The future growth of IoT depends on how securely we can transfer data from device sensors to the cloud and across analytical platforms. The issue of “IoT security” has become more prominent in the wake of recent attacks such as the Dyn cyberattack and the “WannaCry” ransomware incident.
As the number of devices connected to IoT soars, they will become a more frequent target for hackers, who are scanning for IoT vulnerabilities at a frenetic pace. In the case of the Dyn cyberattack, for example, they were able to tap into the default SSID and password of IP cameras left in factory mode. Clearly, IoT raises several transparency and privacy issues, and IoT devices, along with their platforms, operating systems, communications, and so forth, face a wide range of security risks and challenges.
Let’s explore some of the major security issues associated with IoT ecosystems.
- Points of vulnerability:
In any IoT ecosystem, connected devices that use old and unpatched embedded operating systems and software are naturally vulnerable to security threats. Poor encryption and backdoors may allow unauthorized access to connected devices, which leads to potential risks.
- Data collection, protection and authentication:
Sensors in IoT devices generate enormous amounts of data, so they require faster networks, larger storage capability and more bandwidth, but no open ecosystem is yet ready to host these devices and make them interoperable. The process of authentication is tasked with identifying connected devices in networks and restricting access to authorized persons and non-manipulated devices.
- Side-channel Attacks:
When IoT devices communicate with the internet, they generate signals called “side channels”, which are vulnerable to security hacks. These signals show the level of power consumption at any moment, so an attacker can use them to overcome the encryption that protects an IoT device; this is known as a “side-channel attack.” Such attacks have less to do with the information itself and more to do with how the information is presented, such as a DDoS attack that jams transmission via a malicious node, refuses to route messages, or redirects them where they shouldn’t go.
- Hardware Issues:
These issues are found in the perception/hardware layer, which mainly consists of many varied and highly heterogeneous devices such as smart cards, RFID tags, readers and sensor networks. Issues include node capture, physical attack, etc. A physical attack may target the hardware with the intention of draining the battery, physically damaging the gateway, or tampering with exposed serial or debug ports to gain unauthorized data access.
- Supply chain management:
IoT provides valuable modern conveniences but also raises concerns about supply chain vulnerability, as there are no conventions dictating or communicating the security of IoT devices. In the absence of such norms, customers can be exposed to unpredictable supply chain risks.
Our Recommendations on IoT Security
- Traditional parameters like authenticity, confidentiality, integrity, privacy and availability can be used to secure an IoT ecosystem.
- To manage the security of interconnected devices, we need a truly open ecosystem with standardized application programming interfaces that enable interoperability with a reliable and automatic patching system. Cryptographic mechanisms are a more robust way of securing communication against counterfeiting, firmware tampering and illegal access.
- Highly secure, layered security is needed to protect the data against malware attacks and vulnerabilities in networks and software applications.
- Hardware security can be implemented by introducing chip security in the form of TPMs (Trusted Perception Module), trusted terminal module and trusted network module. Secure booting can be used to ensure only verified software will run on the device.
- Network security can be achieved using data-centric security solutions, which ensure the safety of data through encryption while in transit or at rest. To detect unwanted intrusions and prevent malicious activities, firewalls and intrusion prevention systems can be used.
- Application layer security refers to methods of protecting web applications from malicious attacks that may expose private information. It can be achieved by using a web application firewall, an application delivery controller, a secure web gateway, etc.
- There have to be national certifications or policies that certify electronic supply chain security.
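Secure booting and tamper-resistant patching, as recommended above, both come down to a device refusing any firmware image it cannot authenticate. The sketch below is an added example, not code from this article: it uses an HMAC-SHA256 tag under a device-provisioned key as a stand-in for a vendor signature, and the image layout, `build_image`, `verify_image`, `status` and the sample key are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not a real vendor format):
#   4-byte magic | 4-byte big-endian version | payload | 32-byte HMAC-SHA256 tag
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sI")
TAG_LEN = hashlib.sha256().digest_size


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: authenticate header and payload together."""
    body = HEADER.pack(MAGIC, version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, min_version: int) -> bytes:
    """Device side: return the payload only if authentic and not a rollback."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("image truncated")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare: the check must not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        raise ValueError("bad magic")
    # The version is covered by the tag, so it cannot be edited to dodge this check.
    if version < min_version:
        raise ValueError("rollback rejected")
    return body[HEADER.size:]


def status(key: bytes, image: bytes, min_version: int) -> str:
    """Boot decision as a string: 'ok' or the reason the image was refused."""
    try:
        verify_image(key, image, min_version)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # constructed sample key
    image = build_image(demo_key, 7, b"constructed firmware payload")
    print(status(demo_key, image, 5))  # current, authentic image
    print(status(demo_key, image, 8))  # older than the device's minimum version
    print(status(demo_key, image[:-1] + b"\x00", 5))  # tag modified
```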
In summary, it is important to secure not only the endpoints and networks but also the data transferred across the network, by creating a security paradigm. To protect IoT devices and platforms, security technologies will be required to guard against both information attacks and physical tampering, to encrypt their communications, and to address new challenges. Device lifecycle management is also critical in fencing your perimeters completely.