IoT security: recognising and closing security gaps

Internet of Things security encompasses all technical and organisational measures that protect networked devices and their communication channels from unauthorised access. This includes, for example, encrypted data transmission, device authentication and the targeted partitioning of sensitive network areas.

In contrast to traditional IT security, IoT security not only considers servers and software, but also physical components such as machines, sensors or vehicles. As many of these devices can neither be managed centrally nor updated regularly, conventional protection measures often reach their limits here.

The aim of IoT security is to effectively protect internet-enabled devices, their data streams and the underlying infrastructures from threats. A comprehensive security strategy therefore forms the decisive basis for the successful and trustworthy use of IoT in companies.

The number of networked devices is growing rapidly: According to a study by the Ponemon Institute from 2022, the average company already manages around 135,000 end devices. This enormous number presents companies with considerable security challenges. One of the biggest challenges is to ensure complete visibility and control over all
IoT devices in use. Without comprehensive knowledge of your own infrastructure, security gaps often remain undetected and cannot be closed effectively. This creates a risky security gap, especially in complex environments with multiple locations or externally integrated devices. To effectively protect IoT systems, companies therefore need an expanded understanding of network security as well as complete transparency of all active components.

Many of these devices also come from different manufacturers with differing security standards. What's more, numerous IoT devices communicate via classic Internet protocols such as TCP/IP - protocols that were not originally developed for today's security requirements. This makes robust IT security for TCP and IoT networks, which also specifically secures these basic communication channels, all the more important.

• DNS vulnerabilities: IoT devices often use DNS systems that are susceptible to spoofing, DDoS attacks and DNS tunnelling.
• IoT botnets: Unprotected devices are frequently recruited into botnets and misused for DDoS attacks.
• Ransomware attacks: IoT devices are increasingly used as entry points for ransomware attacks, where data can be encrypted or sensitive information stolen.
• Insecure MQTT connections: MQTT is a commonly used protocol in IoT environments, enabling fast and lightweight data transfer – but it poses security risks if operated without encryption or authentication. Without proper protection, attackers can intercept, manipulate or inject messages.

In practice, typical security gaps often arise due to a lack of basic protection measures. These include

Technical vulnerabilities at device level

• Standard passwords: Devices with preset access data (e.g. "admin/admin") are a frequent gateway and jeopardise the security of IoT devices, especially when they are used in large numbers.
• Unencrypted communication: Many IoT devices transmit sensitive data unencrypted. If there is no end-to-end encryption, manipulation and data theft are easily possible.
• Lack of update capability: Some devices cannot be updated or do not receive manufacturer updates, meaning that known IoT security vulnerabilities remain permanently.
• Low hardware security: For cost reasons, some devices only have minimal security functions. A lack of TPMs, open interfaces or unsecured memory areas make these devices more susceptible to attacks.

External threats and protocol risks

• DNS vulnerabilities: IoT devices often use DNS systems that are susceptible to spoofing, DDoS attacks and DNS tunnelling.
• IoT botnets: Unprotected devices are often part of botnets and misused for DDoS attacks.
• Ransomware attacks: IoT devices are increasingly being used as entry points for ransomware attacks in which data can be encrypted or sensitive information stolen.
• Insecure MQTT connections: MQTT is a frequently used protocol in IoT environments. It enables fast, lean data transmission, but poses security risks if it is operated unencrypted or without authentication. Without protection, attackers can read and modify messages or infiltrate their own commands.

Structural weaknesses in administration and architecture

• Lack of transparency and shadow IoT: Without a complete overview of IoT components, security gaps cannot be recognised or closed. Shadow IoT devices that are not officially managed are beyond any control.
  Physical manipulation: In many industries, IoT devices are freely accessible and therefore vulnerable to direct access, data theft or manipulation.
  Insufficient monitoring: Without real-time monitoring, suspicious activities remain undetected for a long time, which increases the risk.
  No end-to-end encryption strategy: If there is no systematic encryption, devices remain vulnerable.

• Standard passwords: Devices with preset access data (e.g. "admin/admin") are a frequent gateway and jeopardise the security of IoT devices, especially when they are used in large numbers.
• Unencrypted communication: Many IoT devices transmit sensitive data unencrypted. If there is no end-to-end encryption, manipulation and data theft are easily possible.
• Lack of update capability: Some devices cannot be updated or do not receive manufacturer updates, meaning that known IoT security vulnerabilities remain permanently.
• Low hardware security: For cost reasons, some devices only have minimal security functions. A lack of TPMs, open interfaces or unsecured memory areas make these devices more susceptible to attacks.

• Lack of transparency and shadow IoT: Without full visibility of all IoT components, vulnerabilities cannot be identified or addressed. Shadow IoT devices that are not officially managed fall completely outside of control.
• Physical manipulation: In many industries, IoT devices are freely accessible and therefore prone to direct access, data theft or tampering.
• Insufficient monitoring: Without real-time monitoring, suspicious activities often go unnoticed for a long time – increasing the risk.
• Missing end-to-end encryption strategy: Without a consistent encryption approach, devices remain exposed to attacks.

An effective IoT security strategy combines technical measures and binding standards at all levels - from the device to the cloud. The following best practices help to close vulnerabilities in a targeted manner:

• Strong passwords and access protection: Avoid standard passwords. Instead, use complex, regularly updated access data and supplement this with two-factor authentication or role-based access rights.
• Network segmentation: Operate IoT devices in separate network areas (VLAN or dedicated mobile network) to contain attacks.
• Certified devices: Use standards such as ETSI EN 303 645 and the BSI test specifications and conformity tests to rely on tested quality when selecting secure components.
• Inventory of all IoT components: Completely record all devices in order to monitor and protect them in a targeted manner.
• Comprehensive encryption: Encrypt data both during transmission and on the devices.
• Automated monitoring and vulnerability scans: Real-time monitoring and automated scans enable rapid risk detection and elimination.
• Conduct regular security audits: Technical audits and penetration tests help to detect IoT security vulnerabilities at an early stage and continuously monitor the security level.
• Establish awareness and training: Raise your employees' awareness through regular training to minimise risks when handling IoT devices.
• Protection against physical access: Security measures such as a robust housing with tamper protection or access restrictions help to better protect freely accessible devices against physical access.
• Embedding security governance: Clear responsibilities, binding guidelines and regular training form the foundation of a sustainable IoT security strategy.

The more intensively companies use IoT technologies, the more important it becomes to secure them. Even a single compromised device can jeopardise entire processes. IoT security must therefore be an integral part of any digital strategy. Companies that rely on clear standards, secure architectures and certified components at an early stage improve their competitive position in the long term.

Deutsche Telekom offers suitable infrastructure solutions for this, such as high-performance IoT connectivity via mobile communications and scalable, secure network solutions.