromised simply by someone gaining access to its ports, or by reading sensitive information, such as a MAC address or login details, from a sticker on the device.
  • Intrusion detection: Set up intrusion detection on your network to pick up attempts to access your device, and review the logs regularly.
  • Perform regular IoT device security updates: All devices run some kind of software, and that software must be patched and updated. The smallest bug in the externally facing components of a device can expose your entire fleet to a multitude of issues. A robust, efficient bug-fixing and firmware-update process keeps the window in which any vulnerability is exploitable to a minimum.
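As an added example (not from the original article, and not Eseye code) of the log review and intrusion detection the list recommends, the Python script below scans sshd-style log lines for the brute-force pattern described earlier: a burst of failed password logins from one source, followed by a successful login from the same source, which is the signal that a default or guessed password worked. The log lines, host name `gw01`, the line format, the five-failures-in-60-seconds threshold and the function names are all constructed assumptions; adjust the regular expression to the device's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd-style syslog lines (not taken from a real device):
# one source hammers the gateway with failed password logins and then gets in,
# while a second source makes one typo and then authenticates with a key.
SAMPLE_LOG = """\
2024-03-05T10:00:01 gw01 sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-05T10:00:03 gw01 sshd[812]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-05T10:00:04 gw01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
2024-03-05T10:00:06 gw01 sshd[812]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-05T10:00:07 gw01 sshd[812]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-05T10:00:09 gw01 sshd[812]: Accepted password for root from 203.0.113.7 port 51006 ssh2
2024-03-05T10:05:00 gw01 sshd[813]: Failed password for ops from 198.51.100.2 port 41000 ssh2
2024-03-05T10:05:20 gw01 sshd[813]: Accepted publickey for ops from 198.51.100.2 port 41001 ssh2
"""

# Assumed log line shape (ISO timestamp, host, sshd event); adjust to the real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we don't care about."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with `threshold` failed logins inside `window`, and any later
    successful login from such a source (the sign that a guessed password worked)."""
    recent_failures = defaultdict(deque)  # source IP -> failure timestamps in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        failures = recent_failures[src]
        # Slide the window: forget failures older than `window`.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if event["result"] == "Failed":
            failures.append(ts)
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "host": event["host"],
                               "failures": len(failures), "at": ts.isoformat()})
        elif src in flagged:
            # A success from a source already seen brute-forcing: treat as compromise.
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "host": event["host"], "user": event["user"],
                           "method": event["method"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script raises one `brute_force` alert for 203.0.113.7 at the fifth failure and then a `success_after_bruteforce` alert when `root` logs in from the same address; the single typo from 198.51.100.2 produces nothing. The same loop can be fed a live log tail, and the `success_after_bruteforce` alert is the one worth paging on.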

The Eseye AnyNet+ SIM is designed to combat the data security risks from your IoT and M2M deployments as well as delivering additional future-proofed functionality.

  1. Only activate the features that you need when you need them. Unused services are easy to forget about.
  2. Make use of allowlist and denylist capabilities to create something similar to a firewall for SMS services, allowing you to set devices to only send and receive SMS to and from pre-verified numbers.
  3. International Mobile Equipment Identity (IMEI) lock allows you to lock your SIMs and devices together, meaning the SIM cannot be removed and used for another device.
  4. Use secure private APNs, which ensure authorized connections only.
  5. “Location lock” effectively geo-fences a SIM to work only in a specified location.
  6. Embedded SIMs can be installed on the printed circuit board (PCB) in the device to eliminate the risk of tampering.
  7. VPN connections provide an additional layer of security and control against unauthorized access or viewing of the data in transit.
  8. Ensure your device has an update and patching capability, so that as risks change you are able to safeguard against them.
  9. Ensure all open data ports are double-checked and unused ports are closed.
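As an added example (not part of the article or of Eseye's products) of the port check in the last item, the Python script below parses constructed `ss -lntu`-style output from a Linux-based gateway and reports every listening service that is not in an assumed inventory of expected services for that device role. Exposed plaintext management services such as Telnet, which the article names as a common brute-force target, are rated highest; unexpected services bound only to loopback are rated lowest. The sample output, the `EXPECTED_SERVICES` inventory and the function names are assumptions made for this example.

```python
# Constructed sample in the style of `ss -lntu` output from a Linux-based
# gateway (illustrative data, not captured from a real device).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:1883     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8883       0.0.0.0:*
tcp   LISTEN 0      128    [::]:80            [::]:*
"""

# Assumed service inventory for this device role (DHCP client, SSH, MQTT over
# TLS); any other listener is a finding.
EXPECTED_SERVICES = {("udp", 68), ("tcp", 22), ("tcp", 8883)}

# Plaintext management/data protocols that should never face the network.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Turn `ss -lntu` style text into a list of listener dicts."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles IPv6 like [::]:80
        if not port.isdigit():
            continue
        addr = addr.strip("[]")
        listeners.append({"proto": proto, "addr": addr, "port": int(port),
                          "external": addr not in LOOPBACK})
    return listeners


def audit_listeners(ss_output, expected=EXPECTED_SERVICES):
    """Return findings for every listener not in the expected service inventory."""
    findings = []
    for lst in parse_listeners(ss_output):
        if (lst["proto"], lst["port"]) in expected:
            continue
        plaintext = PLAINTEXT_PORTS.get(lst["port"])
        if not lst["external"]:
            severity, reason = "low", "unexpected service bound to loopback only"
        elif plaintext:
            severity, reason = "high", f"plaintext {plaintext} service exposed on all interfaces"
        else:
            severity, reason = "medium", "unexpected service exposed on all interfaces"
        findings.append({**lst, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(audit_listeners(SAMPLE_SS_OUTPUT), key=lambda f: order[f["severity"]]):
        print(f"{f['severity']:6} {f['proto']}/{f['port']} on {f['addr']}: {f['reason']}")
```

On the sample this reports Telnet on port 23 and HTTP on port 80 as high-severity findings, and the loopback-only MQTT broker on 1883 as low; SSH, the DHCP client port and MQTT over TLS on 8883 are in the inventory and pass. Keeping the inventory per device role, and running the audit as part of the build and again after each firmware update, is what turns "double-check open ports" into a repeatable control.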

There’s no doubt that while IoT and M2M networks offer significant potential for business in terms of improving services, improving efficiency, and reducing costs, they significantly elevate the risk profile of an organization when not deployed with a security-first approach.

Aside from the general inconvenience caused by devices being taken offline, there are significant and growing data privacy and safety concerns caused by the number and type of IoT devices being deployed in every industrial sector and facet of consumer lives.


Eseye brings decades of end-to-end expertise to integrate and optimise IoT connectivity delivering near 100% uptime. From idea to implementation and beyond, we deliver lasting value from IoT. Nobody does IoT better.
