IoT Security
19 August 2020 by Oscar Calcaterra
Cybersecurity matters at every level — yet it's rarely taken seriously in the products that handle simple, everyday tasks: devices with no user interface, quietly forgotten in a corner of a home or office.
IoT, or the Internet of Things, captures a reality most people don't think about: a huge number of devices need network connectivity to do their jobs. That ranges from a refrigerator that alerts you when the door is left open to a temperature sensor deployed in the middle of a remote agricultural field.
Security Limitations in IoT Networks
Every communication channel has its constraints — highways, broadcast television, the internet — and the networks used for IoT are no different. Low-power IoT networks in particular face serious challenges when it comes to implementing effective security.
The microcontrollers at the heart of most IoT devices typically lack the processing power needed to run modern encryption. Encryption is the foundation of contemporary cybersecurity: SSL is what makes it safe to run a credit-card transaction over a public network.
In theory, intercepting a message in transit over the internet is straightforward. What makes it useless to an attacker or eavesdropper is encryption — without the right keys, the content is unintelligible. This model has held up well for decades.
Device obsolescence breaks it. Hardware that isn't updated automatically falls behind, and as computing power grows over time, older encryption methods become crackable. A refrigerator that hasn't been patched in years and is still running TLS 1.0 is an easy target.
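One way to find devices like that refrigerator is to read the protocol version each one selects in its TLS ServerHello. The sketch below is an added example, not code from the original article. It assumes the ServerHello fits in a single TLS record, and its device names and sample bytes are constructed for illustration.

```python
import struct
# Wire version codes; this example treats anything below TLS 1.2 as legacy.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTABLE = 0x0303
EXT_SUPPORTED_VERSIONS = 0x002B  # carries the real version in TLS 1.3

def negotiated_version(record):
    """Return the version a server selected, from its ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    pos = 34 + 1 + hello[34] + 3  # skip random, session_id, suite, compression
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    pos += 2                      # skip the extensions length field
    while pos + 4 <= len(hello):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if pos + 4 + elen > len(hello):
            raise ValueError("truncated extension")
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + elen
    return version                # no override: legacy_version is final

def build_server_hello(legacy, selected=None):
    """Construct a minimal ServerHello record (test data, not a capture)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if selected is not None:
        hello += struct.pack("!HHHH", 6, EXT_SUPPORTED_VERSIONS, 2, selected)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, legacy, len(hs)) + hs

def audit(captures):
    """Map device name -> (version name, True if below TLS 1.2)."""
    result = {}
    for name, record in captures.items():
        v = negotiated_version(record)
        result[name] = (VERSIONS.get(v, hex(v)), v < MIN_ACCEPTABLE)
    return result

# Constructed samples; device names are hypothetical.
SAMPLES = {"fridge": build_server_hello(0x0301),
           "camera": build_server_hello(0x0303),
           "gateway": build_server_hello(0x0303, 0x0304)}
```

Calling `audit(SAMPLES)` flags only the fridge. The gateway advertises 0x0303 in the legacy field, but its `supported_versions` extension shows it actually negotiated TLS 1.3.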
Connected IoT devices: their apparent simplicity doesn't prevent them from becoming attack vectors.
Why Would Anyone Attack an IoT Device?
A single insecure device inside an otherwise secure network compromises the entire network. It becomes an entry point for attacks and unauthorized access — exactly the kind of exposure you can't afford on an office network.
The real danger scales with numbers. Thousands of compromised devices acting in concert can generate devastating attacks. This is the mechanism behind DDoS — distributed denial-of-service — where infected devices flood a single target with simultaneous requests until it buckles.
The October 2016 Attack
On a Friday in October 2016, a large-scale decentralized attack knocked Twitter, Spotify, and PayPal offline. The traffic came from thousands of connection points around the world, all routing through compromised IoT devices [3].
It started at 7 a.m. with an initial wave that triggered alarms across the industry. While investigators were still working to identify the cause, a second wave began building. By 11:50 a.m. a third and far larger wave hit, collapsing significant portions of the internet across multiple regions.
That third wave was so sustained that mitigation didn't begin until six hours later. By then the cause was clear: millions of devices were hammering AWS (Amazon) infrastructure with relentless requests until it gave out.
The organizers were never identified. The U.S. Department of Homeland Security launched investigations and issued guidance urging the industry to treat these attacks as the serious, recurring threat they are. No single countermeasure guarantees protection against DDoS at scale.
A coordinated DDoS attack launched from IoT devices can bring down critical internet infrastructure.
The Real Risk of IoT Devices
IoT devices can seem too small or too specialized to pose a serious threat. But any device that is, in practice, a general-purpose computer connected to a network carries real risk — even the most trivial one, once compromised.
The consequences range widely: from baby monitors hijacked for surveillance to life-saving medical equipment taken offline. Once attackers have control, they can steal data, disrupt services, or carry out any attack that would be possible from a conventional computer.
Compromised IoT infrastructure causes damage beyond data breaches and unreliable operations. It can cause physical damage to facilities — or worse, to the people who depend on them.
In the SCADA world, security implementations tend to be more thorough. They're not always airtight, but when security is built in from the start of a project, they're usually adequate. The problem is that insecure networks rarely attract attention until after an attack — and by then, it's too late.
OWASP and Security Initiatives
OWASP is a nonprofit foundation that publishes an annual list of the ten most common IoT vulnerabilities [2]. The goal is to give manufacturers, developers, and end users the information they need to deploy these technologies safely.
Innotica follows initiatives like OWASP and stays current on cybersecurity and data-transport developments.
The IoT sector is in an active period of improvement. Better services are being built on existing infrastructure — 3G, LTE — alongside newer technologies such as LoRa and Sigfox. Cloud platforms from Azure, Amazon, Google, and IBM are taking on the heavy lifting of deployment and security [4], letting teams focus on writing code and building solutions rather than managing the underlying infrastructure.
Oscar Calcaterra ocalcaterra@innotica.net