What is IoT Security (Internet of Things)? - Tools & Technologies
What is IoT Security?
Internet of Things Security (IoT Security) comprises protecting the internet-enabled devices that connect over wireless networks. IoT security is the safety component tied to the Internet of Things, and it strives to protect IoT devices and networks against cybercrime.
The data collected from IoT sensors contains a large amount of private information and needs to be protected. There are two key issues, privacy and security, that need attention when it comes to IoT security.
Security Basics - Fundamentals
There are 5 major components of IoT:
- Data processing
- Feedback and control
- Cloud/Server (IoT platform)
Security and privacy are considered essential components and must be added to this list of components.
IoT security has been introduced to the industry and is used in various ways:
- Cyber-Physical Systems (CPS)
- Cyber Transportation Systems (CTS)
- Machine-to-Machine (M2M) Interaction
The security architecture comprises four fundamental layers for security analysis:
1. Perceptual Layer
This layer, also referred to as the recognition layer, is the most basic level. It gathers all types of information with the help of physical equipment (sensors) and identifies and reads the external world. The information from the device's sensors includes the properties of the objects, or the things, the environmental conditions, and more. Physical equipment such as RFID readers, GPS, all kinds of sensors, and other equipment comes under this layer. Though there are different components involved, the critical component in this layer is the sensors that are used for capturing and representing the physical world, i.e., the data given by sensors enters the system at this layer.
2. Network Layer
This layer transmits the collected data over the underlying networks, such as the mobile communication network, the WiFi network, the satellite network, and more. It is responsible for the dependable transmission of the data that comes from the previous layer. Most importantly, the data gathered from sensors is transmitted to the next level for processing. The initial handling of the data collected through the sensors, such as cataloging and aggregation, also happens here.
3. Support Layer
This layer acts as the mediator between the upper layer and the lower layer. Consider it the platform on which a proper application layer is set up, as it merges the application layer above with the network layer below. It draws on all kinds of computing power through grid and cloud computing.
4. Application Layer
In this layer, the personalized delivery of applications happens: whichever application the user wants or is presented with is taken care of in this layer. Examples include smart water, smart transportation, smart environment support, smart air systems, and more. Delivery can be through computers, mobile devices, television, and more.
Challenges in IoT Security
- Security approaches that rely heavily on encryption are not a good fit for constrained devices, as they cannot perform sophisticated encryption and decryption quickly. These devices with constrained resources are most vulnerable to side-channel attacks, and reverse engineering of the algorithm is possible.
- Device authorization, along with authentication, is critical when it comes to securing IoT products and systems.
- Devices must establish their identity before proceeding further with gateway access and other cloud-related activities.
- An IoT platform with two-factor authentication and the use of strong passwords or certificates can help to solve this issue.
- Authentication and authorization also help to determine which services or apps each device has access to throughout the system.
- Device updates need to be managed effectively as well. Applying security patches to firmware or software comes with several challenges. Over-the-air updates may not be possible with all kinds of IoT devices, and device owners may not show much interest in applying an update to the system.
- The communication channel needs to be secured as well. Using transport encryption and adopting standards like TLS is better than encrypting messages before transfer.
- The sensor data should be stored and processed securely. Data integrity measures, including checksums or signatures, can help to make sure that the original raw data is not modified during transmission. Data that is not required should be disposed of or detected in a better way and should not be retained in any part of the system. Maintaining compliance with legal and regulatory frameworks is another challenge here.
- All applications and services should also be secured, as they manage, process, and access IoT devices along with the sensor data.
Security vulnerabilities and breaches are inevitable, but measures need to be taken as much as possible to avoid conflicts of interest.
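The data-integrity point above names both checksums and signatures. The following added example, which is not from the original article, puts the two side by side: a CRC32 checksum that anyone can recompute, and a keyed HMAC-SHA256 signature that a receiver verifies together with a sequence number to reject replays. The device name, key, and field names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed per-device key for the example; in practice it is provisioned
# per device and kept in protected storage, never hard-coded.
DEVICE_KEY = b"constructed-example-key-0001"


def encode(reading: dict) -> bytes:
    """Canonical byte encoding so sender and receiver hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def crc_tag(payload: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption only."""
    return format(zlib.crc32(payload), "08x")


def hmac_tag(payload: bytes, key: bytes = DEVICE_KEY) -> str:
    """Keyed signature (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Receiver:
    """Verifies the HMAC, then rejects replayed or stale sequence numbers."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_seq = {}  # device id -> highest sequence number accepted

    def accept(self, payload: bytes, tag: str) -> str:
        expected = hmac_tag(payload, self.key).encode()
        if not hmac.compare_digest(expected, tag.encode()):
            return "rejected: bad signature"
        reading = json.loads(payload)  # parsed only after the tag verified
        if reading["seq"] <= self.last_seq.get(reading["device"], -1):
            return "rejected: replay"
        self.last_seq[reading["device"]] = reading["seq"]
        return "accepted"


def tamper(payload: bytes, **changes) -> bytes:
    """Simulates in-transit modification of a reading (constructed input)."""
    reading = json.loads(payload)
    reading.update(changes)
    return encode(reading)
```

A modified reading can always be shipped with a freshly computed `crc_tag`, because the checksum needs no secret; the same modification fails `Receiver.accept` because the HMAC cannot be recomputed without the device key.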
Best IoT Security Technologies
Mentioned below are the most popular IoT security technologies based on Forrester's analysis:
1. IoT Network Security
IoT network security is more challenging than traditional network security, as communication protocols, standards, and device capabilities have a more extensive range, all of which pose significant issues and increased complexity. It involves securing the network connection that connects the IoT devices with the back-end systems on the internet. Capabilities include traditional endpoint security features like antivirus and antimalware as well as firewalls and intrusion prevention and detection systems. Sample vendors are Cisco, Darktrace, and Senrio.
2. IoT Authentication
It gives users the ability to authenticate IoT devices, including managing multiple users for a single device, with mechanisms ranging from static passwords to more robust authentication such as two-factor authentication, digital certificates, and biometrics. Unlike most enterprise networks, where authentication processes involve a human being entering a credential, many IoT authentication scenarios are M2M based and do not involve any human intervention. Sample vendors: Baimos Technologies, Covisint, Entrust Datacard, and Gemalto.
3. IoT Encryption
This involves encrypting data at rest and in transit between IoT edge devices and back-end systems using standard cryptographic algorithms, maintaining data integrity, and preventing data sniffing by hackers. Several IoT devices and hardware profiles limit the ability to have standard encryption processes and protocols. Further, all IoT encryption must be accompanied by equivalent full encryption key lifecycle management processes, since poor key management would reduce overall security. Sample vendors: Cisco, HPE.
4. IoT Security Analytics
This technology involves collecting, aggregating, monitoring, and normalizing data from IoT devices and providing actionable reporting and alerting on suspicious activity or when activity falls outside established policies.
These solutions add sophisticated machine learning, artificial intelligence, and big data techniques, providing more predictive modeling and anomaly detection, but such capabilities are still emerging. IoT security analytics will increasingly be required to detect IoT-specific attacks and intrusions that are not identified by traditional network security solutions such as firewalls. Sample vendors: Cisco, Indegy, Kaspersky Lab, SAP, and Senrio.
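The collect, normalize, aggregate, and alert pipeline described above can be shown in miniature. This is an added example, not code from the article or from any vendor it lists: it normalizes flow records arriving in two formats, aggregates them per device for one time window, and alerts when activity falls outside a per-class policy. The policy, device names, hostnames, and record formats are all constructed.

```python
from collections import defaultdict

# Constructed policy: per device class, the destinations a device may talk to
# and the most bytes it may send per window. All names are hypothetical.
POLICY = {
    "thermostat": {"allowed_dst": {"telemetry.example.net"}, "max_bytes": 5_000},
    "ip-camera": {"allowed_dst": {"video.example.net", "ntp.example.net"},
                  "max_bytes": 50_000_000},
}

# Constructed flow records in two formats, as a collector might receive them.
RAW_EVENTS = [
    "thermo-01|thermostat|telemetry.example.net|1200",
    "thermo-01|thermostat|telemetry.example.net|900",
    {"dev": "cam-07", "type": "ip-camera", "dest": "video.example.net", "tx": 4_000_000},
    "thermo-02|thermostat|files.example.org|750",
    "thermo-02|thermostat|telemetry.example.net|9800",
    {"dev": "lock-03", "type": "door-lock", "dest": "telemetry.example.net", "tx": 300},
]


def normalize(event):
    """Map either input format onto one schema: (device, class, dst, bytes)."""
    if isinstance(event, dict):
        return event["dev"], event["type"], event["dest"], int(event["tx"])
    device, dev_class, dst, sent = event.split("|")
    return device, dev_class, dst, int(sent)


def evaluate(events, policy=POLICY):
    """Aggregate one window of events and return sorted (device, reason) alerts."""
    alerts, totals, classes = set(), defaultdict(int), {}
    for device, dev_class, dst, sent in map(normalize, events):
        classes[device] = dev_class
        totals[device] += sent
        rule = policy.get(dev_class)
        if rule is None:
            alerts.add((device, "no policy for device class " + dev_class))
        elif dst not in rule["allowed_dst"]:
            alerts.add((device, "destination outside policy: " + dst))
    for device, total in totals.items():
        rule = policy.get(classes[device])
        if rule and total > rule["max_bytes"]:
            alerts.add((device, f"sent {total} bytes, limit {rule['max_bytes']}"))
    return sorted(alerts)
```

Devices whose class has no policy are alerted on rather than silently ignored, so an unknown device joining the network shows up in the report.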
5. IoT API Security
This technology enables us to authenticate and authorize data movement between IoT devices, back-end systems, and applications using documented REST-based APIs. API security protects the integrity of data transiting between edge devices, back-end systems, and applications that use documented REST-based APIs, and it also detects potential threats and attacks against APIs. Sample vendors: Akana, Apigee/Google, Axway, CA Technologies, Mashery/TIBCO, MuleSoft, and more.
Industrial Hacks and Breaches of IoT (Internet of Things)
1. Stuxnet
Stuxnet is a sophisticated computer worm that is designed to detect specific machinery used in the nuclear industry. Stuxnet has several safeguards, such as self-disabling and self-erasing, that prevent it from being detected on machines running specific security programs. Stuxnet begins to look for centrifuges (machines used to isolate isotopes of uranium) and reprograms them to perform varying cycles, resulting in the centrifuges disintegrating. Centrifuges are a form of IoT device, and Stuxnet is one of the computer worms that destroys real-world devices rather than hacking them to perform software damage.
2. Mirai
Mirai is an IoT malware that gains access to IoT devices using common usernames and passwords. For instance, it targets IoT devices like IP cameras, monitors, and loggers running Linux and accesses them with default credentials such as "admin" and "password," which allows the malware to access the system quickly and turn them into bots. The combination of millions of devices allows the collection of bots, termed a botnet, to perform DDoS (distributed denial of service) attacks on major networks, as a single IoT device cannot perform much of an attack. One distinct feature of Mirai is that it is hardcoded to ignore specific IP ranges, including IP addresses owned by HP, GE, and the US Department of Defense. Mirai is a perfect example of why designers of IoT devices that integrate publicly available software must recognize that default login credentials should be changed, as they can otherwise be abused in severe attacks.
3. Casino Data Leak
Hacking servers for sensitive information is often assumed to involve some clever infiltration of the central server, either through backdoors or through some smart security flaw such as Heartbleed.
Here, hackers gained access to the network using a trivial vulnerability in a smart thermometer, retrieved data, and then extracted the data back out through the temperature sensor and into the cloud. The fact that even the most straightforward device with internet access can bring down the strictest networks makes this attack daunting. All it takes is an engineer deciding not to (or forgetting to) implement security on something as simple as a temperature sensor.
4. The Jeep Hack
Two white hat hackers proved how easy it was to hack a Jeep Cherokee remotely over the internet. What the pair performed ranged from minor pranks, like turning on the A/C, to being able to steer the car and turn the engine off. The vulnerability came from the Jeep's use of a dashboard system called Uconnect, which provided an access point to rewrite the firmware on the chip. With the ability to rewrite the firmware, the chip could access the rest of the car controls via the CAN bus.
It is believed that many cars that utilize the Uconnect system are at risk, as only a handful of cars have been tested for this weakness. The vulnerabilities that come with it are not being heavily considered, as car manufacturers are desperate to integrate smartphone technology into their vehicles.
5. Medical Implant
The FDA recalled nearly half a million pacemakers in 2017 out of fear that they could be hacked remotely. The recall did not see devices being removed from patients, as the procedure could be dangerous; rather, a firmware update was applied remotely by medical staff. The devices were controlled remotely with few security measures. The fear behind the recall was that the firmware could be changed, for example, causing the battery to run flat. The example demonstrates the importance of security for the health and wellbeing of patients. It also illustrates the complexity of these otherwise simple devices.
Top IoT Security Tools
1. M2MLabs Mainspring
M2MLabs Mainspring is an open-source application framework for building M2M (machine to machine) applications such as fleet management, remote monitoring, or smart grid. Its capabilities include device configuration, flexible modeling of devices, communication between application and devices, normalization and validation of data, data retrieval functions, and long-term data storage. It's based on the Apache Cassandra NoSQL database and Java. Applications in M2M can be prototyped in hours rather than weeks and finally transferred to a high-performance execution environment built on top of a standard J2EE server and the highly scalable Apache Cassandra database.
2. Flutter
Flutter, whose claim to fame is its long range, is a programmable processor core for electronics projects, designed for engineers, students, and hobbyists. This Arduino-based board has a wireless transmitter that reaches more than a half-mile. Plus, you don't need a router; Flutter boards can communicate with each other directly. It includes 256-bit AES encryption, and it's easy to use.
3. Eclipse IoT Project
Heard of the Lua programming language, have you? Eclipse sponsors several different projects surrounding IoT. They include application frameworks and services, open-source implementations of IoT protocols, and tools for working with Lua, which is an ideal IoT programming language promoted by Eclipse. Eclipse-related projects include Mihini, Koneki, and Paho.
4. Kinoma
Kinoma is a Marvell Semiconductor hardware prototyping platform consisting of three different projects:
- Kinoma Create is an open-source DIY construction kit to prototype electronic devices.
- Kinoma Studio is open-source and provides a development environment that works with Create and the Kinoma Platform Runtime.
- Kinoma Connect is a free iOS and Android app that links smartphones and tablets with IoT devices.
5. Node-RED
Node-RED is a visual tool that wires together APIs, IoT hardware devices, and online services in exciting ways. Built on Node.js, Node-RED describes itself as "a visual tool for wiring the Internet of Things." It allows developers to connect devices, services, and APIs using a browser-based flow editor. It can run on Raspberry Pi, and more than 60,000 modules are available to extend its capabilities.
Pros and Cons of IoT
- It provides the ability to access information from anywhere at any time on any device by encouraging M2M communication. The physical devices are capable of staying connected; hence, total transparency is available with higher quality and minor inefficiencies.
- Transferring data packets over a connected network saves time and money. By allowing data to be communicated and shared between electronic devices and then translated into the form we require, IoT makes our systems efficient, thereby saving cost and energy.
- Automating tasks helps to improve the quality of business services and reduces the need for human intervention. Because physical objects are controlled and connected digitally over wireless infrastructure, there is a significant amount of automation and control in the workings.
- As different devices and technologies are involved, the number of connected devices increases, and more information is shared between them. This increases the chances that a hacker could steal confidential information, which directly raises security and privacy issues. Storage and data retrieval become a significant concern as well.
- As with all complex systems, the possibility of failure increases. Failures could skyrocket in the case of the Internet of Things, as enterprises may have to deal with massive numbers, maybe even millions, of IoT devices, and collecting and managing the data from all those devices becomes challenging.
- If there's a bug in the system, every connected device would likely become corrupted.
- Since there's no international standard of compatibility for IoT, it isn't easy for devices from different manufacturers to communicate with each other.
- Daily activities getting automated would eventually result in a reduced need for human resources and less educated staff, which may create employment issues in society.
No doubt, IoT would change the development services process. Although moving with the latest technology is encouraged, it's also advisable to study and analyze the negative aspects and be prepared for the outcome. Digital businesses need to understand that although IoT-connected products provide effortless support, the same devices have become an attractive attack surface for hackers and cybercriminals seeking to cause disruption and exfiltrate sensitive data.