IoT security

Little protection in the Internet of Things

The security surrounding networked devices is not as good as it could be. Some are completely unprotected. In order to change this, developers must quickly integrate security into the design of their products. And users should request secure IoT solutions.

Text: Urs Binder,

The security specialist, Bitdefender, conceived an April Fool's joke in which thousands of hacked internet-connected toasters in the United Kingdom all of a sudden refused to accept anything other than wholemeal bread, at the same time warning their owners of the health risks associated with white bread. However, some of the other incidents associated with the Internet of Things (IoT) are no laughing matter – and, as the title of the Gartner white paper "Musings from Def Con 23" suggests: "Internet of Things Risks Are Bad and Likely to Get Worse". Here are four examples:


  • In Germany, hackers managed to access the office network of a steelworks through a combination of spear phishing and social engineering – i.e. by exploiting the human weaknesses of staff members – and from there were able to access the production facilities; this was reported on by the Federal Office for Information Security in 2014. The attackers were able to jam various control components and installations. The consequence: a blast furnace was no longer able to undergo a controlled shutdown and its status remained undefined. The installation suffered severe damage.

  • At US retailer Target, hackers gained access to the network by remotely accessing the building automation system and succeeded in installing malicious code on the card terminals within the company's 1800 stores. This allowed the attackers to steal the card details of 40 million customers. According to Target, the resulting compensation costs amounted to 290 million dollars, not to mention the harm done to the company's image.

  • One Friday afternoon in late November 2016, the message displayed on the screens of ticket machines belonging to the San Francisco transport company, SF Muni, simply stated "You Hacked, ALL Data Encrypted". SF Muni was forced to leave the gates to the platforms open – free public transport for a day and a half. This was not even a targeted attack, as was subsequently revealed by the hacker, "Cryptom27": SF Muni's network was completely open.

  • Towards the end of October 2016, a large number of well-known websites, including Twitter, Amazon, Spotify and Netflix, experienced disruption as a result of a massive denial of service attack on the service provider, Dyn. This was apparently caused by a botnet made up of IoT devices. The security investigator, Brian Krebs, whose blog was also affected, spoke primarily of IP cameras and networked video recorders.

Real threat, little trust

The threat posed by the Internet of Things is very real. This is becoming increasingly true as a result of the explosion in the number of "connected things". Current forecasts by Gartner predict that there will be 6.4 billion IoT devices worldwide by the end of 2016, an increase of 30 per cent when compared with 2015. That number is expected to reach 21 billion by the end of 2020. According to Gartner, around 65 per cent of IoT devices are found in consumer environments, such as in home automation, and 35 per cent are used for industrial applications.

Making the Internet of Things safe

Hints and tips for users and developers of IoT solutions.

To Listical

Making the Internet of Things safe

Hints and tips for users and developers of IoT solutions.

To Listical

HP tested ten home automation devices, including heating thermostats, door locks and smoke alarms, in order to identify security issues; it reached a sobering conclusion: those ten devices presented a total of 250 weak points, i.e. 25 per device. It is hardly surprising that, according to a study conducted by the Ponemon Institute on behalf of HP, not even half of consumers believe that IoT offers more advantages than disadvantages. This is down to concerns regarding security and privacy. However, it is not just consumers, but also companies who are not just seeing the positive aspects of IoT. According to a survey carried out by the US provider AT&T, 58 per cent of the organisations surveyed have zero trust in the security of their IoT devices.

The weaknesses of IoT solutions

In practice, this is reflected in the fact that no safety measures whatsoever have been implemented for numerous IoT devices. One of the reasons behind this may be historical: embedded systems used in industrial settings were originally not networked at all, or were only networked within a single company, and were therefore separated from the internet zone. Today's consumer devices are often still based on platforms that do not offer integrated security, and the solutions that have been based on them, including software and cloud services are, as a result, not designed to provide data security and protection from attacks.

The firmware cannot be updated to the most recent version for some devices. Patch management remains a foreign concept in such cases. This is all the more serious given that the service life of IoT solutions is up to ten years and is therefore significantly higher than that of PCs and mobile devices; this is true of both consumer products and Industry 4.0.

Communication of sensors and actuators with hubs, gateways and cloud services is usually secured, even in the case of wireless protocols such as Zigbee, LoRaWAN, Bluetooth and WiFi. However, it is often the case that static keys are used for this, which are relatively easy to get hold of. Not only that, but users also retain the factory settings for passwords and other security features alarmingly often.

That is why it is so important that security becomes a matter of course, not just for the data transmission protocol, but at each individual level. To date, however, there are still no uniform security standards for end-to-end security in IoT systems. Unlike other industries, such as the banking, medical and automotive sectors, the IoT market is not regulated – a weak foundation for trustworthy solutions.

IoT security is on the up

Various organisations are nevertheless currently working on frameworks and best practices for IoT security, including the IoT Security Foundation and the non-profit OWASP foundation with the "Internet of Things Project". and cloud service providers are increasingly offering platforms for secure communication between IoT devices and cloud services with features that are specifically tailored to the Internet of Things.

Such standards and platforms must provide a broad line of defence against cyber attacks. IoT security should be capable of recognising and repelling attacks; logging unauthorised access attempts; protecting data, both when it is being transferred and when it is being saved, as well as protecting it against subsequent alteration, and preventing counterfeit firmware from being uploaded onto the devices by means of secure booting.

This will only be possible with a combination of security measures implemented at all levels, from authentication and data communication through intrusion detection/prevention to management of the security regulations. Ideally, this will be supported by the hardware within the IoT devices. To this end, modern processors and SoC platforms also provide support at the level of the hardware, which will provide additional security and will help the developers of IoT solutions to make their products secure.

More on the topic