Cybersecurity risks of unsupported IoT devices

Zachary Amos, Features Editor of ReHack Magazine, runs through the major risks posed by unsupported IoT devices

The Internet of Things (IoT) has introduced unparalleled conveniences into society. Its data-collection abilities are remarkable, but the depth of its insights is also a cybersecurity risk. When people throw away their smart devices like watches, light bulbs and personal medical items, they open back doors for hackers in surprising ways. Here is what manufacturers and users can do to protect outdated IoT products after their disposal.

Lack of security updates

Companies stop supporting devices when they reach end-of-life stages. Even if the item is still operable, sunsetting services could mean it stops receiving updates that keep it safe from modern cyberthreats.

Suddenly, countless IoT devices are vulnerable to new exploits. The number of IoT endpoints was estimated at 14.5 billion by the end of 2022, which indicates how many millions could go into landfills or become defunct each year. These are the best options for staying safe.

What manufacturers can do | What users can do
Outline support life cycles for users at point of sale | Research or contact the manufacturer to determine cybersecurity reputation
Have an optional extended security support programme | Separate IoT devices from personal networks and accounts at end of life
Educate customers on how to decommission devices before discarding | Replace products with supported models

Reliance on default credentials

When someone receives new tech, they are excited to get it up and running. They may speed through the setup without reviewing the settings in much detail. That haste can lead to oversights, as many machines have factory-assigned usernames and passwords. These credentials are searchable online, so the devices are easy to access without high-level skills. Here is how to overcome the problem.

What manufacturers can do | What users can do
Force users to set new usernames and passwords during setup | Use unique logins and passwords for each device according to industry recommendations
Include other authentication protections like biometrics | Set reminders to change passwords regularly
Ensure credentials are not searchable online and only obtained through customer support | Educate friends and family to do the same

Unsecured communications

As more people started working from home, they used their own devices and installed shadow IT. Including IoT in the mix can cause more problems. Incidents have risen around 23% since the work-from-home revolution, with some businesses stating attacks have doubled.

Even for personal use, IoT traffic is straightforward enough to intercept, which allows eavesdropping on a conversation or redirecting data transmission. This is all possible even after a device has been discontinued.

What manufacturers can do | What users can do
Employ strong encryption protocols | Do not connect to open networks
Address vulnerabilities in communications through frequent updates | Use a virtual private network to encrypt activity
Inform customers of the risks associated with connecting to unfamiliar networks | Change settings to only connect to the most secure protocols

Vulnerable software components

Hackers know what operating systems and software IoT devices use; they keep track of them and how well-defended they are. Once planned obsolescence hits a line of products, they compromise any of these components that have outstanding vulnerabilities. Customers may trust manufacturers for longer than the software is functional. However, a few actions go a long way in making these components inaccessible to cybercriminals.

What manufacturers can do | What users can do
Audit software components regularly, including devices about to go out of service | Install firmware and software updates, including before disposal if possible
Create an easy-to-use tool for customers to check for official updates even after the end-of-life date | Isolate devices from the Internet

Recruitment for botnets

Botnet attacks are becoming more common, and it might be because it is easy to hijack stray IoT devices — even children can develop the necessary skills. Once threat actors secure enough devices in the botnet, they can launch distributed denial-of-service (DDoS) attacks and spread malware. Research shows the trend increased by 35% in 2021 alone. Prevent it from rising further.

What manufacturers can do | What users can do
Incorporate defences targeted against botnets | Monitor network activity and device behaviour for anomalies
Stay informed about botnet and DDoS trends to develop new strategies | Restrict access with cyber hygiene practices like using strong passwords and firewalls
Recommend intrusion detection systems for customers | Destroy or dismantle equipment after use and send it to recycling to prevent unauthorised access

Securing the IoT for its entire life cycle

An old smart doorbell or camera should not remain a security concern at the end of its life. Manufacturers and consumers can work together to eliminate these issues by raising awareness of how dangerous it is to let devices go unsupported while connected. Eventually, the future of the IoT will be behind nearly impenetrable walls, even when a customer upgrades to a new model.
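
The user-side checks from the sections above (end of support, default credentials, unencrypted communications, network separation) can be run over a device inventory. The following is an added example, not part of the original article; the device records, field names and the list of unencrypted service labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Service labels treated as unencrypted (assumed list for this example).
PLAINTEXT_SERVICES = {"telnet", "http", "ftp"}

@dataclass
class Device:
    name: str
    end_of_support: date        # date the vendor stops shipping security updates
    default_credentials: bool   # factory username/password still in place
    services: set = field(default_factory=set)
    network: str = "main"       # "main" = shared with personal devices, "iot" = isolated

def audit(device, today):
    """Return (findings, action) for one device, following the user-side advice."""
    findings = []
    unsupported = device.end_of_support < today
    if unsupported:
        findings.append("no security updates since " + device.end_of_support.isoformat())
    if device.default_credentials:
        findings.append("factory default credentials")
    exposed = sorted(device.services & PLAINTEXT_SERVICES)
    if exposed:
        findings.append("unencrypted services: " + ", ".join(exposed))
    if device.network == "main" and (unsupported or exposed):
        findings.append("shares a network with personal devices")
    # An unsupported device cannot be patched, so isolation and replacement come first.
    if unsupported:
        action = "replace" if device.network == "iot" else "isolate, then replace"
    else:
        action = "reconfigure" if findings else "ok"
    return findings, action

# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    Device("doorbell-cam", date(2021, 6, 30), True, {"telnet", "https"}, "main"),
    Device("smart-plug", date(2027, 1, 1), True, {"https"}, "iot"),
    Device("thermostat", date(2028, 3, 1), False, {"https"}, "iot"),
]

def report(inventory, today):
    order = {"isolate, then replace": 0, "replace": 1, "reconfigure": 2, "ok": 3}
    rows = [(d.name, *audit(d, today)) for d in inventory]
    return sorted(rows, key=lambda r: order[r[2]])  # most urgent first

if __name__ == "__main__":
    for name, findings, action in report(INVENTORY, date(2024, 1, 1)):
        print(f"{name}: {action} ({'; '.join(findings) or 'no findings'})")
```
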

Zac Amos is a freelance tech writer who specialises in IoT, cybersecurity, and automation. He is also the Features Editor at ReHack Magazine. Follow him on LinkedIn.
