IoT devices can become security threats – how to manage the risk

The washing machine that tells you when electricity is cheapest, the industrial robot that tells you when it's time for maintenance, and the security alarm that tells a worried relative where an elderly parent is. IoT is everywhere, making our everyday lives better, easier and cheaper...  

But in reality, the technology is also creating security gaps large and small in our homes, cities, industries, agriculture and transport.

Tomas Bodeklint, Research and Business Developer at RISE and responsible for the institute's Cyber Test Lab test and demonstration environment, explains how an ordinary office printer can be used as a tool for a large-scale hacking attack:

"Cybercriminals scan the Internet for unprotected devices. When they find a connected, unprotected printer, they implement software that allows them to use the printer for purposes other than those for which it was intended. It can become part of a 'botnet', an army of devices that work together to launch denial-of-service attacks. In this case, the infected IoT devices are used to bring down specific servers.

Cost focus leads to limited security thinking

 The Swedish Defence Research Agency, FOI, was commissioned by the Swedish Civil Defence Agency, MSB, to map the risks of IoT. One of the conclusions was that much of the IoT equipment has been designed without security in mind*. Tomas Bodeklint believes there is a simple explanation for this.

"A big part of the problem is that many IoT devices must not cost too much for the end user. Manufacturers focus more on functionality and ensuring that a product does what it is marketed to do, rather than ensuring security. This is an issue that has become more acute as cybercriminals and state-sponsored actors use digitalisation to influence society in different ways," says Bodeklint.  

The threat has been addressed at EU level, with the Radio Equipment Directive and the forthcoming Cyber Resilience Act (CRA) in the Union's toolbox of countermeasures, which together cover all types of products that contain some form of software. The aim is to prevent devices with security vulnerabilities from reaching consumers.

"Manufacturers need to consider cybersecurity at the design stage. It is often difficult to add security features after the fact. A good start is to review the threat landscape for your product and analyse the risks and possible attack vectors. Then you can apply various solutions to prevent them, such as encryption and multifactor authentication," says Tomas Bodeklint.  

Disruptions can jeopardise road safety 

RISE helps companies with this type of threat and risk analysis and conducts penetration tests to find weaknesses in IoT products. Among other things, vehicles and charging points have been examined to identify potential security holes. Electromagnetic compatibility (EMC) was also measured. The latter tests whether the electronic product interferes with or is interfered with by other devices and equipment in the vicinity.  

"We have seen it in the past, and we are seeing it now, that the electronics in a car are affected by radio interference. If you haven't thought about EMC issues before, consider the following scenario: your children are in the back seat watching a children's programme on their tablets and suddenly the car crosses the road. Or you're sitting in a traffic jam talking on the phone when the car accelerates into the car in front of you. The more automated the technology in the car, the more complex the risks become," says Tomas Bodeklint.  

"The car is one example of many connected products that have a positioning function. This also increases vulnerability. MSB has identified 'antagonistic electromagnetic threats' to the satellite navigation system as an emerging risk. In the winter of 2023/2024, several jamming incidents were reported in Sweden, with Russia identified as the source." 

"We help the industry with positioning in their products with simulated spoofing and jamming tests - jamming and deceiving the GNSS signals (see box). "This type of testing will of course become increasingly important as we move towards fully automated driving," says Mr Bodeklint.

"It's not enough to plug a hole" 

There have long been requirements for electronic products to be electrically safe to prevent people from being injured. In addition to an overarching legal text, rules and standards have been added to describe how this should be ensured.

"In the future, we will need legal requirements, methods and structures to ensure cybersecurity in all areas. At the same time, we need to raise the level of knowledge. It is not just the engineer building a product who needs to think about security in the design phase, but the whole organisation needs to think about cybersecurity all the time. And plugging a hole is not enough. Hackers are always finding new ways in," says Tomas Bodeklint.  

*Sources: Swedish Defence Research Agency, FOI. https://www.foi.se/nyheter-och-press/nyheter/2018-10-08-sakernas-intern…  
Swedish Civil Defence Agency, MSB. https://rib.msb.se/filer/pdf/29057.pdf https://rib.msb.se/filer/pdf/30061.pdf