Search

 

Major Challenges in Implementing IoT Security

March 23, 2018


Internet of Things has enabled users to do things differently in a never imagined fashion. IoT is growing at a very fast pace, IPV6, 4G and 5G technologies have added fuel to this growth.  Researchers estimate that by 2020, the number of active wireless connected devices will exceed 40 billion.

Advent of IoT has opened new possibilities to hackers. Less than 10 years ago, it was impossible to imagine that a microwave oven could be used to hack the Facebook account of a user or multiple refrigerators could be used as botnet to bring down an IT system, but it is happening today. IOT has penetrated our lives via these connected devices, which allow themselves to be controlled and operated remotely. Launching a “Denial of Service” attack is easier on embedded devices, as these devices are scarce on compute resources.  Untrusted code such as worms, viruses, spyware, and other malware can be easily installed on these devices by leveraging design flaws commonly found within embedded software.

Researchers have found critical vulnerabilities in a wide range of IoT baby monitors, which could be leveraged by hackers to monitor and control live feeds.  In another development [1], connected cars were compromised and hackers were able to take control of the entertainment system, unlock the doors and even shut down the car while in motion [3].

As newer IoT services are evolving, many of these services are dealing with critical control and user data. Security concerns for these systems are also becoming the fundamental design requirement.

Undoubtedly securing these IoT systems is a challenging task. Traditional security measures cannot be directly applied to these systems due to various factors specific to IoT ecosystem [5]. This paper discusses the major challenges/ concerns for providing security for IoT systems.

Large Attack Surface Area

Wikipedia defines attack surface as   “The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.” [4]

Since an IoT system comprises of multiple edges and tiers it has a large attack surface area including device physical interfaces, device web interface, device firmware, network services interface, administrative interface, cloud web interface, vendor backend APIs etc.

All these attack surface areas need to be examined while devising a security solution for the system. Each attack surface opens an opportunity for hacker.

No Standard solution

There is no standard approach to IoT security as it is not just about the device, or the network, or the clients, but a combination of several of these. Providing a solution that caters to the security requirements of participating entities i.e. the device, cloud, mobile application, network interfaces, device firmware and the ecosystem at large is a challenge.

Multitude of Heterogenous Devices

IoT system comprises of large number of heterogenous connected devices with   each device being a potential risk to the system. It is important for the service provider to preserve the confidentiality and integrity of the data collected and sent across the network. Heterogenous nature of these devices makes the task of securing all these devices even more challenging. The weakness in one device could open access to other devices on the network [6]

Device Constraints

IoT devices are essentially embedded devices that have their own limitations the three most prominent limitations being:

  • Processing capability
  • Low Power
  • Low available bandwidth

These constraints imply that the same security features used in desktop computers can’t be used for IoT devices and alternate solutions are required. One of the alternatives is to use a central hub. These hubs link the long range network connections requiring large amounts of power like cell-networks, parabola-connections or Wi-Fi-connections while the shorter range network connections requiring low power are provided by technologies such as ZigBee, Z-Wave or Bluetooth Low Energy [2]. Edge devices report their data to the hub, and the hub forwards either processed or unprocessed data to central storage.

Physically Insecure Devices

Most of the time, IoT devices are installed and operate outside the physical possession of the service provider. Any comprise of the device can lead to introduction of rogue device within the network. Any unsecured storage or ports are targets for the hacker to tamper with the device. Security credentials stored within the device control all the security aspects of the device, hence utmost   priority needs to be given to securely store the security credential within the device.

Access Control and Authorization

IOT devices allow themselves to be controlled and operated remotely, thus robust authentication and authorization is required to prevent access by malicious users. Some strategies include certificate-based authentication, password/PIN based authentication, biometrics etc.

Since these devices are generally provisioned online, the device should have the capability to auto-update their credentials over the air without manual intervention.

For authorization, there is a need to implement a security strategy that safeguards users and data while providing granular control over data privileges, such as specifying what data can be copied to external devices.

Software/Firmware Security

Untrusted code, such as worms, viruses, spyware, and other malware installed on a device, often compromise the device. Device manufacturers need to implement security measures that stops untrusted code from launching and unauthorized changes from being made.

Holistic approach to security

Security is as strong as its weakest link, so providing best security for cloud, network and mobile application is not enough, one should essentially consider the vulnerabilities on the tiny embedded devices that are an integral part of the system. Any security solution catering to the security requirement should be able to understand the overall security requirement of the system. This is a challenge as it involves multiple stakeholders, device manufacturers, cloud platform provider, IOT Service provider etc.

HSC in IOT Security

As is evident from the above, providing a holistic solution is one of the major challenges in IoT security. HSC with its expertise in IoT, embedded and networking has the right mix of experience to put the pieces together and provide an end to end security approach for the IoT system. HSC’s solution aims to secure storage for storing the device credentials which could be used to authenticate and identify the device whenever it communicates with the cloud [7]. It also provides mechanism to securely update and provision the credentials of an IoT device.

The solution works in conjunction with the IoT server &device applications and supports credential management by managing x.509 based certificate lifecycle. One of the approached for secure storage is to use a UICC based solution as they are considered safe even when installed in hostile environment. Some areas of focus are:

  • Providing end to end solution for device security for IOT Service Provider.
  • Support standard secure element interfaces, e.g. UICC card and/or other HSM interface.
  • Manage credentials for IOT service provider using X.509 certificates.
  • Provide mechanism to provision and update security credentials for IOT Service Provider.
  • Portable solution with minimum integration points.

Reference

  1. HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities - Mark Stanislav and Tod Beardsley(Rapid7)
  2. Security in Internet of Things Systems - Christian Dancke Tuen (Norwegian University of Science and Technology)
  3. Remote Exploitation of an Unaltered Passenger Vehicle - Charlie Miller,Chris Valasek
  4. https://en.wikipedia.org/wiki/Attack_surface
  5. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
  6. https://securingtomorrow.mcafee.com/business/3-key-security-challenges-internet-things/
  7. GSMA Whitepaper - Solutions to Enhance IoT Authentication Using SIM Cards (UICC)





No Comments




Add Comment