IoT Device Security: Where Are We in 2024?

In 2024, the Internet of Things (IoT) has become deeply integrated into our daily lives. As an information security professional, I reflect on where we stand with IoT device security and what still needs improvement.

The Growth of IoT Devices

The number of connected IoT devices has exploded over the last decade. There are now over 30 billion IoT devices worldwide, compared to around 15 billion in 2019. This rapid growth is driven by:

Key types of IoT devices today include:

  • Smart home devices – Smart speakers, lights, thermostats, appliances, security cameras.
  • Wearables – Smart watches, fitness trackers, medical monitors.
  • Industrial IoT – Sensors, actuators, controls in factories, energy grids, farms.
  • Vehicle telematics – Fleet tracking, usage-based insurance, automated diagnostics.

With IoT playing an essential role across many sectors, the number of connected devices will likely continue growing. IHS Markit forecasts there will be 125 billion IoT devices by 2030.

The Evolution of IoT Device Security

In the early days of IoT, there was minimal focus on cybersecurity by device manufacturers. Many IoT devices had poor password practices, unencrypted network traffic, unpatched firmware vulnerabilities, and insecure software/firmware update mechanisms.

This resulted in major IoT botnets like Mirai in 2016, which infected over 600,000 IoT devices to conduct massive distributed denial-of-service (DDoS) attacks. The Mirai botnet was a wake-up call, demonstrating the dangers of weak IoT security.

Since then, we have seen meaningful improvements in IoT device security:

  • Secure boot capabilities to verify firmware integrity.
  • Device identity and authentication through hardware roots of trust.
  • Encrypted communications and storage to protect data in transit and at rest.
  • Secure update mechanisms to patch firmware remotely.
  • Cloud security services to monitor devices and detect threats.

Major IoT platforms from Amazon, Google, and Microsoft now offer robust device security capabilities. IoT device certification programs like UL 2900 also promote better security in the design process.

Remaining IoT Device Security Risks

Despite the progress, significant IoT device security risks remain today:

  • Legacy/orphaned devices – Older devices still in use may lack updates.
  • Consumer focus – Consumers prioritize features/cost over security.
  • Supply chain risks – Vulnerabilities can be introduced from suppliers.
  • Weak passwords – Devices still using default passwords that were never changed.
  • Lack of monitoring – Most consumers don’t monitor IoT threats.

Home IoT devices are a major area of concern, with billions of weakly-secured consumer devices deployed. The 2021 Mirai variant highlighted that major IoT botnets are still a threat.

IoT Security Recommendations for Organizations

For organizations implementing enterprise IoT, I recommend the following security best practices:

  • Maintain a device inventory with hardware/firmware details.
  • Enable role-based access control (RBAC) for users.
  • Require multi-factor authentication (MFA) to access devices.
  • Continuously monitor devices and network traffic for anomalies.
  • Segment IoT networks from other IT systems.
  • Work with vendors that prioritize secure design.
  • Patch devices frequently using available updates.
  • Replace legacy/insecure IoT devices when possible.

Following these recommendations will drastically improve an organization’s IoT security posture.
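
As an added illustration (not code from this article), the Python sketch below audits a device inventory against several of the recommendations above: recorded firmware details, patch level, network segmentation, MFA, and legacy devices. The record fields, VLAN numbers, model names and firmware versions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions, not from the article).
IOT_VLANS = {30, 31}                                   # segments reserved for IoT
LATEST_FIRMWARE = {"cam-x1": "2.4.1", "thermo-t2": "1.9.0"}

@dataclass
class Device:
    name: str
    model: str
    firmware: Optional[str]    # None: version missing from the inventory
    vlan: int
    mfa_required: bool
    vendor_supported: bool     # False: legacy device, no further updates

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so that 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in text.split("."))

def audit(device):
    """Return the recommendation gaps found for one inventory record."""
    findings = []
    latest = LATEST_FIRMWARE.get(device.model)
    if device.firmware is None:
        findings.append("inventory: firmware version not recorded")
    elif latest and parse_version(device.firmware) < parse_version(latest):
        findings.append(f"patch: {device.firmware} is older than {latest}")
    if device.vlan not in IOT_VLANS:
        findings.append(f"segmentation: VLAN {device.vlan} is not an IoT segment")
    if not device.mfa_required:
        findings.append("access: MFA not required")
    if not device.vendor_supported:
        findings.append("replace: vendor no longer ships updates")
    return findings

def report(inventory):
    """Map device name to findings, omitting devices with no gaps."""
    results = {d.name: audit(d) for d in inventory}
    return {name: found for name, found in results.items() if found}

# Constructed sample inventory.
INVENTORY = [
    Device("lobby-cam", "cam-x1", "2.4.1", 30, True, True),
    Device("dock-cam", "cam-x1", "2.3.9", 10, False, True),
    Device("hvac-1", "thermo-t2", "1.10.0", 31, True, True),
    Device("old-sensor", "legacy-s0", None, 31, True, False),
]

if __name__ == "__main__":
    for name, found in report(INVENTORY).items():
        print(name, *found, sep="\n  ")
```

Versions are compared numerically rather than as strings, so a device on 1.10.0 is not wrongly flagged as older than 1.9.0.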

The Future of IoT Security

While IoT device security has come a long way, more progress is still needed. As IoT becomes ubiquitous, it presents a hugely enticing target for cybercriminals and nation-state hackers.

I believe several key technologies will shape the future of IoT security:

  • Blockchain to authenticate devices and secure data provenance.
  • AI-driven security to identify sophisticated IoT attacks.
  • Quantum-resistant cryptography to protect against future quantum computing attacks.
  • Lightweight cryptography optimized for resource-constrained IoT devices.
  • IoT SBOMs and firmware transparency to improve supply chain security.

Advancing security research and collaboration between academia, the private sector, and government will also be critical to get ahead of evolving IoT threats.

Overall, I am optimistic about the future of IoT security, though we still have challenges to overcome. With continued effort, IoT devices can become hardened targets rather than easy prey for attackers.
