This document discusses Internet of Things (IoT) security. It begins by defining IoT and describing common IoT applications in consumer, commercial, industrial, and infrastructure sectors. It then defines IoT security and explains that security is an important area due to the rapid growth of connected devices. The document outlines four layers of IoT security: device, communication, cloud, and lifecycle management. It identifies some of the main security issues like default passwords, unpatched systems, and access to APIs and data. Finally, it discusses best practices for IoT security including authentication, encryption, privacy controls, and firmware updates.
2. Internet Of Things
• The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect and exchange data.
• It involves extending internet connectivity beyond standard devices to any range of non-internet-enabled physical devices and everyday objects.
• Embedded with technology, these devices can communicate and interact over the internet, and they can be remotely monitored and controlled.
3. Applications
• Consumer Applications –
▫ Smart Home
▫ Elder Care
• Commercial Applications –
▫ Medical and Healthcare
▫ Transportation
▫ Building and Home Automation
• Industrial Applications –
▫ Manufacturing
▫ Agriculture
• Infrastructure Applications –
▫ Metropolitan Scale Deployments
▫ Energy Management
▫ Environmental Monitoring
5. What is IoT security?
• IoT security is the area of endeavor concerned with safeguarding connected devices and networks in the Internet of Things.
• There has been a rapid increase in IoT security spending in the past few years.
7. • Device: The device layer refers to the hardware level of the IoT solution, i.e., the physical “thing” or product. ODMs and OEMs (who design and produce devices) are increasingly integrating more security features in both their hardware and the software running on the device to enhance the level of security on the device layer. Security components include: physical security, data at rest, chip security, secure boot, device authentication and device identity.
• Communication: The communication layer refers to the connectivity networks of the IoT solution, i.e., the mediums over which data is securely transmitted/received. Whether sensitive data is in transit over the physical layer (e.g., WiFi, 802.15.4 or Ethernet), networking layer (e.g., IPv6, Modbus or OPC-UA), or application layer (e.g., MQTT, CoAP or WebSockets), unsecured communication channels can be susceptible to intrusions such as man-in-the-middle attacks. Security components include: access control, firewall, IPS, IDS, and end-to-end encryption.
8. • Cloud: The cloud layer refers to the software backend of the IoT solution, i.e., where data from devices is ingested, analyzed and interpreted at scale to generate insights and perform actions. IoT cloud providers are expected to deliver secure and efficient cloud services by default to protect from major data breaches or solution downtime issues. Security components include: data at rest, platform and application integrity verification.
• Lifecycle management: Secure Lifecycle Management refers to an overarching layer with continuous processes required to keep the security of an IoT solution up-to-date, i.e., ensuring sufficient security levels are in place from device manufacture and initial installation to the disposal of things. Security components include: risk assessment, policies & auditing, activity monitoring, updates and patches, vendor control, user awareness assessment, and secure decommissioning.
9. The Real Problem
• The main problem is that because the idea of networking appliances and other objects is relatively new, security has not always been considered in product design.
• IoT products are often sold with old and unpatched embedded operating systems and software.
• Furthermore, purchasers often fail to change the default passwords on smart devices -- or if they do change them, fail to select sufficiently strong passwords.
10. Increased risks introduced by IoT
• More points of exposure: The growing number of connected devices, applications, systems and end users means more points of exposure.
• IoT devices themselves become new attack vectors: Every compromised device becomes a new possible attack point, which by definition means a higher probability of attacks.
• Increased impact of attacks: With more connected devices in many applications (i.e., hundreds of different use cases which all build on different standards, interact with different systems and have different goals – for example, see the Enterprise IoT Project List for 640+ different use cases), especially critical infrastructure applications where there is an increased impact of attacks (i.e., damage to the physical world and possible loss of life), the stakes are much higher for hackers, which increases the threat level.
• New threats from across the stack: In addition, a more complex technology stack means new threats are possible from across the stack, which must be counteracted by the implemented cybersecurity measures and by experienced security professionals.
11. Some Top Security Issues
• Consumer IoT
▫ Network Security
▫ APIs
▫ Data at rest
• Commercial IoT
▫ Cryptography
▫ Physical access
13. The five main types of IoT attackers today are:
• Amateur hackers: e.g., script kiddies, hobbyists.
• Petty criminals: e.g., low-level cyber criminals.
• Cyberespionage groups: e.g., organized syndicates or crime groups such as Armada Collective, Black Vine, GreenBug.
• Terrorists / hacktivists: e.g., professional, non-state actors such as Oxblood Ruffin or political hacktivists.
• State sponsored attackers: e.g., foreign espionage via state-sponsored sabotage and traditional adversarial nation-states, e.g., Russia, China.
Each class of attacker may have different abilities, capabilities, and goals – whether on an individual or group basis (i.e., aggregating resources to work together). Given the same tool, different classes of attackers may achieve different outcomes, e.g., experienced cyber criminals can evade deep packet inspection tools or IDS signature detection tools whereas new hobbyists may not.
However, cyberespionage groups with vast resources and highly skilled petty criminals are the most common type of IoT attacker. In many cases, they have developed advanced malware with the ability to mutate and evade detection for longer on IoT networks, or they leverage DDoS attacks as a means for blackmail.
14. Prevention is better than cure
• Authentication – Never create a product with a default password which is the same across all devices. Each device should have a complex random password assigned to it during manufacturing.
• Debug – Never leave any kind of debugging access on a production device. Even if you are tempted to leave access on a non-standard port using a hard-coded random password, in the end it will be discovered. Don’t do it.
• Encryption – All communications between an IoT device and the cloud need to be encrypted. Use SSL/TLS where appropriate.
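The Authentication bullet above (a unique random password minted per unit at manufacturing) combined with the salted storage the Privacy bullet on the next slide calls for, as an added example that is not part of the original deck; the serial numbers, iteration count and the `fleet_has_shared_secret` production-line check are constructed for illustration:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

# Constructed parameters for this example (not taken from any product).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def provision_device(serial: str) -> Tuple[str, Dict]:
    """Factory step: mint a random password that exists on this one unit only.

    Returns the clear-text password (handed to the owner once, e.g. on the label)
    and the record the firmware keeps: serial, per-device salt and PBKDF2 hash.
    The clear text is never stored on the device.
    """
    password = secrets.token_urlsafe(16)          # ~128 bits of entropy, fresh per unit
    salt = os.urandom(SALT_BYTES)                  # fresh salt, so equal passwords never hash alike
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return password, {"serial": serial, "salt": salt, "hash": digest}


def verify_login(record: Dict, attempt: str) -> bool:
    """Device side: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def fleet_has_shared_secret(records: List[Dict]) -> bool:
    """Production-line self-check: two units with identical stored hashes can only
    happen if both password and salt were reused, i.e. a shared default slipped in."""
    hashes = [r["hash"] for r in records]
    return len(set(hashes)) != len(hashes)
```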
15. • Privacy – Ensure that no personal data is readily accessible should a hacker gain access to the device. Use encryption for storing data along with salts.
• Web Interface – Any web interface should be protected against the standard hacker techniques like SQL injection and cross-site scripting.
• Firmware updates – Bugs are a fact of life; often they are just a nuisance. However, security bugs are bad, even dangerous. Therefore all IoT devices should support Over-The-Air updates. However, those updates need to be verified.
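The "updates need to be verified" point from the Firmware updates bullet, as an added example that is not part of the original deck: the device authenticates the update manifest before trusting it, refuses rollback to an older version, and then binds the image to the manifest by digest. The package layout, key and version numbers are constructed; production firmware would use an asymmetric signature (e.g. Ed25519) so only a public key lives on the device, whereas this example uses HMAC-SHA256 from the standard library to stay self-contained.

```python
import hashlib
import hmac
import json
import struct
from typing import Tuple

# Constructed example key. Real OTA pipelines sign with a private key kept off-device
# and verify with its public key; the order of checks below is the same either way.
UPDATE_KEY = b"example-ota-key-NOT-FOR-PRODUCTION"


def build_update(version: int, image: bytes) -> bytes:
    """Vendor side: [4-byte manifest length][manifest JSON][32-byte tag][image]."""
    manifest = json.dumps({"version": version, "sha256": hashlib.sha256(image).hexdigest()}).encode()
    tag = hmac.new(UPDATE_KEY, manifest, hashlib.sha256).digest()
    return struct.pack(">I", len(manifest)) + manifest + tag + image


def verify_update(package: bytes, installed_version: int) -> Tuple[bool, str]:
    """Device side: reject anything unauthenticated, tampered, or older than installed."""
    try:
        (mlen,) = struct.unpack(">I", package[:4])
        manifest = package[4:4 + mlen]
        tag = package[4 + mlen:4 + mlen + 32]
        image = package[4 + mlen + 32:]
        if len(manifest) != mlen or len(tag) != 32:
            return False, "truncated package"
        # 1. Authenticate the manifest before parsing or trusting anything inside it.
        expected = hmac.new(UPDATE_KEY, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "manifest authentication failed"
        meta = json.loads(manifest)
        # 2. Anti-rollback: an authentic but older image could reintroduce a fixed bug.
        if int(meta["version"]) <= installed_version:
            return False, "rollback refused"
        # 3. Bind the image to the authenticated manifest via its digest.
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), meta["sha256"]):
            return False, "image digest mismatch"
        return True, "ok"
    except (struct.error, ValueError, KeyError, TypeError):
        return False, "malformed package"
```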
16. The Big But ….
The tech might have been around for a while, but these kinds of attacks are brand new. As such there are no agreed best practice protection methods for stopping an IoT device from turning against you.
At least, not ones that the experts can agree on. Some believe you should apply a firewall in your home or business and regulate control of the devices to authorized users. However, another method would be to apply a certification approach: allowing only users with the right security certificate to control the devices and automatically barring any unauthorized profiles.
If in doubt, plug it.