What are two attributes of IoT that make applying traditional security methods challenging choose two?

• PDFView PDF

The Internet of Things [IoT] has been one of the fastest developing technology trends in recent years. According to IoT Analytics, by 2025, there will likely be more than 27 billion connected devices in the world.

However, increasing security concerns like software vulnerabilities and cyberattacks can make many customers refrain from using IoT devices. Such Internet of Things security problems are especially significant for organizations that operate in healthcare, finance, manufacturing, logistics, retail, and other industries that have already started adopting IoT systems.

In this article, we explore what IoT security is and why it matters as well as the key IoT security challenges and attack vectors. We also discuss ways to secure devices, data, and networks within IoT environments. This article will be helpful for development teams who want to ensure the proper security of their IoT projects.

and

Elena Semeniak,

Market Research Specialist

Contents:

What is IoT and IoT security?

5 most common Internet of Things security challenges

Best practices for ensuring the security of IoT systems

Conclusion

What is IoT and IoT security?

The Internet of Things is a network of smart devices that connect to each other in order to exchange data via the internet without any human intervention.

The architecture of IoT systems usually consists of wireless networks, cloud databases for communication, sensors, data processing programs, and smart devices that interact closely with each other. IoT systems use the following components to exchange and process data:

• Smart devices that collect, store, and share data about the environment and other devices and components
• Embedded systems used by smart devices — which can include various processors, sensors, and communication hardware — whose goal is to collect, send, and act on data they acquire from environments
• IoT gateways, hubs, or other edge devices that route data between IoT devices and the cloud
• Cloud or on-premises data centers with remote servers that exchange data through wireless connections

IoT technologies are used within various industries: manufacturing, automotive, healthcare, logistics, energy, agriculture, and more. Smart devices can range from simple sensors to DNA analysis hardware depending on a particular IoT system’s goals. The most popular IoT use cases and devices are:

• Home automation systems monitor and control home attributes like temperature, lighting, entertainment systems, appliances, and alarm systems. Common smart devices for home automation include assistant speakers, thermostats, refrigerators, plugs, and bulbs.
• Healthcare. Medical IoT [MIoT] provides lots of opportunities for healthcare professionals to monitor patients, as well as for patients to monitor themselves. Smart devices for MIoT include wirelessly connected fitness bands, blood pressure and heart rate monitoring cuffs, and glucometers.
• Smart cities use data gathered by smart devices to improve infrastructure, public utilities, and services. Such devices can be connected sensors, lights, meters, waste bins, and air quality monitoring systems.
• Wearables are mostly used for healthcare and sports. Such devices include fitness trackers, electrocardiogram monitors, blood pressure monitors, and smart watches.
• Connected cars refer to vehicles equipped with access to the internet that can share that access and data with devices inside and outside the car. This technology allows people to remotely access vehicle functionality using a mobile app, improve security, and pay tolls automatically.
• Smart warehouses use automated and interconnected technologies to help businesses increase productivity and efficiency. Common components of a smart warehouse include robots, drones, radio frequency identification [RFID] scanners, artificial intelligence-driven programs, and complex warehouse management software.

Why does IoT security matter?

Such a wide application of IoT systems requires organizations to pay special attention to system security.

Any vulnerability can lead to a system failure or a hacking attack, which, in turn, can affect hundreds or thousands of people. For instance, traffic lights could stop working, causing road accidents; or a home security system could be turned off by burglars. Since some IoT devices are used for healthcare or human protection, their security can be crucial for people’s lives.

Another important reason to prioritize security when developing IoT systems is to keep their data safe. Smart devices gather tons of sensitive data, including personally identifiable information, which is required to be protected by various cybersecurity laws, standards, and regulations. The compromise of such information can result in lawsuits and fines. It can also lead to reputational damage and the loss of customer trust.

Internet of Things security is a set of approaches and practices towards protecting physical devices, networks, processes, and technologies that comprise an IoT environment from a broad spectrum of IoT security attacks.

The two key goals of IoT security are to:

1. Make sure all data is collected, stored, processed, and transferred securely
2. Detect and eliminate vulnerabilities in IoT components

However, developing secure IoT systems and keeping them protected from attacks is not an easy task. Let’s explore the key IoT security problems.

5 most common Internet of Things security challenges

From January to June of 2021, there were 1.51 billion breaches of IoT devices, while during all of 2020 Kaspersky reported 639 million breaches. Underestimating the importance of cybersecurity when developing IoT systems is unacceptable.

To understand how to secure IoT systems, it’s essential to explore potential cybersecurity risks first. Here’s a list of common security challenges with the Internet of Things:

1. Software and firmware vulnerabilities

Ensuring the security of IoT systems is tricky, mostly because a lot of smart devices are resource-constrained and have limited computing power. Thus, they can’t run powerful, resource-hungry security functions and are likely to have more vulnerabilities than non-IoT devices.

Many IoT systems have security vulnerabilities for the following reasons:

• Lack of computational capacity for efficient built-in security
• Poor access control in IoT systems
• Limited budget for properly testing and improving firmware security
• Lack of regular patches and updates due to limited budgets and technical limitations of IoT devices
• Users may not update their devices, thus restricting vulnerability patching
• With time, software updates might be unavailable for older devices
• Poor protection from physical attacks: an attacker can get close enough to add their chip or hack the device using radio waves

Malicious actors aim to leverage vulnerabilities they’ve found in a target IoT system to compromise its communications, install malware, and steal valuable data. For example, the use of vulnerable credentials like weak, recycled, and default passwords allowed hackers to hack Ring smart cameras. They even managed to communicate with victims remotely using the camera's microphone and speakers.

2. Insecure communications

Most existing security mechanisms were initially designed for desktop computers and are difficult to implement on resource-constrained IoT devices. That’s why traditional security measures aren’t as efficient when it comes to protecting the communication of IoT devices.

One of the most dangerous threats caused by insecure communications is the possibility of a man-in-the-middle [MitM] attack. Hackers can easily perform MitM attacks to compromise an update procedure and take control of your device if it doesn’t use secure encryption and authentication mechanisms. Attackers can even install malware or change a device’s functionality. Even if your device doesn’t fall victim to an MitM attack, the data it exchanges with other devices and systems can still be captured by cybercriminals if your device sends it in cleartext messages.

Connected devices are susceptible to attacks from other devices. For instance, if attackers gain access to just one device in a home network, they can easily compromise all other unisolated devices in it.

3. Data leaks from IoT systems

We’ve already established that by capturing unencrypted messages from your IoT system, hackers can get access to the data it processes. This might include even sensitive data like your location, bank account details, and health records. However, abusing poorly secured communications isn’t the only way attackers can gather valuable data.

All data is transferred via and stored in the cloud, and cloud-hosted services can also experience external attacks. Thus, data leaks are possible from both devices themselves and the cloud environments they’re connected to.

Third-party services in your IoT systems are another possible source of a data leak. For instance, Ring smart doorbells were found to be sending customer data to companies such as Facebook and Google without proper customer consent. This incident appeared because of third-party tracking services enabled in the Ring mobile app.

4. Malware risks

A recent study by Zscaler found that devices most at risk of being hacked by a malware attack were set-top boxes, smart TVs, and smartwatches.

If attackers find a way to inject malware into an IoT system, they may change its functionality, collect personal data, and launch other attacks. Moreover, some devices can be infected with viruses out of the box if manufacturers don’t ensure adequate software security.

Some organizations have already found ways to deal with the most famous IoT-targeted malware. For instance, an FBI agent shared how the agency stopped the Mirai botnet attacks, and Microsoft has released a guide on how to proactively defend your systems against the Mozi IoT botnet.

However, hackers keep inventing new ways to abuse IoT networks and devices. In 2021, researchers discovered that BotenaGo, malware written in Golang, can exploit more than 30 different vulnerabilities in smart devices.

5. Cyberattacks

Apart from the malware and MITM attacks discussed above, IoT systems can also be susceptible to various cyberattacks. Here’s a list of the most common types of attacks on IoT devices:

1. Denial-of-service [DoS] attacks. IoT devices have limited processing power, which makes them highly vulnerable to denial-of-service attacks. During a DoS attack, a device’s ability to respond to legitimate requests is compromised due to a flood of fake traffic.
2. Denial-of-sleep [DoSL] attacks. Sensors connected to a wireless network should continuously monitor the environment, so they’re often powered by batteries that don’t require frequent charging. Battery power is preserved by keeping the device in sleep mode most of the time. Sleep and awake modes are controlled according to the communication needs of different protocols, such as medium access control [MAC]. Attackers may exploit vulnerabilities of the MAC protocol to carry out a DoSL attack. This type of attack drains battery power and thus disables the sensor.
3. Device spoofing. This attack is possible when a device has improperly implemented digital signatures and encryption. For instance, a poor public key infrastructure [PKI] may be exploited by hackers to “spoof” a network device and disrupt IoT deployments.
4. Physical intrusion. Though most attacks are performed remotely, physical intrusion of a device is also possible if it’s stolen. Attackers can tamper with device components to make them operate in an unintended way.
5. Application-based attacks. These types of attacks are possible when there are security vulnerabilities in device firmware or software used on embedded systems or weaknesses in cloud servers or backend applications.

With these challenges in mind, let’s proceed to Internet of Things security best practices that can help you protect your IoT system.

Best practices for ensuring the security of IoT systems

IoT security best practices can help you increase the protection of three main components of IoT systems: devices, networks, and data. Let’s start by discussing ways to secure smart devices.

1. Secure smart devices

• Ensure tamper-resistant hardware. IoT devices may be stolen by attackers in order to tamper with them or access sensitive data. To secure device data, it’s necessary to make your product tamper-proof. You can ensure physical security by using port locks or camera covers as well as by applying strong boot-level passwords or taking other approaches that will disable the product in case of tampering.
• Provide patches and updates. Ongoing device maintenance entails additional costs. However, proper product security can be ensured only with constant updates and patches. It’s best to establish automatic and mandatory security updates that require no actions from end users. Inform consumers about the timespan during which you’ll support the product and tell users what they should do after the end of this period. Once your system is released, make sure to keep an eye on upcoming vulnerabilities and develop updates accordingly.
• Run thorough testing. Penetration testing is your main tool for finding vulnerabilities in IoT firmware and software and reducing the attack surface as much as possible. You can use static code analysis to find the most obvious flaws, and you can use dynamic testing to dig up well-hidden vulnerabilities.
• Implement device data protections. IoT devices should ensure the security of data both during and after exploitation. Make sure that cryptographic keys are stored in nonvolatile device memory. Additionally, you can offer to dispose of used products or provide a way to discard them without exposing sensitive data.
• Meet component performance requirements. IoT device hardware has to meet certain performance requirements in order to ensure proper usability. For example, IoT hardware should use little power but offer high processing capabilities. Moreover, devices must ensure robust authorization, data encryption, and wireless connections. It's also preferable for your IoT solution to work even if its connection to the internet is temporarily disrupted.

2. Secure networks

• Ensure strong authentication. This can be achieved using unique default credentials. When naming or addressing your products, use the latest protocols to ensure their functionality for a long time. If possible, provide your product with multi-factor authentication.
• Enable encryption and secure communication protocols. Communication between devices also requires security protection. However, cryptographic algorithms should be adapted to the limited capacities of IoT devices. For these purposes, you can apply Transport Layer Security or Lightweight Cryptography. An IoT architecture allows you to use wireless or wired technologies such as RFID, Bluetooth, Cellular, ZigBee, Z-Wave, Thread, and Ethernet. Moreover, you can ensure network security with optimized protocols such as IPsec and Secure Sockets Layer.
• Minimize device bandwidth. Limit network traffic to the amount necessary for the functioning of the IoT device. If possible, program the device to limit hardware and kernel-level bandwidth and reveal suspicious traffic. This will protect your product from possible DoS attacks. The product should also be programmed to reboot and clear code in case malware is detected, as malware can be used to hijack the device and use it as part of a botnet to perform distributed DoS attacks.
• Divide networks into segments. Implement next-generation firewall security by separating big networks into several smaller ones. For this purpose, use ranges of IP addresses or VLANs. For secure internet connections, implement a VPN in your IoT system.

3. Secure data

• Protect sensitive information. Install unique default passwords for each product or require immediate password updates on the first use of a device. Apply robust authentication to ensure that only valid users have access to data. To go the extra mile for better privacy protection, you can also implement a reset mechanism to allow the deletion of sensitive data and clearing of configuration settings if the user decides to return or resell the product.
• Collect only necessary data. Ensure that your IoT product collects only data necessary for its operation. This will reduce the risk of data leakage, protect consumers’ privacy, and eliminate risks of non-compliance with various data protection regulations, standards, and laws.
• Secure network communications. For better security, restrict your product’s unnecessary communication within the IoT network. Don’t rely entirely on the network firewall, and ensure secure communication by making your product invisible via inbound connections by default. Moreover, use encryption methods optimized to the needs of IoT systems, such as the Advanced Encryption Standard, Triple DES, RSA, and Digital Signature Algorithm.

Apart from the practices mentioned above, make sure to follow recommendations like the NIST guide on IoT device cybersecurity, released to address challenges raised in the IoT Cybersecurity Improvement Act of 2020.

Conclusion

When building IoT projects, it’s vital to start thinking about security from early research and development stages. However, ensuring robust cybersecurity of devices, networks, and data in IoT environments is challenging because of frequent cyberattacks and the complexity of searching for potential system vulnerabilities.

Implementing robust security features in IoT projects can be difficult. Apart from running up against hardware limitations, implementing security features may increase a solution’s cost and development time, which is definitely not desirable for businesses.

Developing secure IoT products requires the skills of expert IoT software developers and quality assurance specialists with experience in penetration testing. At Apriorit, we’ve gathered teams of professionals in embedded and IoT solutions development, engineering for cybersecurity projects, and security testing.

Contact us to start working on efficient and secure IoT projects!

What are the 2 main risks when using IoT devices?

What are the challenges in IoT security?

Which is the more challenging for IoT security?

What are the potential challenges of IoT in terms of security ethics and privacy?