Major Challenges in Implementing IoT Security

March 23, 2018

The Internet of Things has enabled users to do things in ways never imagined before. IoT is growing at a very fast pace, and IPv6, 4G, and 5G technologies have added fuel to this growth. Researchers estimate that by 2022 the number of active wireless connected devices will exceed 40 billion.

The advent of IoT has opened new possibilities to hackers. Less than 10 years ago it was impossible to imagine that a microwave oven could be used to hack a user's Facebook account, or that multiple refrigerators could be used as a botnet to bring down an IT system, but it is happening today. IoT has penetrated our lives via these connected devices, which allow themselves to be controlled and operated remotely. Launching a "Denial of Service" attack is easier against embedded devices, as these devices are scarce on computing resources. Untrusted code such as worms, viruses, spyware, and other malware can easily be installed on these devices by leveraging design flaws commonly found in embedded software.

Researchers have found critical vulnerabilities in a wide range of IoT baby monitors, which could be leveraged by hackers to monitor and control live feeds [1]. In another development, connected cars were compromised and hackers were able to take control of the entertainment system, unlock the doors, and even shut down the car while in motion [3].

As newer IoT services evolve, many of them deal with critical control and user data. Security for these systems is therefore becoming a fundamental design requirement.

Undoubtedly, securing these IoT systems is a challenging task. Traditional security measures cannot be applied directly to these systems because of various factors specific to the IoT ecosystem [5]. This blog discusses the major challenges and concerns in providing security for IoT systems.

Large Attack Surface Area

Wikipedia defines attack surface as follows: "The attack surface of a software environment is the sum of the different points (the 'attack vectors') where an unauthorized user (the 'attacker') can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure." [4]

Since an IoT system comprises multiple edges and tiers, it has a large attack surface, including device physical interfaces, the device web interface, device firmware, network service interfaces, the administrative interface, the cloud web interface, vendor backend APIs, etc.

All of these attack surfaces need to be examined while devising a security solution for the system, since each one is an opportunity for a hacker.

Lack of Encryption

Man-in-the-Middle (MitM) attacks are very common when devices communicate over plaintext protocols. MitM is a general term for an attacker secretly positioning themselves between an application and the user in order to read and/or relay altered communication. Along with encrypting communication, the data stored on the devices should also be properly encrypted.

A Multitude of Heterogeneous Devices

An IoT system comprises a large number of heterogeneous connected devices, each of which is a potential risk to the system. It is important for the service provider to preserve the confidentiality and integrity of the data collected and sent across the network. The heterogeneous nature of these devices makes the task of securing all of them even more challenging. A weakness in one device could open access to other devices on the network [6].

Device Constraints

IoT devices are essentially embedded devices that have their own limitations, the three most prominent being:

  • Limited processing capability
  • Low power
  • Low available bandwidth

These constraints imply that the same security features used on desktop computers cannot be used on IoT devices, and alternative solutions are required. One alternative is to use a central hub. These hubs carry the long-range network connections that require large amounts of power, such as cellular networks, satellite dish (parabola) connections or Wi-Fi, while the shorter-range, low-power connections are provided by technologies such as ZigBee, Z-Wave or Bluetooth Low Energy [2]. Edge devices report their data to the hub, and the hub forwards either processed or unprocessed data to central storage.

Physically Insecure Devices

Most of the time, IoT devices are installed and operate outside the physical possession of the service provider. Any compromise of a device can lead to the introduction of a rogue device into the network. Any unsecured storage or ports are targets for a hacker to tamper with the device. The security credentials stored within the device control all of its security aspects, hence the utmost priority needs to be given to storing those credentials securely within the device.

Access Control and Authorization

IoT devices allow themselves to be controlled and operated remotely, so robust authentication and authorization are required to prevent access by malicious users. Some strategies include certificate-based authentication, password/PIN-based authentication, biometrics, etc.

Since these devices are generally provisioned online, they should be able to update their credentials over the air without manual intervention.

For authorization, there is a need to implement a security strategy that safeguards users and data while providing granular control over data privileges, such as specifying what data can be copied to external devices.

Software/Firmware Security

Untrusted code, such as worms, viruses, spyware, and other malware installed on a device, often compromises the device. Device manufacturers need to implement security measures that stop untrusted code from launching and prevent unauthorized changes from being made.

Software bugs and vulnerabilities can also lead to undesired functionality, aiding attackers in extracting sensitive information. It is therefore good practice to follow proper secure-development guidelines and agile methodologies to avoid software vulnerabilities.

Vendor Security Posture

Whenever a vulnerability is detected, it is the vendor's duty to mitigate the risk and minimize the consequences. How well prepared a vendor is to deal with a risk therefore largely determines the severity of the impact. The vendor must have processes and procedures in place to prevent, protect against and respond to security threats.

Counterfeit IoT devices

The rapid increase in the installation of rogue and counterfeit IoT devices in networks makes managing the network an uphill task. Not only do these fake products cause revenue losses to OEMs, they can also be configured to function as rogue access points and thus pose a security threat. They can cause malfunctions and can be used to tap into company networks.

A Holistic Approach to IoT Security

Security is only as strong as its weakest link. Providing the best security for cloud, network and mobile applications is not enough; one must also consider the vulnerabilities of the tiny embedded devices that are an integral part of the system. Any security solution must understand the overall security requirements of the system. This is a challenge, as it involves multiple stakeholders: device manufacturers, cloud platform providers, IoT service providers, etc.

HSC in IoT Security

As is evident from the above, providing a holistic solution is one of the major challenges in IoT security. HSC, with its expertise in IoT, embedded systems and networking, has the right mix of experience to put the pieces together and provide an end-to-end security approach for IoT systems. HSC's solution provides secure storage for the device credentials that are used to authenticate and identify the device whenever it communicates with the cloud [7]. It also provides a mechanism to securely provision and update the credentials of an IoT device.

The solution works in conjunction with the IoT server and device applications and supports credential management by managing the X.509 certificate lifecycle. One approach to secure storage is a UICC-based solution, as UICCs are considered safe even when installed in a hostile environment. Some areas of focus are:

  • Providing an end-to-end device security solution for IoT service providers.
  • Supporting standard secure element interfaces, e.g. UICC cards and/or other HSM interfaces.
  • Managing credentials for IoT service providers using X.509 certificates.
  • Providing a mechanism to provision and update security credentials for IoT service providers.
  • A portable solution with a minimum of integration points.



  1. Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities - Mark Stanislav and Tod Beardsley (Rapid7)
  2. Security in Internet of Things Systems - Christian Dancke Tuen (Norwegian University of Science and Technology)
  3. Remote Exploitation of an Unaltered Passenger Vehicle - Charlie Miller, Chris Valasek
  7. GSMA Whitepaper - Solutions to Enhance IoT Authentication Using SIM Cards (UICC)
