How to Enhance IoT Security

Security Guide Update

IoT is quickly becoming an exciting topic for both consumers and businesses. But as with any IT subject, security cannot be neglected, and in the near future it will prove to be a key success factor for organisations. We discuss some of the ways to improve IoT security today.

Although the IoT topic started several years back, the trend is only now gaining traction rapidly. So it is no surprise that IoT solution providers are finding all kinds of ways to get customers excited about a more 'connected' environment. What many businesses overlook, though, is the lack of IoT security and how it can lead to costly security breaches.

 

IoT solutions tend to be insufficiently protected, making them attractive targets for abuse and direct attacks. The devices used, both their hardware and their software, often lack security features, or the IoT solutions built on them do not implement adequate protection. Because IoT solutions are generally delivered under tight time and cost constraints, security measures are often underdeveloped: priority is given to new features and usability rather than to security.

 

As a result, many current solutions can be breached with relatively simple tools. One example is fitness trackers that reward customers for physical activity. An attacker may simulate a tracker on the Bluetooth interface, or build their own app, to generate fraudulent activity data and collect the reward. When considering IoT security, it is therefore crucial to address data privacy as well as protection against manipulation of the data.

 

Knowing this, what measures can organisations take to enhance the security of their IoT solutions? The following are a few suggestions and guidelines:

 

 

Updatable Devices

IoT devices must be selected carefully, taking into account the related ecosystem and the specific security requirements. In practice, it has to be assumed that security at the hardware level is not a top priority when standard IoT devices are used. The exception is specialised hardware built to meet regulatory requirements, which comes at significantly higher prices and is therefore unsuitable for most end-user applications. It must consequently be assumed that the hardware is not a sufficiently secure platform on its own and that security mechanisms need to be implemented in software. For this reason, it is essential that the software on IoT devices remains updatable, and that the update mechanism itself is protected: a device that accepts any image it is offered has simply traded one attack surface for another.
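
To make the update requirement concrete, here is an added example (written for this page, not code from the original article or its authors) of the minimum an updatable device should enforce: each firmware image is signed by the vendor, the device verifies the signature against a public key fixed at manufacture, and it refuses any image whose version is not newer than the one installed, so that an attacker can neither push a modified image nor roll the device back to an older, vulnerable release. The key pair, version numbers and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what a device receives: a version number, the image and a
// signature made with the vendor's signing key, which never leaves the build system.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedPayload binds the version to the image hash, so an attacker can neither
// attach a genuine old signature to a modified image nor present a genuine old
// image under a new version number.
func signedPayload(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor side, never on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image,
		Signature: ed25519.Sign(priv, signedPayload(version, image))}
}

// Device models the firmware's update logic: the vendor public key is fixed at
// manufacture and the installed version only ever increases.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature invalid")
	ErrRollback     = errors.New("update rejected: not newer than the installed version")
)

// Apply checks the signature before anything else, then enforces the monotonic
// version, and only then installs (here: advances the version counter).
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Version
	return nil
}

// Scenario runs the three cases that matter: a genuine update, the same update
// with one image byte changed in transit, and a genuine but older image.
func Scenario() (genuine, tampered, downgrade error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Installed: 7}
	v8 := SignUpdate(priv, 8, []byte("firmware image v8 (constructed sample)"))
	genuine = dev.Apply(v8)
	bad := v8
	bad.Image = append([]byte(nil), v8.Image...)
	bad.Image[0] ^= 0xff // modified in transit; the old signature no longer matches
	tampered = dev.Apply(bad)
	v6 := SignUpdate(priv, 6, []byte("firmware image v6 (constructed sample)"))
	downgrade = dev.Apply(v6)
	return
}

func main() {
	g, t, d := Scenario()
	fmt.Println("genuine v8:  ", g)
	fmt.Println("tampered v8: ", t)
	fmt.Println("downgrade v6:", d)
}
```

Checking the signature before the version number matters: an unsigned update must not be able to influence any device state, not even the version comparison. On a real device the vendor public key would sit in read-only or one-time-programmable storage and the installed version in a monotonic counter that only the update routine can advance.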

 

 

Identifiable Devices

Another important measure is to consistently assign a unique identity to each IoT device. IoT devices are then authenticated much as users are authenticated when logging into a system, so the backend knows precisely which device a piece of data was sent from, and unauthenticated devices can be systematically excluded. In addition, different access rights can be granted to different devices: certain devices may be given write-only access, meaning they are allowed to submit data but not to read it. With this tried and tested approach (authentication first, then authorisation), access to data and services can be better protected and controlled.
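
As an added illustration of this section and of the fitness-tracker case above (example code written for this page, not taken from the original article), the backend below keeps a registry of enrolled devices, each with a per-device secret and a set of rights. A report is accepted only if the identity is known, the HMAC computed with that device's key matches, and the message counter has moved forward; only then are the device's rights checked. The device name, key and payloads are constructed. A per-device symmetric key is the simplest form of device identity; certificates, as in the transport example further down, avoid storing on the backend a secret that could impersonate the device.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Right is a permission granted to one device identity.
type Right uint8

const (
	Write Right = 1 << iota // may submit its own measurements
	Read                    // may query stored data
)

// Enrolled is the backend's record for one device: the secret provisioned at
// enrollment, the rights granted, and the highest message counter accepted.
type Enrolled struct {
	Key     []byte
	Rights  Right
	LastSeq uint64
}

// Registry maps device identities to enrollment records; a device that is not
// in it is unauthenticated and excluded outright.
type Registry map[string]*Enrolled

// Message is one report: claimed identity, a counter that only moves forward,
// the payload, and an HMAC over all three computed with the device's key.
type Message struct {
	DeviceID string
	Seq      uint64
	Payload  []byte
	MAC      []byte
}

func tag(key []byte, id string, seq uint64, payload []byte) []byte {
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	m.Write([]byte{0}) // separator: keeps id, seq and payload boundaries unambiguous
	m.Write(s[:])
	m.Write(payload)
	return m.Sum(nil)
}

// Sign is what genuine device firmware does with its provisioned key.
func Sign(key []byte, id string, seq uint64, payload []byte) Message {
	return Message{DeviceID: id, Seq: seq, Payload: payload, MAC: tag(key, id, seq, payload)}
}

var (
	ErrUnknownDevice = errors.New("unknown device identity")
	ErrBadMAC        = errors.New("device authentication failed")
	ErrReplay        = errors.New("replayed or out-of-order message")
	ErrForbidden     = errors.New("device lacks the required right")
)

// Authorize authenticates the message (known identity, correct key, fresh
// counter) and only then checks whether the device holds the needed right.
func (r Registry) Authorize(m Message, need Right) error {
	dev, ok := r[m.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !hmac.Equal(m.MAC, tag(dev.Key, m.DeviceID, m.Seq, m.Payload)) {
		return ErrBadMAC
	}
	if m.Seq <= dev.LastSeq {
		return ErrReplay
	}
	dev.LastSeq = m.Seq
	if dev.Rights&need == 0 {
		return ErrForbidden
	}
	return nil
}

// Scenario plays the fitness-tracker case: a genuine report; a forged report
// from an attacker's app that knows the device ID but not its key; a replay
// of the genuine report; and the write-only tracker trying to read data.
func Scenario() (genuine, forged, replayed, readAttempt error) {
	key := []byte("per-device secret provisioned at enrollment (constructed)")
	reg := Registry{"tracker-0042": {Key: key, Rights: Write}}
	steps := []byte(`{"steps":8421}`) // constructed payload
	genuine = reg.Authorize(Sign(key, "tracker-0042", 1, steps), Write)
	fake := Message{DeviceID: "tracker-0042", Seq: 2, Payload: []byte(`{"steps":99999}`)}
	fake.MAC = tag([]byte("attacker's guess"), fake.DeviceID, fake.Seq, fake.Payload)
	forged = reg.Authorize(fake, Write)
	replayed = reg.Authorize(Sign(key, "tracker-0042", 1, steps), Write)
	readAttempt = reg.Authorize(Sign(key, "tracker-0042", 2, nil), Read)
	return
}

func main() { fmt.Println(Scenario()) }
```

The order of the checks is the point: a message is never authorised before it is authenticated, the forged report fails on the key rather than on the rights, and a replayed genuine report cannot earn the reward twice because the counter has already been consumed.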

 

 

Secure Communication

IoT devices typically communicate over short-range wireless technologies such as Bluetooth, over mobile networks such as GSM, over IoT-specific wide-area wireless networks such as LoRa, or over regular Internet connections. In all of these cases it has to be assumed that the channel is not secure per se. Therefore, when implementing the IoT solution, ensure that communication between the IoT devices and the central system is secured end to end, that is, encrypted and authenticated between the device and the central system itself rather than only on individual network hops.
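
One way to secure the device-to-backend channel end to end, as an added example that is not part of the original article: the device carries the backend's certificate and accepts no other trust root, so a rogue access point or a man in the middle holding a certificate from any other issuer can neither read nor alter the reports. The hostname, the certificate and the report are constructed for the example, and the backend is run on a loopback port so that the block is self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const backendName = "iot-backend.example" // constructed hostname

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newBackendCert creates a self-signed certificate for the central system;
// devices ship with only the certificate and pin it as their single trust root.
func newBackendCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: backendName},
		DNSNames:              []string{backendName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// RoundTrip runs the backend (TLS server) on loopback and a device (TLS client) that
// verifies it against trusted; it returns what the backend received. If trusted lacks
// the pinned certificate the handshake fails and the report is never sent.
func RoundTrip(backend tls.Certificate, trusted *x509.CertPool, report string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{backend},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var got string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		buf := make([]byte, 512)
		n, err := conn.Read(buf) // completes the handshake, then reads one record
		got = string(buf[:n])
		done <- err
	}()
	dev, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    trusted, // the pinned root only, never the OS bundle
		ServerName: backendName,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err // handshake failed: nothing was sent
	}
	defer dev.Close()
	if _, err := dev.Write([]byte(report)); err != nil {
		return "", err
	}
	err = <-done
	return got, err
}

// Scenario sends one report over the pinned channel, then shows that a device
// without the pinned root cannot talk to the backend at all.
func Scenario() (received string, untrustedErr error) {
	backend, pinned := newBackendCert()
	received, err := RoundTrip(backend, pinned, `{"device":"sensor-17","temp_c":21.5}`)
	must(err)
	_, untrustedErr = RoundTrip(backend, x509.NewCertPool(), "must never be sent")
	return
}

func main() { fmt.Println(Scenario()) }
```

The same structure applies when the backend's certificate is issued by a private CA: pin the CA certificate instead of the leaf, and rotate the leaf freely. On links where TLS is not available to the device, the property this block provides (only the central system can read the data and the device can tell it is talking to the central system) has to be supplied at the application layer instead of being left to whoever operates the radio network.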

 

 

Start Secure

The security measures out in the field are only useful if the solution's server infrastructure is also protected. In addition to physical protection, this includes protection at the network level and reliable identity and access management. Depending on the situation, further measures such as encrypted data storage may be necessary as well.

 

 

Secure Software Engineering

When working with IoT devices, the organisation may need to reassess its own application security requirements. There is always a risk of IoT devices being used as a springboard into the rest of the environment or, as in the case of DDoS attacks, misused as attack agents. For this reason, all security mechanisms provided by the platform (chip) used should be taken into account during development. For confidential data, or data with high requirements in terms of quality or origin, robust identity management, possibly hardware-backed, must be implemented.

 

 

Monitor and Detect

Given the high degree of networking, the heterogeneity and the price pressure, it has to be assumed that the measures described so far are not ironclad. Apart from that, there are always cases in which individual measures cannot be implemented. It is therefore advisable to put monitoring in place that detects security-relevant anomalies and enables providers to respond to them.
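
An added example of what such monitoring can look like at its simplest (constructed for this page, not code from the original article): a small detector over backend telemetry lines in a made-up format that flags unknown device identities, a burst of failed device authentications against one identity, and a device reporting far more often than its kind should. The thresholds and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line of backend telemetry.
type Event struct {
	At     time.Time
	Device string
	Kind   string // report, auth_fail or unknown_device
}

// ParseLog reads lines such as "2024-05-02T10:00:00Z device=tracker-0042 event=report",
// a format constructed for this example rather than taken from any product.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{At: at,
			Device: strings.TrimPrefix(f[1], "device="),
			Kind:   strings.TrimPrefix(f[2], "event=")})
	}
	return events, nil
}

// Thresholds describe what normal traffic looks like for this fleet.
type Thresholds struct {
	Window      time.Duration
	MaxReports  int // reports one device may send per window
	MaxAuthFail int // failed authentications per identity per window
}

// Detect keeps a sliding window of timestamps per (device, kind) and raises one alert per key.
func Detect(events []Event, th Thresholds) []string {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	windows := map[string][]time.Time{}
	alerts := map[string]string{}
	for _, e := range events {
		key := e.Device + "/" + e.Kind
		if _, seen := alerts[key]; seen {
			continue
		}
		w := append(windows[key], e.At)
		for e.At.Sub(w[0]) > th.Window { // expire timestamps older than the window
			w = w[1:]
		}
		windows[key] = w
		switch {
		case e.Kind == "unknown_device":
			alerts[key] = "unknown identity " + e.Device + " attempted to submit data"
		case e.Kind == "report" && len(w) > th.MaxReports:
			alerts[key] = fmt.Sprintf("%s: more than %d reports within %s (flood, replay or fake client)", e.Device, th.MaxReports, th.Window)
		case e.Kind == "auth_fail" && len(w) > th.MaxAuthFail:
			alerts[key] = fmt.Sprintf("%s: more than %d failed authentications within %s (brute force or spoofed identity)", e.Device, th.MaxAuthFail, th.Window)
		}
	}
	out := make([]string, 0, len(alerts))
	for _, a := range alerts {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed telemetry: a normal tracker, a burst of failed
// authentications against its identity, a flooding tracker and an unknown identity.
const SampleLog = `
2024-05-02T10:00:00Z device=tracker-0042 event=report
2024-05-02T10:00:30Z device=tracker-0042 event=report
2024-05-02T10:02:00Z device=tracker-0042 event=auth_fail
2024-05-02T10:02:05Z device=tracker-0042 event=auth_fail
2024-05-02T10:02:10Z device=tracker-0042 event=auth_fail
2024-05-02T10:05:00Z device=tracker-0007 event=report
2024-05-02T10:05:01Z device=tracker-0007 event=report
2024-05-02T10:05:02Z device=tracker-0007 event=report
2024-05-02T10:05:03Z device=tracker-0007 event=report
2024-05-02T10:06:00Z device=tracker-9999 event=unknown_device
`

// Run applies one-minute fleet thresholds to the sample.
func Run() ([]string, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	return Detect(events, Thresholds{Window: time.Minute, MaxReports: 3, MaxAuthFail: 2}), nil
}

func main() { fmt.Println(Run()) }
```

The thresholds are the part that needs tuning per fleet; what carries over is the shape of the rules: identity-keyed sliding windows, one alert per condition rather than one per event, and a separate rule for identities that are not enrolled at all, since those are the spoofed-tracker case from earlier in the article.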

 

 

Awareness and Standards

Even if the devices attacked are not themselves damaged, providers of IoT solutions should pay attention to security. On the one hand, the provider's reputation may suffer if its devices are used for attacks. On the other, attackers may gain access to sensitive data by compromising such devices. End users should also be aware that IoT devices may be used to collect confidential data or to attack third parties.

 

In the long run, binding security standards will become mandatory for the secure use of IoT. Until then, users are encouraged to set strong, unique passwords for IoT devices wherever possible, to systematically disable any features and sensors that are not used, and to purchase devices from reputable, and thus more reliable, manufacturers.

 

 

This article was adapted from the article 'IoT – Today's Use Cases Call for Increased Security' by Tom Sprenger, Matthias Loepfe and René Rehmann.