Internet of Things includes everything connected to the Internet, which basically refers to a broad range of devices from simple sensor with limited capabilities, consumers’ wearable to smart appliances, home automation devices, manufacturing warehousing and industrial devices.
According to the results of a report published by Gartner Research, in 2020 will have more than 26 billion connected objects, a much larger number of devices than anything the current identity management can handle at the moment.
No doubt that IoT will improve customer experience, where connected objects think on our behalf, automate boring activities, make our lives better more comfortable and healthier which means access to more and more information and control devices remotely.
I would not mind if someone would check the status of my smart meter but would be concerned if someone could remotely control connected devices performing malicious activities. Hackers could monitor home doors or fences, get access to the home network, personal computer, laptop through a smart bulb. Smart teddy bears could be hijacked. A hacker could take car control by hacking systems remotely, sauna stoves can be controlled (started) by sending an SMS message. Worst of all, the power grid could be knocked offline by accessing Industrial control systems,
IoT implementation could be found in several areas such as logistics, farming, industry or home automation. However, its restriction becomes obvious as we connect systems from different vendors. Standards communicating with a lot of different protocols most of them are not HTTP adding application development in IoT more complexity and the” plug and play” mindset where many vendors by simply adding connectivity to devices introducing security holes in the way connected object are communicated, authenticated or managed. As usual, in the rush to launch the new smart system, car, wearable medical device; information security is still an after-thought. Apart from adapting communication protocols and addressing security issues, an overarching security framework is crucial for growing IoT. There is no overall framework driving the IoT Security
Your security is as strong as your weakest link/device!
Your light switch might have one level of encryption and your remote home appliance another. One may use Zigbee protocol, another Bluetooth, and yet another Wi-Fi. Bridges to connect across them will abound. Even if independent systems are secure, we will cobble together systems, and the chain will only be as strong as the weakest link.
The last headlines on security breaches related to IoT have highlighted many security issues not really addressed and challenges faced by large organizations or states
Access Control & Authentication
The common known challenge is that while a device most likely has an identity whether it can be an IP address, MAC address, serial number, device certificate, who controls the access to or to the information the device sends out?
Unauthorized persons might exploit security vulnerabilities and can put lives at risk and harm consumers, there are a lot of examples of connected insulin pumps hacked where settings have been changed to make them no longer delivered medicine, car Hacking and remote control of the vehicle’s engine and braking.
Strong and multiple factor authentication may not be applicable with IoT for instance 2FA (two-factor authentication) such biometry “something you are” and password “something you know” cannot be implemented in objects authentication context. Therefore, objects have to provide some sort of token or certificate. The Public Key Infrastructure can sort out these authentication weaknesses by using certificates and provide the flexibility needed when changing requirements, a cross-platform with a multiprotocol approach.
At the opposite of traditional forms of authentication, PKI can provide the scalability. Billions of IoT devices and systems can be provisioned with digital certificates, providing a unique private key to each device, a secure digital channel can be set which only authorized data flows, encrypted and secured from the view of hackers or intruders.
Vulnerabilities & Patch Management
Vulnerability and patch management are probably the most important issue. Many IoT devices are shipped from the factory not only with these vulnerabilities exposed but also without any effective way to fix them. They are still un-patchable, leaving consumers with unsupported or vulnerable devices shortly after purchase, a huge number of devices rely on weak and simple password 1234, hardcoded password, backdoors, insecure protocols.
There are situations where it’s impossible to patch the software or upgrade the components to the last version. Sometimes the complete source code is not available as many of the device drivers and other components are just “binary blobs” no source code at all which make in these cases the patching process technically not applicable.
Regulation and enforcing mechanisms need to be found to make embedded system vendors to design their systems better. We need standards, open-source driver software, and no more binary blobs. Third party vendors and ISPs can provide security tools and software updates for as long as the device is in use.
There is a lack of accountability for devices security, for many consumer devices, there is not a clear ownership on who owns the security. Manufacturer post firmware updates on their websites, it’s up to the consumers or users to download and update products, many coming with obscure instructions.
Ethical Hacking Training – Resources (InfoSec)
Security by Design and Full Lifecycle Requirements
To properly address the challenges of the IoT software update problem, it is essential to consider the full lifecycle of the IoT device. This begins during the design and manufacturing when the security credentials must be generated, allocated, and provisioned into the devices in a secure manner. It also incorporates the lifecycle of the device vendor who might be bought out or go bankrupt – we need to consider how to continue patching essential devices when the original manufacturer no longer exists. Finally, it ends with addressing various end-of-life scenarios such as how to decommission and recycle those devices that no longer can or should be supported.
A compromised IoT device could be used to launch a denial of service attack. The more devices compromised by the attacker, the more effective and destructive will be.
The last DYN DDOS attacks were made possible through thousands of unsecured IoT devices such as home routers, IP camera compromised by infected malicious code generating massive amounts of bogus traffic to the targeted Dyn servers; the use of default passwords on these devices enable hackers to gain access and launch the attack.
Anonymous attacker in October said to have only used 100,000 devices; imagine what could be done with one billion devices creating a network of insecure connections. The least IOT manufacturer must do is to put controls to detect these threats, disable IoT devices once an attack is spreading and commit to communicating the risks.
IoT development has not been followed by a legal framework to support and regulate IoT and protect consumer’s privacy, security, ownership of data (including the use of aggregated data), responsibility and legal liability.