The security surrounding networked devices is not as good as it could be. Some are completely unprotected. In order to change this, developers must quickly integrate security into the design of their products. And users should request secure IoT solutions.
Text: Urs Binder,
The security specialist Bitdefender conceived an April Fool's joke in which thousands of hacked internet-connected toasters in the United Kingdom suddenly refused to accept anything other than wholemeal bread, while warning their owners of the health risks associated with white bread. However, some of the other incidents associated with the Internet of Things (IoT) are no laughing matter – and, as the title of the Gartner white paper "Musings from Def Con 23" suggests: "Internet of Things Risks Are Bad and Likely to Get Worse". Here are four examples:
The threat posed by the Internet of Things is very real. This is becoming increasingly true as a result of the explosion in the number of "connected things". Current forecasts by Gartner predict that there will be 6.4 billion IoT devices worldwide by the end of 2016, an increase of 30 per cent when compared with 2015. That number is expected to reach 21 billion by the end of 2020. According to Gartner, around 65 per cent of IoT devices are found in consumer environments, such as in home automation, and 35 per cent are used for industrial applications.
HP tested ten home automation devices, including heating thermostats, door locks and smoke alarms, in order to identify security issues; it reached a sobering conclusion: those ten devices presented a total of 250 weak points, i.e. 25 per device. It is hardly surprising that, according to a study conducted by the Ponemon Institute on behalf of HP, not even half of consumers believe that IoT offers more advantages than disadvantages. This is down to concerns regarding security and privacy. It is not only consumers, however: companies, too, see more than just the positive aspects of IoT. According to a survey carried out by the US provider AT&T, 58 per cent of the organisations surveyed have zero trust in the security of their IoT devices.
In practice, this is reflected in the fact that no safety measures whatsoever have been implemented for numerous IoT devices. One of the reasons behind this may be historical: embedded systems used in industrial settings were originally not networked at all, or were only networked within a single company, and were therefore separated from the internet zone. Today's consumer devices are often still based on platforms that do not offer integrated security, and the solutions that have been based on them, including software and cloud services, are, as a result, not designed to provide data security and protection from attacks.
For some devices, the firmware cannot be updated to the most recent version. Patch management remains a foreign concept in such cases. This is all the more serious given that the service life of IoT solutions is up to ten years and is therefore significantly longer than that of PCs and mobile devices; this is true of both consumer products and Industry 4.0.
Communication of sensors and actuators with hubs, gateways and cloud services is usually secured, even in the case of wireless protocols such as Zigbee, LoRaWAN, Bluetooth and WiFi. However, it is often the case that static keys are used for this, which are relatively easy to get hold of. Not only that, but users also retain the factory settings for passwords and other security features alarmingly often.
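The two weaknesses named above, one static key across a fleet and passwords left at factory settings, can be checked for and the first one corrected. The following Python sketch is an added example, not part of the original article: the fleet export, the default-credential list and all names are constructed, and HKDF key derivation is one possible remedy chosen here for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (hypothetical fleet export, not from the article).
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "1234")}
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FLEET = [
    {"id": "thermostat-01", "user": "admin", "password": "admin", "link_key": STATIC_KEY},
    {"id": "doorlock-02", "user": "owner", "password": "k7!pQz-valley", "link_key": STATIC_KEY},
    {"id": "smoke-03", "user": "root", "password": "1234", "link_key": STATIC_KEY},
]


def audit(fleet, defaults=FACTORY_DEFAULTS):
    """Return (ids still on factory credentials, groups of ids sharing one link key)."""
    on_defaults = sorted(d["id"] for d in fleet if (d["user"], d["password"]) in defaults)
    by_key = defaultdict(list)
    for d in fleet:
        # Group on a hash of the key so the report never contains key material.
        by_key[hashlib.sha256(d["link_key"]).hexdigest()].append(d["id"])
    shared = sorted(sorted(ids) for ids in by_key.values() if len(ids) > 1)
    return on_defaults, shared


def hkdf_sha256(ikm, salt, info, length=16):
    """HKDF (RFC 5869): extract a PRK, then expand it into `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def provision(fleet, master_secret, salt=b"example-fleet"):
    """Copy of the fleet in which each device gets its own key, bound to its id."""
    return [dict(d, link_key=hkdf_sha256(master_secret, salt, d["id"].encode()))
            for d in fleet]


if __name__ == "__main__":
    print(audit(FLEET))
    print(audit(provision(FLEET, master_secret=bytes(range(32)))))
```

With derived keys, a key read out of one device no longer unlocks the others; the master secret itself has to stay in the provisioning backend and never on a device.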
That is why it is so important that security becomes a matter of course, not just for the data transmission protocol, but at each individual level. To date, however, there are still no uniform security standards for end-to-end security in IoT systems. Unlike other industries, such as the banking, medical and automotive sectors, the IoT market is not regulated – a weak foundation for trustworthy solutions.
Various organisations are nevertheless currently working on frameworks and best practices for IoT security, including the IoT Security Foundation and the non-profit OWASP foundation with the "Internet of Things Project". And cloud service providers are increasingly offering platforms for secure communication between IoT devices and cloud services with features that are specifically tailored to the Internet of Things.
Such standards and platforms must provide a broad line of defence against cyber attacks. IoT security should be capable of recognising and repelling attacks; logging unauthorised access attempts; protecting data, both when it is being transferred and when it is being saved, as well as protecting it against subsequent alteration, and preventing counterfeit firmware from being uploaded onto the devices by means of secure booting.
This will only be possible with a combination of security measures implemented at all levels, from authentication and data communication through intrusion detection/prevention to management of the security regulations. Ideally, this will be supported by the hardware within the IoT devices. To this end, modern processors and SoC platforms also provide hardware-level support, which adds security and helps the developers of IoT solutions to make their products secure.