Securing IoT Devices

Why "good enough" security doesn't get the job done

May 2019
Contents
Introduction............................................................................................................ 3
Risk 1: Polluting data and compromising business insights .................................... 5
Are we generating revenue from our data?..................................................................................................5
Are we investing in machine learning or artificial intelligence models?...............................................5

Risk 2: Using hacked devices for malicious activity.................................................... 6

Could our devices cause physical harm or lead to litigation?.................................................................7
Could our devices invade privacy and damage our brand?.....................................................................7
Could our devices be used to attack critical infrastructure and make us financially liable?...........7

Risk 3: Bricking devices or holding them for ransom................................................ 8

Will device downtime hurt our revenue? ......................................................................................................9

Risk 4: Stealing private data to sell or use.................................................................... 9

Could our devices expose consumer data and cost us business?........................................................ 10
Could our devices expose corporate data and intellectual property?................................................10

Risk 5: Compromising devices to infiltrate corporate networks............................ 11

Could our devices be used to infiltrate our network and steal our data?..........................................12

Conclusion..............................................................................................................13
Introducing Azure Sphere................................................................................................14
Introduction

The Internet of Things has moved past hype The 2016 Mirai botnet attack is only one high-
and into the mainstream, ushering in a new profile example of what can occur if devices
era of connectivity and insights. Companies enter the market with unintentional security
use IoT to transform their business, develop risks, and since then the IoT attack surface
new revenue streams, improve customer has expanded. By the early 2020s, there will
satisfaction, and drive innovation. IoT be an estimated 25 to 30 billion IoT devices
investments are climbing, and IDC predicts worldwide3, and 25% of cyber-attacks will
spending will maintain a double-digit annual target IoT devices. Mirai compromised 100,000
growth rate, surpassing $1 trillion USD devices and took down the internet for much
worldwide by 2022.1 Much of this growth is of the eastern United States; we can only
driven by the availability of network-capable imagine what an army of billions of devices
microcontrollers (MCUs), the small, general- could achieve.
purpose computers powering devices ranging
While many companies may realize IoT
from toys to consumer appliances to industrial
security is a necessity for protecting consumers
equipment. As connectivity becomes less
and customers, the issue can quickly
expensive, companies are connecting both
become complicated. Since the industry
new and legacy devices to capitalize on the
is still maturing, there is a distinct lack of
insights and efficiencies that IoT enables.
best practices and guidelines for securing
Yet, as things become increasingly connected, connected products, and IoT device security
bad actors are uncovering more and more comes with unique challenges. Most devices
vulnerabilities. Without effective security, are distributed across disparate networks and
the general-purpose processors powering locations, making them difficult to service
devices can quickly become weaponized by in person. They also operate within a wide
an attacker once connected to the internet.2 spectrum of physical security—while some
devices are located in protected physical
environments, others operate out in the

25%
of cyber-attacks will
world, leaving them exposed. Intrusions are
hard to detect, because unlike an enterprise
application or PC, IoT devices often have
target IoT devices by
the early 2020s.4 Securing IoT Devices // 3
“The industry will need
to acknowledge IoT’s
pervasive presence and
adopt new strategies that
consider our digital world”6
Earl Perkins
Research Vice President
Gartner

limited user interaction or oversight and may

not actively communicate their security state.
In addition, many IoT devices are always on
to collect telemetry data but may capture
sensitive data unintentionally. And if your
devices are critical to business operations,
attacks could cause unexpected downtime
that impacts revenue. Given these challenges,
defining the right approach to IoT security
often seems daunting—according to Bain,
security is still the most significant barrier to
IoT adoption.5

At Microsoft, we’ve noticed a consistent

trend emerges when discussing IoT security
with our industry-leading customers and
partners: “good enough” security doesn’t
get the job done. That’s because IoT security
shouldn’t be a one-time checklist—it’s a
process that requires ongoing consideration.
“The industry will need to acknowledge IoT’s
pervasive presence and adopt new strategies
that consider our digital world,” advises Earl
Perkins, Research Vice President at Gartner.6
With new security threats constantly surfacing,
businesses need to shift to a holistic, proactive
approach that factors prediction, prevention,
detection, and response into every layer of the
IoT ecosystem, no matter where your devices
live.

Securing IoT Devices // 4

In this paper, we’ll discuss five common risk How would data pollution impact your
scenarios where “good enough” IoT security business? Ask yourself:
falls short, leaving businesses open to risk.
We’ll also outline key questions you can ask Are we generating revenue from
to assess the business impact of each risk our data?
and provide best practices and mitigation
Organizations that bill customers based on
strategies to help you develop a security-
sensor data should be especially wary of data
first approach that ensures your products are
pollution. If end users can circumvent the
protected and built to last.
metering system by altering the sensor data
attached to their account, companies have no
RISK 1: Polluting data means of determining if their billing is accurate

and compromising or not, potentially impacting revenue or

leading to expensive litigation.
business insights Are we investing in machine learning
(ML) or artificial intelligence (AI)
Though it’s common knowledge hackers will models?
try to steal data, a lesser-known risk is data
pollution—the practice of injecting false For businesses that feed IoT data into ML and
information into your data. Data pollution can AI models, data pollution can compromise
cause just as much damage as data theft and the quality of their intelligence. If you’re like
be equally lucrative for bad actors. Gartner other forward-thinking organizations and use
predicts that by 2020, there will be a black IoT insights to make data-driven engineering
market exceeding $5 billion USD dedicated to
selling fake sensor and video data to enable
criminal activity.7 While false telemetry data
may initially seem harmless, it could have
serious downstream safety and business
implications, potentially negating the benefits
of IoT altogether.

We’ve already seen these attacks play out on

the global stage. The Stuxnet virus fed fake
data into Iranian nuclear centrifuges, making
them spin out of control and break down. In
healthcare, bad actors can use false data to
add or remove cancerous growths from CT
scans8 and alter pacemaker settings, posing
risks to patients and health systems alike. Fake
sensor data can also destabilize electrical
grids or adversely influence the moisture and
humidity settings that help farmers grow their
crops.9 The sheer breadth of these examples
shows how easily data pollution can affect any
business in any industry.
Securing IoT Devices // 5
or strategy decisions, false data may impact By developing a more proactive security
your business well into the future. ML and AI approach rooted in robust authentication and
models are also valuable from an intellectual attestation protocols, your business will be
property (IP) standpoint, and if polluted, they better positioned to avoid data pollution and
could affect your ability to monetize or scale. keep your device data accurate and reliable.

Identifying a few fake data points amidst RISK 2: Using hacked

petabytes or zettabytes of IoT data is like devices for malicious
searching for a needle in a haystack. As a
result, our customers have found the best activity
way to mitigate this risk is by keeping false
information out of their data in the first
place. With a proactive security approach
that includes attestation so that devices Thanks to widely publicized intrusions like the
only run safe software and certificate-based Mirai botnet attack, most business leaders
authentication to prove device identity, are aware their devices can be co-opted by
organizations help ensure only the right hackers and used for malicious purposes.
devices running the right software connect to However, this risk extends well beyond botnets.
their services. With the right access, hackers can take control
of almost any device to cause numerous
problems. Smart washing machines could
flood homes, for instance, or IoT-enabled
security cameras could be used to invade
privacy.

These types of attacks are easily carried out

when devices ship to market with known
vulnerabilities or are unable to adapt to new
threats in the security landscape. In 2008,
a fourteen-year-old in Poland infiltrated a
connected railway system and made several
trains change tracks, causing multiple injuries.10
Seven years later, more than one million
connected cars were recalled after a hacker
demonstrated how simple it was to take
over a car, remotely turn the steering wheel,
shut down the engine, and even disable the
brakes.11 While this may seem far-fetched,
compromised IoT devices can generate real-
world consequences for companies, people
and infrastructure.

How would a bad actor gaining control of your

devices impact your business? Ask yourself:

Securing IoT Devices // 6

Could our devices cause physical by Greenberg Strategy, 36% of consumers
harm or lead to litigation? identified either government spying, personal
privacy, or physical safety as their top security
Most devices could be used for malicious concern with IoT products.12 Companies that
activity in the wrong hands, but organizations want to preserve their reputation should take
whose devices have any type of heating protection seriously or risk losing customers to
element, access to a gas or water line, or more trusted brands.
operate in a potentially dangerous context
need to give this risk careful consideration. Could our devices be used to attack
Especially in the case of heavy equipment, critical infrastructure and make us
such as a smart mechanical arm on a financially liable?
production floor or connected backhoe in the
field, bad actors could infiltrate the device and The Mirai attack crippled internet access for
cause serious injury. Ensuring employee safety most of the Eastern Seaboard, and it was
is imperative for all businesses. Additionally, created by an undergraduate student.13 If a
such incidents can lead to costly litigation or student can achieve this level of disruption,
public relations woes. it’s not difficult to imagine the damage an
entity with more resources, such as a nation-
Could our devices invade privacy and state, could accomplish with a similar attack.
damage our brand? Unfortunately, these attacks are becoming
more common, increasing in frequency by
Any IoT device with a camera or microphone
40% in 2018.14
raises privacy questions, and businesses
trying to protect their IP aren’t the only ones As malicious source code becomes readily
concerned. With hackers making threats via available, it poses significant risks to
baby monitors and gaining unauthorized infrastructure and could cost millions. Health
glimpses into homes through security cameras, systems use IoT sensors to gather real-time
it’s no surprise that security is a top priority data on patients and deliver customized care,
for consumers as well. In a recent study first responders rely on location-based services

Securing IoT Devices // 7

to coordinate their efforts, and cities use IoT
devices to support traffic management and
RISK 3: Bricking devices
citizen services. If your company possesses a or holding them for
ransom
large number of IoT devices, a coordinated
botnet attack could bring any of these critical
lifelines to a halt, potentially leaving you
financially responsible for fines and reparations.
Although most IoT attacks may leave you with
a functional (though compromised) device,
The most common way for hackers to some attacks will shut your devices down
take control of your devices is by forcing for good—a process known as permanent
them to run malicious applications and denial of service (PDoS) or bricking. PDoS
access unapproved IP addresses. This is attacks continue to grow in frequency, and
another scenario where prevention is key, if your operational technology is targeted
as devices under attack will be harder to and bricked, you may face revenue loss from
recover in real time. You should ensure your production delays or even risk a shutdown.
security architecture always blocks unsigned Additionally, ransomware can be used to
applications and unauthorized internet hold devices hostage with threats of bricking,
addresses. Your hardware and operating exacerbating an already costly attack.
systems should also be equipped with robust According to Symantec, ransomware shifted
device monitoring and failure reporting. And targets from consumers to enterprises in 2018,
flagging abnormal behavior for decision where infections rose 12%.15
makers will enable them to initiate device
In 2017, a strain of malware known as
recovery as needed.
BrickerBot bricked IoT devices around the
By keeping malicious code out of your world by exploiting devices with default login
IoT devices, your business can be a better credentials. Upon gaining access, an attack
corporate citizen and safeguard the public. script rendered the devices inoperable in

Securing IoT Devices // 8

seconds. While the BrickerBot attack wasn’t Most PDoS attacks target the critical
carried out for material gain, other hackers components of IoT devices to render it useless.
have taken a different approach. That same BrickerBot, for example, deployed a series
year, the WannaCry ransomware cryptoworm of commands to corrupt IoT device storage,
locked users out of more than 200,000 disrupt internet connectivity, and ultimately
computers and cost the United Kingdom’s cripple device performance. As a result, our
National Health Service £92 million in canceled customers often find the best way to protect
appointments, cleanup costs, and IT system against bricking is by compartmentalizing the
upgrades.16 Ransomware is often a highly device operating system, limiting access to
effective attack for hackers—despite the most important parts of the platform,
having backup systems in place, and tightly controlling access to
many businesses decide paying device memory. In addition,
the ransom is cheaper than your security architecture
conducting a full system should regularly push
recovery or replacing automatic over-the-air
bricked devices.17 (OTA) updates to renew
Whether your devices device security as soon
are held for ransom as new vulnerabilities
or bricked, either are revealed.
outcome will likely have
By maintaining strict
major ramifications.
control of your devices
How would a PDoS and minimizing your
attack impact your attack surface, your
business? Ask yourself: business can reduce the risk
of PDoS attacks or ransomware
Will device downtime hurt and ensure production continues
our revenue? uninterrupted.

If your devices are bricked, you’ll likely

experience downtime until the affected devices RISK 4: Stealing private
are replaced and production is restored.
For instance, if you operate a national chain data to sell or use
of casual diners and your entire network
of connected deep fryers gets bricked or
held captive by ransomware, the cumulative
Perhaps the most common concern with IoT
revenue loss could be disastrous. The same
devices is the threat of a data breach. When
scenario extends across industries—consider
left unsecured, IoT devices can become the
manufacturing production lines, connected
perfect entry point for a bad actor looking to
medical equipment, or IoT-enabled services.
steal sensitive data. Take medical devices, for
Bricked devices can also have safety
example. Medical information can be worth
implications; if a piece of heavy machinery or
ten times more than credit card numbers on
an important safety device suddenly becomes
the deep web18, and medical device reliance
inoperable, employees could be injured.
on legacy systems makes them a prime target
for attackers.19 In 2018, the United States
Securing IoT Devices // 9
Department of Health and Human Services social media accounts, email addresses, and
received over 400 reports of medical data other personal information that could enable
breaches20, affecting more than 11 million fraud or identity theft. As global digitization
patient records.21 efforts continue to generate groundbreaking
volumes of data, the risk to consumers
Not only are data breaches costly to a
and businesses only grows. Consumers are
company’s reputation, they place consumers
becoming more educated on this topic and
and customers at risk of fraud, identity theft,
our research indicates they’re voting with their
and other serious repercussions. High-profile
wallets—65% of consumers said they wouldn’t
intrusions continue to make headlines, and
purchase a smart device from a brand that
with the average breach in the United States
had experienced a security breach.23 If your
costing businesses $7.9 million22 before added
business manages consumer data, it’s vital
costs of litigation, clean-up, reparations, and
to take security seriously—otherwise you risk
fines, no brand wants to make headlines for
losing customers.
the wrong reasons.

How much would a data breach impact your Could our devices expose corporate
business? Ask yourself: data and intellectual property?
While consumer data is an ideal target for
Could our devices expose consumer
hackers looking for a quick payday, corporate
data and cost us business?
data can be a major commodity for companies
Though credit card information may be the hoping to outstrip the competition. By
most well-known target for hackers, recent attacking IoT devices, hackers are employing
attacks have also captured medical records,

Securing IoT Devices // 10

a new method of corporate espionage. If can become a viable target for hackers when
the right device is compromised—consider deployed in an interesting ecosystem. What if
a machine that makes highly sensitive silicon the refrigerator were located in the break room
chips, for instance—competitors could steal of an enterprise datacenter, for instance?
the design and use it to displace you or
These back-door attacks can leverage any
your customers in the market. If you want
IoT device connected to your network. For
to protect your competitive advantage and
example, many hackers have targeted office
keep customer data safe, securing data is an
printers because their security is often minimal.
essential step.
Once inside, the attacker can use the printer’s
memory to access print jobs containing files
and steal network passwords to compromise
Although IoT devices may seem to have less the entire ecosystem.24 This concern extends
access to data than traditional information to consumer environments as well—now
technology, they’re equally important to that smart televisions make up over 69%
secure. A device itself may not have access of television sales in North America, there's
to valuable data, but if it connects to your growing concern hackers will infiltrate them
network or the internet, it can put your and take over entire smart home networks,
environment at risk. To prevent data breaches, controlling everything from connected stoves
your devices need hardware security to make and washing machines to smart speakers and
them resistant to physical attacks, and signed, security cameras.25
authenticated software to prevent malware-
based attacks. How much damage could a hacker do with a
compromised device? Ask yourself:
By securing all IoT devices regardless of their
business significance, you can rest easier
knowing that sensitive data remains under lock
and key.

RISK 5: Compromising
devices to infiltrate
corporate networks

Most of today’s companies understand that

better device security protects the data stored
on devices themselves, yet there’s another
important reason to secure IoT devices:
protecting the corporate network. Otherwise,
clever hackers can use an unsecured IoT
device as a back door and steal valuable data
or compromise critical workloads. Even an
innocuous device like a connected refrigerator
Securing IoT Devices // 11
Could our devices be used to infiltrate Preventing attackers from using a
our network and steal our data? compromised device as an entry point to your
network starts with understanding device
When all your devices live in the same identity. Companies must be able to determine
ecosystem, even your simplest IoT devices which devices belong to their network to avoid
needs robust security. No one thought fish accidently responding to an attacker. You
could cause a security breach, for instance, should also have mutual authentication, where
until hackers infiltrated a casino’s network a device verifies the identity of the cloud,
through a connected thermometer in their and the cloud likewise verifies the identity of

the device. And always ensure your devices

initiate communication with the cloud—not
fish tank.26 Using the thermometer as an entry vice-versa. Just like a door that ignores any
point, hackers were able to gain network knock and can only be opened from the
access and move to internal databases, inside, a device that rejects messages from
exporting 10GB of private high-roller data.27 conversations it didn't start will ignore inbound
Since any device on your network can become communications that may originate from
an entry point, it’s important to approach bad actors.
device security with the mindset that if it’s
By locking down your devices and shutting the
connected, it must be secured.
door to your network, you can keep hackers
out of valuable business systems and achieve
peace of mind.

Securing IoT Devices // 12

Conclusion Instead of attempting to combine point
solutions, our successful customers have
chosen to implement a tightly integrated
end-to-end solution for their IoT devices. This
Throughout this paper, we’ve discussed five new approach starts with executive leadership
common IoT security risks across your IoT recognizing the vulnerabilities posed by
ecosystem and offered tactical guidance for IoT and making a commitment to prioritize
addressing them. While some businesses device security. And while the intricacies of
may be tempted to stitch solutions together IoT security may seem overwhelming, you
and assume it will reduce their exposure to don’t have to navigate them on your own.
these risks, every new integration point is a The right technology partner can help reduce
potential back door for attackers. Bad actors complexity and bring expert guidance to
are clever, and if there’s a hole in your security, secure devices at every stage of development,
they’ll find it. “The infrastructure of the future deployment and management. By leaving the
will literally be only as secure as the weakest hard work to the experts, your business can
link,” advises Microsoft President, Brad Smith.28 focus on what matters most: bringing your IoT
Not to mention, a piecemeal approach can vision to life.
be a significant drain on valuable resources,
infrastructure, and the bottom line.

Securing IoT Devices // 13

Introducing Azure Sphere
Device security doesn’t have to be a barrier to achieving your IoT goals. Microsoft’s Azure Sphere
delivers end-to-end IoT security that responds to emerging threats—so you don't have to. Azure
Sphere is a comprehensive solution to help you create highly secured, connected MCU-powered
devices. With Azure Sphere, Microsoft brings together the best of our expertise in cloud, software, and
device technology to provide a unique security approach that starts in the silicon and extends to the
cloud. To learn more, visit the Azure Sphere website or connect with one of our experts today.

© 2019 Microsoft. All rights reserved. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
This document is provided"as is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal
rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes

1
IDC Forecasts Worldwide Spending on the IoT to Reach $745 Billion in 2019. IDC, 2019 15
Internet Security Threat Report. Symantec, 2019
2
Anatomy of a secured MCU. Microsoft Azure, 2018 16
WannaCry cyber attack costs the NHS £92m as 19,000 appointments cancelled. The Telegraph, 2018
3
IOT Security: A Coming Crisis? TRUSTLOOK, 2017 17
US hospital pays $55,000 to hackers after ransomware attack. ZDNet, 2018
4
IoT Device Security is Being Seriously Neglected. ABERDEEN, 2018 18
NHS Cyber Attack: Why stolen medical information is so much more valuable than financial data.
5
Unlocking Opportunities in the Internet of Things. Bain & Company, 2018 Independent, 2017
6
Navigating the Security Landscape in the IoT Era. Gartner, 2016
19
IoT Devices, Ultrasound Machines Pose Risk to Health IT Netowork. Health IT Security, 2019
7
Why fake data is a serious IoT security concern. CSO, 2018
20
Hackers are stealing millions of medical records – and selling them on the dark web. CBS News, 2019
8
Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists. The
21
Hackers are stealing millions of medical records – and selling them on the dark web. CBS News, 2019
Washington Post, 2019 22
Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT. SecurityIntelligence, 2018
9
Why fake data is a serious IoT security concern. CSO, 2018 23
New smart devices security research: Consumers call on manufactures to do more. Microsoft
10
Hacking the IoT: Vulnerabilities, Dangers, and Legal Responses. Duke Law, 2018 Azure, 2019
11
Hacking the IoT: Vulnerabilities, Dangers, and Legal Responses. Duke Law, 2018
24
The 7 Craziest IoT Device Hacks. Radware Blog, 2018
12
New smart device security research: Consumers call on manufactures to do more. Microsoft
25
The 7 Craziest IoT Device Hacks. Radware Blog, 2018
Azure, 2019 26
Hackers once stole a casino’s high-roller database through a thermometer in the lobby fish tank.
13
The Mirai botnet explaine: How teen scammers and CCTV cameras almost brought down the internet. Business Insider, 2018
CSO, 2018 27
How a fish tank helped hack a casino. The Washington Post, 2017
14
DDoS Attacks Increase 40% Year on Year Confirms Corero Netowkrs. Corero, 2019 28
Microsoft’s IoT Push Continues Apace with Azure Sphere Redmond Channel Partner, 2018

Securing IoT Devices // 14