Why Credentials Are the Achilles Heel of IoT Security
Guest Writer
The security of IoT devices hinges on the strength of their credentials. According to Verizon’s most recent Data Breach Investigations Report, credentials are one of the hackers’ most sought-after targets—ahead of bank, medical and personal data. When you consider the plethora of digital accounts and connected technologies in use today, it’s easy to understand why bad actors find credentials so appealing. What’s harder to grasp is why companies continue to fall victim to credential-based attacks. As IoT devices and systems become increasingly complex, it’s imperative that organizations take action to shore up this critical vulnerability. Understanding and addressing the following major credential security challenges is the first step.
Even with advances in security for IoT technologies, the best protection remains the same: strong credentials.
By 2029, Gartner expects that more than 15 billion IoT devices will be connected to enterprise infrastructure. While this trend brings numerous business advantages, it also introduces a new credential-related security challenge. Until relatively recently, many connected devices shipped with a default password as standard. This was the case with 600,000 GPS trackers shipped in 2019 with a default password of 123456. This poor security practice put customers in a dangerous position: it allowed hackers to easily gain access to spy on users, spoof the tracker’s location, or intercept emergency calls to family members or authorities. The use of default passwords also exposed the manufacturer itself—for example, bad actors could hijack accounts, change passwords, and lock customers out, creating customer support and reseller problems.
While this trend has begun to change with the introduction of California’s IoT Law, it’s still good security practice to change credentials before deploying IoT technologies. In addition, companies must monitor the integrity of IoT credentials on an ongoing basis, with an automated response if any sign of compromise is detected.
Another major credential security challenge is people’s notoriously poor password habits. When faced with managing credentials for numerous online accounts and services, employees typically create simple, easy-to-remember passwords. In addition, people often reuse the same password across multiple accounts, or use slight variations of the same root phrase—for example, “P@ssword1” and “P@$$word1.”
This isn’t a problem found solely among entry-level employees or those who work in non-technical fields. Nearly a quarter of IT security leaders in a recent survey admitted to using the same passwords across both work and personal sites. If any of these credentials have been exposed in a prior breach, it’s akin to rolling out the welcome mat for hackers. These bad actors have access to a treasure trove of compromised passwords via the Dark Web, cracking dictionaries, and other sources; it’s only a matter of time before they use them to infiltrate IoT devices and enterprise systems.
Another credential security challenge is understanding the limitations of the various emerging authentication mechanisms, in order to determine which ones to use and how best to deploy them.
As the above underscores, when it comes to IoT credential security there is no substitute for securing the password layer. MFA and other authentication strategies certainly have their place, but unless companies can get a handle on password security, they will continue to fall victim to attack. So, what should organizations do?
One of the most cost-effective approaches is to implement automated credential screening that checks for compromised passwords both when a new password is created and on a daily basis. This takes the onus of creating overly complex passwords off employees and helps companies eliminate the threat of compromised passwords without eating up significant IT resources.
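As an added illustration of such screening (not code from the article or from any vendor product), the following Python sketch checks a new password against a constructed mini-corpus of breached passwords, rejects leet-speak variations of a compromised root phrase such as the “P@ssword1”/“P@$$word1” pair above, and re-screens stored account hashes on a daily run. The corpus contents, account names and the unsalted SHA-1 storage format are assumptions made for the example.

```python
"""Automated credential screening: at password creation and as a daily re-screen."""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the format breach-corpus dumps commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Leet-speak substitutions that turn one root phrase into many "different" passwords.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def root_phrase(password: str) -> str:
    """Reduce a password to its root: drop trailing digits/symbols, undo leet-speak, lowercase."""
    return password.rstrip("0123456789!@#$%^&*.-_").translate(_LEET).lower()


class CompromisedCorpus:
    """Breach data indexed two ways: exact SHA-1 hashes and normalised root phrases."""

    def __init__(self, plaintexts):
        self.hashes = {sha1_hex(p) for p in plaintexts}
        # Very short roots (e.g. the empty root of "123456") would match everything; skip them.
        self.roots = {r for r in map(root_phrase, plaintexts) if len(r) >= 4}

    def screen(self, password: str) -> tuple[bool, str]:
        """Creation-time check. Returns (accepted, reason)."""
        if sha1_hex(password) in self.hashes:
            return False, "exact match in compromised-password corpus"
        root = root_phrase(password)
        if len(root) >= 4 and root in self.roots:
            return False, f"variation of compromised root phrase '{root}'"
        return True, "ok"

    def daily_rescreen(self, account_hashes: dict[str, str]) -> list[str]:
        """Daily run over stored hashes against the freshly ingested corpus;
        returns the accounts whose password must be reset."""
        return sorted(a for a, h in account_hashes.items() if h in self.hashes)


# Constructed sample breach corpus (illustrative values, not real breach data).
CORPUS = CompromisedCorpus(["123456", "password", "P@ssword1", "qwerty", "letmein"])

if __name__ == "__main__":
    for cand in ["123456", "P@$$word1", "Tr0ub4dor&3", "correct-horse-battery"]:
        print(cand, CORPUS.screen(cand))
    # Constructed account store: one device admin still uses the factory default.
    accounts = {"tracker-admin": sha1_hex("123456"), "alice": sha1_hex("correct-horse-battery")}
    print(CORPUS.daily_rescreen(accounts))  # ['tracker-admin']
```

In a real deployment the creation-time check would run against a full breach corpus (for example through a k-anonymity range query rather than a local set), and the daily re-screen would compare against the directory’s own password-hash format instead of unsalted SHA-1.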
Employees may be the ones creating passwords, but the responsibility of credential security ultimately lies with organizations. Bad actors will continue to target credentials as a means of attack, but with the right dynamic credential screening solution, companies can safeguard passwords and sensitive data while successfully warding off these attempts.