The Internet of Things promises to connect products and industries – it’s in our cars, our cities and our homes, here to make our daily routine that little bit more convenient. The ongoing innovation by developers and manufacturers, paired with the endless opportunity in the industry, shows to all that IoT certainly has huge headroom for growth.
However, with this eagerness to get hi-tech products to the masses, security models are unfortunately often overlooked and are fast becoming a major concern, holding back the rapid growth experts predict.
In recent years, there have been far too many privacy and security related incidents involving IoT devices. These range from severe weaknesses in connected cars, which prompted legislators to introduce legal security requirements for car manufacturers, to entire electrical grids and critical infrastructures suffering cyber-attacks through vulnerabilities in their computing systems.
Devices can be too easily modified and this opens up a variety of relatively easy avenues for attackers to try and find a way to exploit the hardware, seriously putting organizations’ private data and IP at risk and in turn destroying users’ privacy.
IoT risk vs. reward
Home automation systems are often the most frequently hit by these cyber-attacks, as the audience they are targeted at is not tech savvy and, at the point of purchase, is not aware of any security issues. Hackers can manipulate and expose a whole host of flaws in many new pieces of technology that we welcome into our homes. For example, it was reported that a cloud-based baby monitor service, which allowed users access to the device over the internet, had a vulnerability allowing hackers to easily extract the device’s serial number, subsequently allowing hackers access to other cameras. Flaws such as this could have been prevented simply by implementing an authentication scheme on a per-account basis; sometimes the flaw is even as simple as not changing the default admin password.
IoT supports devices from a large number of manufacturers, who will implement ‘backdoors’ they can access to make changes like firmware upgrades and remote diagnostics. However, unless field devices use mutual authentication or other encryption techniques, firmware updates can be compromised. Even if individual devices are designed with device-level security, an interconnected architecture may still expose vulnerabilities.
Electronic devices in general have accessible interfaces such as JTAG ports and MAC addresses that provide an increased ‘attack surface’, making these devices highly vulnerable to invasive attacks that reverse engineer security. Devices that invariably share components and firmware across product lines could also allow a vulnerability detected in one system to be exploited in another one using the same chipset.
Most IoT systems also have field sensors that can be subject to physical security issues. Critical sensors can malfunction if subjected to higher operating temperatures or voltage ranges, or they could simply be vandalized or even replaced with rogue devices connected to a cybercriminal’s bot network.
Quite often, IoT devices are ‘watered down’ versions of more sophisticated systems, which may lead to vulnerabilities. For example, the consumer version of a thermostat made by an industrial HVAC manufacturer had security vulnerabilities not found in the industrial-grade version.
Protection and resilience
To ensure the public’s faith in IoT systems is not shaken to the detriment of future development, they must be designed to prevent attacks, be resilient under attacks and be able to detect and recover from such attacks. One example would be secure chips with secret keys, which can make it difficult for malicious actors to introduce rogue devices undetected. To make critical devices harder to reverse engineer, physical unclonable functions can be used to create unique identifiers that only exist when the chip is powered up.
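The following is an added example, not part of the original article: a challenge-response check showing how a per-device secret key lets a backend reject a rogue device that claims a genuine device's identity. The `Device` and `Verifier` classes, the `sensor-01` identifier and the choice of HMAC-SHA256 are assumptions made for illustration; on real hardware the key would sit inside the secure chip rather than in a Python object.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # Bind the response to both the claimed identity and the fresh nonce.
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class Device:
    """Stands in for a secure chip: the key is used but never exported."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self._key, self.device_id, nonce)


class Verifier:
    """Backend that provisions keys and challenges devices before trusting them."""
    def __init__(self):
        self._keys = {}      # device_id -> key provisioned at manufacture
        self._pending = {}   # device_id -> outstanding single-use nonce

    def provision(self, device_id: str) -> Device:
        self._keys[device_id] = secrets.token_bytes(32)
        return Device(device_id, self._keys[device_id])

    def challenge(self, device_id: str) -> bytes:
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)   # each nonce is valid once
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_mac(key, device_id, nonce), response)


def demo():
    v = Verifier()
    genuine = v.provision("sensor-01")                     # constructed device id
    rogue = Device("sensor-01", secrets.token_bytes(32))   # same id, wrong key
    recorded = genuine.respond(v.challenge("sensor-01"))
    genuine_ok = v.verify("sensor-01", recorded)
    rogue_ok = v.verify("sensor-01", rogue.respond(v.challenge("sensor-01")))
    v.challenge("sensor-01")
    replay_ok = v.verify("sensor-01", recorded)    # old response, fresh nonce
    unknown_ok = v.verify("sensor-99", recorded)   # never provisioned
    return genuine_ok, rogue_ok, replay_ok, unknown_ok
```

The fresh nonce per challenge is what makes a recorded response useless to a replacement device, and the constant-time comparison avoids leaking how much of a guessed response was correct.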
When it comes to preventing attacks in the first place, identity is at the foundation of security – it’s equally important to create a robust and comprehensive notion of identity for IoT devices. Identity, analytics and visualization tools will help gain insights, via an easy-to-comprehend visual. These insights can also help create an advanced landscape of threats, especially for large-scale IoT systems.
Organisations are now taking notice of the security threats that come with IoT. With hackers constantly improving and developing new techniques to break down systems, IoT providers and industry bodies are working on a framework to allow sharing best practices as well as creating ‘security standards’ to ensure vulnerabilities are identified and rectified before these devices are available on the market. This should help establish a robust security model for IoT, removing the bottleneck preventing the explosive growth that experts predicted – without putting users’ privacy at stake.
Author: DJ Singh, Digital Strategy Architect at Wipro Digital