IoT Security Challenges

What is IoT Security? Internet of Things (IoT) is a collection of many interconnected objects, services, humans, and devices that can communicate, share data, and information to achieve a common goal in different areas and applications.

IoT has many implementation domains like transportation, agriculture, healthcare, energy production and distribution. Devices in IoT follow an Identity Management approach to be identified in a collection of similar and heterogeneous devices.

By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices. State of the IoT 2020: 12 billion IoT connections (iot-analytics.com). According to The McKinsey Global Institute, 127 new devices connect to the internet every second.

IoT mainly operates on three layers termed as Perception, Network, and Application layers. Each layer of IoT has inherent security issues associated with it.

• Perception Layer
• Network Layer
• Application Layer

Cybersecurity Threat: Average household hit with 104 threats each month

An active attack directly stops the service while the passive kind monitors IoT network information without hindering its service. At each layer, IoT devices and services are susceptible to Denial-of-Service attacks (DoS), which make the device, resource, or network unavailable to authorized users.

Typical security goals of Confidentiality, Integrity, and Availability (CIA) also apply to IoT. However, the IoT has many restrictions and limitations in terms of the components and devices, computational and power resources, and even the heterogeneous and ubiquitous nature of IoT that introduces additional concerns.

IoT Security Challenges can be broadly divided into two classes, Technological challenges and Security challenges. There are different mechanisms to ensure security including but not limited to:

• The software running on all IoT devices should be authorized.
• When an IoT device is turned on, it should first authenticate itself into the network before collecting or sending data.
• Since the IoT devices have limited computation and memory capabilities, fire-walling is necessary for the IoT network to filter packets directed to the devices.
• The updates and patches on the device should be installed in a way that additional bandwidth is not consumed.

Do not use universal default passwords. To increase security, multi-factor authentication, such as the use of a password plus OTP procedure, can be used to better protect the device or an associated service. Device security can further be strengthened by having unique and immutable identities.

• Implement a means to manage Vulnerability Reporting. In the IoT industry, CVD is currently not well-established, CVD provides companies with a framework to manage this process. This gives security researchers an avenue to inform companies of security issues, puts companies ahead of the threat of malicious exploitation, and gives companies an opportunity to respond to and resolve vulnerabilities in advance of public disclosure.
• Keep Software Updated. Developing and deploying security updates in a timely manner is one of the most important actions a manufacturer can take to protect its customers and the wider technical ecosystem. It is good practice that all software is kept updated and well-maintained.
• Securely store sensitive security parameters. Sensitive security parameters in persistent storage must be stored securely by the device. Provisioning a device with unique critical security parameters helps to protect the integrity and authenticity of software updates as well as the communication of the device with associated services. If global critical security parameters are used, their disclosure can enable wide-scale attacks on other IoT devices such as to enable the creation of botnets.
• Communicate Securely. The consumer IoT device must use best-practice cryptography to communicate securely. Confidentiality and integrity protection can be achieved using an encrypted communication channel or payload encryption. This is often done using protocols or algorithms at least as strong as the key material transmitted, however other mitigations, such as the need for close proximity, are available.
• Minimize exposed attack surfaces. The “principle of least privilege” is a foundation stone of good security engineering, applicable to IoT as much as in any other field of application. Security-relevant information can be exposed over a network interface as part of the initialization process. When security-relevant information is shared by a device when establishing a connection, it can be used by attackers to identify vulnerable devices. Disable all unused network and logical interfaces.
• Ensure Software Integrity. IoT devices should verify their software using secure boot mechanisms. The ability to recover remotely from unauthorized changes can rely on a known good state, such as locally storing a known good version to enable safe recovery and updating of the device. This will avoid denial of service and costly recalls or maintenance visits, whilst managing the risk of potential takeover of the device by an attacker subverting update or other network communications mechanisms.
• Ensure that personal data is secure. The confidentiality of personal data transiting between a device and a service, especially associated services, should be protected, with best-practice cryptography.
• Make systems resilient to outage. Resilience should be built into consumer IoT devices and services, taking into account the possibility of outages of data networks and power.
• Examine system telemetry data. If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be examined for security anomalies. Examining telemetry, including log data, is useful for security evaluation and allows for unusual circumstances to be identified early and dealt with, minimizing security risk and allowing quick mitigation of problems.
• Make it easy for users to delete user data. The user shall be provided with functionality such that user data can be erased from the device in a simple manner. Such functionality is intended for situations when there is a transfer of ownership, when the consumer wishes to delete personal data, when the consumer wishes to remove a service from the device and/or when the consumer wishes to dispose of the device. It is expected that such functionality is compliant with applicable data protection law, including the GDPR.
• Make installation and maintenance of devices easy. Security issues caused by consumer confusion or misconfiguration can be reduced and sometimes eliminated by properly addressing complexity and poor design in user interfaces. Clear guidance to users on how to configure devices securely can also reduce their exposure to threats.
• Validate input data. The IoT device software must validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and devices.

Talk to a Cybersecurity Trusted Advisor to learn how you can effectively mitigate these Security Threats and Risks.