Cybersecurity is a major pain point for IoT network providers and operators. In this article, I'll show you how to secure IoT devices with a VPN. I want to bring attention to the ways in which this tried and true technology can reinforce IoT networks at scale.

Every time you connect a device to the internet, whether it’s a car or a security camera or a simple laptop, a plethora of security concerns arise. The connected device may be used at the office, at home, or both, but there’s always a risk of corporate or personal information falling into the wrong hands. Internet of Things (IoT) devices are prone to targeted attacks that can be hugely detrimental to businesses and people. In this article, after reviewing some common security threats to IoT networks, I’ll show you how to secure IoT devices with a VPN (Virtual Private Network) to mitigate these cybersecurity risks.

Major IoT Cybersecurity Concerns

The security risks inherent in using IoT devices are alarmingly broad, with the term “IoT security” even being dubbed an oxymoron. As the technology remains in its “creation phase,” there are no standard controls or protocols for developers to follow. What’s more, end users often aren’t equipped with the tools or knowledge to mitigate risks effectively themselves.

According to a 2018 Symantec study, there was a 600% increase in the number of IoT attacks between 2016 and 2017.

Image Credit: Symantec

Attacks involve various motives, including competition, retaliation, showmanship, protest, or extortion.

Here are some of the more common assaults on IoT networks against which a VPN might be able to defend:

1. Botnets

IoT devices are prime targets for botnets. A botnet is a series of internet-connected devices that—banded together by a hacker—can perform large-scale attacks, such as Distributed Denial of Service (DDoS) attacks at massive scale. Botnet malware can lie dormant until the attacker sends a command over the internet, and because IoT devices don’t typically have an antivirus protection layer, it can be difficult to detect and remove. A major issue is that many IoT devices are relatively simple compared to PCs and smartphones so complex security architecture is often not an option for device manufacturers.

DDoS attacks typically involve overflowing a network by bombarding it with traffic. A high-profile IoT DDoS attack occurred in 2016 when Dyn, a domain name system provider, was compromised. The attack involved up to 100,000 IoT devices infected with the Mirai malware. These formed a botnet that was used to cripple the company’s services.

The “Satori botnet” is another recent high-profile DDoS-style botnet attack against IoT networks. The (alleged) main perpetrator was recently apprehended for bragging to the media.

2. Man-In-The-Middle (MITM) Attacks

The basis of a MITM attack lies in an unauthorized third party managing to intercept communications and access information like a fisherman in a river. MITM attacks are an ideal way for a cybercriminal to view or change sensitive information and even hijack user accounts.

Any of these actions could have a catastrophic effect on the victim whether it’s an individual, a corporation, or a cloud network associated with numerous companies or brands. MITM attacks drive home the importance of encrypting traffic so that it’s unreadable in transit—even if someone intercepts it.

MITM attacks are especially effective against IoT devices that haven’t been properly secured by the manufacturer. Many solutions providers leave the manufacturer’s default passwords in place through deployment. Hacking into a device or gateway can be as straightforward as googling the default password for a given device model. Moreover, unlike a web browser in which you can check for “https” (secure) in the address bar to ensure a site is safe, IoT devices have no such standard protocol. They have no way to alert the user if a security certificate is expired or otherwise invalid.

3. General Snooping

When every device is connected to the internet, Internet Service Providers (ISPs) and government agencies controlling them have access to a vast amount of your data. With IP addresses in plain view and traffic easily readable, they can track all of your daily business activities. This is yet another reason to encrypt all of your internet traffic.

Image Credit: Cisco Systems

A VPN can go a long way toward mitigating the various risks associated with IoT networks. They’re old and trusted web structures, and we should carry them forward into the IoT revolution. When using a VPN, traffic flows from the device, through an intermediary server, and then continues on to its final destination. This masks the user IP address and replaces it with one from the VPN server.

Plus, when you connect a device to a VPN, all traffic flowing to and from the device is encrypted. The encryption used by top-rated VPN providers is typically 256-bit AES, which is considered military-grade encryption.

Of course, when it comes to mitigating all of the risks outlined previously, there are many pieces to the cybersecurity puzzle. Such problems include improving employee awareness and training while ensuring all operating systems are updated.

Why Secure IoT Devices with a VPN?

The standard application of VPNs across IoT networks could make those networks significantly more robust than they currently are. When a device is connected to a VPN, all of the traffic running to and from it is encrypted. Even if someone were to intercept network traffic they would be virtually unable to interpret it.

A VPN can help protect against DDoS attacks by shielding the user IP address, making it difficult for hackers to launch a targeted attack. Some providers such as PureVPN and TorGuard offer dedicated anti-DDoS servers to protect further against DDoS attacks.

Shielded or “masked” IPs also prevent intruders from tracking user activity. They also limit the attack options available to cybercriminals, which empowers cybersecurity teams better to predict the lines of attack an intruder might pursue in a given VPN-secured IoT network.

When it comes to circumventing MITM attacks, using only HTTPS sites is one of the best defenses as HTTPS sites provide encryption. However, this isn’t always an option; an even better idea is to use a VPN. This way, you would know that all traffic will always be encrypted and therefore unreadable to a third party.

The same goes for general snooping. Your ISP won’t be able to see the contents of your traffic or where it’s going. All that’s visible to the ISP is encrypted traffic going to and from a VPN server.

[bctt tweet=”The standard application of VPNs across #IoT networks could make those networks significantly more robust than they are currently. When an IoT device is connected to a #VPN, all of the traffic running to and from it is encrypted.” username=”iotforall”]

How to Connect IoT Devices to a VPN

If you’ve used a VPN before, VPNs can be implemented through everything from easy-to-use desktop clients and mobile apps to full-scale enterprise IT infrastructures.

So what about covering every device on an office network? Aside from it being impractical to install a VPN on each personal computer, it can also be impossible. Many smart devices, such as TVs, cash registers, and coffee machines, aren’t compatible with VPN software, so you can’t install native apps on them.

There’s a simple solution: use a VPN router. When your router is configured with a VPN, every device connected to that router will automatically be protected by that VPN. Most top-rated VPN providers have made it simple to set up a VPN router and many even offer routers pre-configured with a VPN.

Devices that leave the office, such as laptops and smartphones, will still need to have native VPN apps installed. Failing to protect devices that leave the primary secured area needlessly creates holes in the enterprise’s security architecture. Protecting those mobile devices is especially important if they’ll be used with public WiFi hotspots. Public Wifi is prime hacker territory. Using a VPN every time you connect to public WiFi is essential.

Factors to Consider When Choosing a VPN Provider

A VPN can be a key component in the IoT security solution, but not all VPN providers are made equal or made for every use case. There are hundreds from which to choose. It’s important to know what to look for to suit your unique use case.

As we’ve discussed, configuring a VPN at the router level will be a solid option for many businesses. As such, one of the first things to look for is that the VPN can be easily configured at the router level. Another factor is that you need a VPN provider that is used to dealing with enterprise customers. And last, make sure to choose a provider that’s renowned for speed.

For example, NordVPN offers solutions for businesses, and SaferVPN has a specialized business product: Perimeter 81.

Aside from those considerations, other things you need to take into account are:

Security Privacy Speed Reliability Price Additional features

Let’s take a look at these in more detail.

1. Security

Of course, with this article being about how to secure IoT devices with a VPN, security is priority number one. In addition to 256 AES encryption, you also want to look for additional features, such as DNS leak protection and a kill switch. The former will prevent some forms of IP address leaks; the latter will kill the internet connection if the VPN connections drop so that no data escapes the encrypted tunnel in the event of a breach.

As mentioned, some providers offer dedicated servers that will ensure protection against DDoS attacks. Other handy features include regular IP address switching, stealth protocols, and automatic wifi protection.

2. Privacy

We discussed earlier the potential that ISPs could be watching your every move while online. ISPs don’t necessarily have a vested interest in snooping on your data, but the fact that your unencrypted traffic is visible to them creates another potential security hole to worry about. Of course, when you go with a VPN provider, you’re entrusting them with your information as well. And while there are many reputable providers with solid privacy policies, others aren’t so trustworthy. You need to be careful in your search for a VPN provider.

Some VPN providers will track IP addresses along with destination IP addresses, which means complete records of your activity could be stored indefinitely and handed over to third parties without your knowledge. Be sure to choose a VPN with a strict no-logs policy.

3. Speed

One of the major downsides to using a VPN is that the encryption is likely to slow down your overall internet speed. VPN providers are always working to speed things up, but the reality is, some are still pretty slow. When selecting a provider, consider whether speed is mission critical for your use case.

4. Reliability

Aside from speed, you need to consider the reliability of a VPN. Dealing with overloaded servers and dropped connections simply isn’t good for business and in some IoT applications, dropped connections can cost money, time, and jeopardize business processes and assets. Finding a provider with a large and robust network will usually mean that it can handle high traffic volumes at peak times.

That being said, it’s inevitable that issues can pop up. You need to find a provider that offers prompt and knowledgeable customer support. Many offer 24/7 live chat which can be especially helpful when you’re in a pinch.

5. Price

Another area where VPN providers vary is in price. This will really come down to the size of your business and the number of devices you need to cover. Most standard plans enable you to connect three to ten devices on one subscription. Business plans may work differently and give you a price per team member. Some plans have data caps, so be sure to look at that as well.

6. Additional features

Most VPNs tend to offer a couple of additional features that don’t come standard. For example, “split tunneling” is a neat feature several top providers offer. The feature enables you to handpick which traffic goes through the VPN servers and which traffic travels over a regular internet connection. Split tunneling can be used to optimize IoT networks as operators can parse critical from non-critical data and kernels from abstract layers.

Conclusion

IoT development has a long way to go before fully-secured, standardized, and trustworthy devices are normalized in the market. As such, businesses need to step up their game to help protect against attacks and ensure information doesn’t fall into the wrong hands.

Using a VPN can be a big piece of that security puzzle and can help thwart various attacks. Just be sure to find the right provider that can offer you everything you need in terms of security, privacy, speed, reliability, support, and value.

Written by Paul Bischoff, privacy advocate at Comparitech.com.