Security Challenges in securing IoT

IoT is short for Internet of Things. The Internet of Things refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.The Internet of Things (IoT), also sometimes referred to as the Internet of Everything (IoE), consists of all the web-enabled devices that collect, send and act on data they acquire from their surrounding environments using embedded sensors, processors and communication hardware. These devices, often called "connected" or "smart" devices, can sometimes talk to other related devices, a process called machine-to-machine(M2M) communication, and act on the information they get from one another.

A lot of household appliances, including air conditioners (ACs), thermostats, water heaters, security cameras and lights, can gather data, be accessed remotely and communicate via the Internet.  Some IoT even have the capability to learn your patterns over time to change their settings or alert you when something suspicious happens. Connected garage doors and digital door locks can let you into your home with data from your phone instead of a traditional key. WiFi-enabled stoves and ovens can be monitored or turned off or on remotely.

Many IoT devices’ data and applications are highly sensitive and should be accessible only to authorized individuals. These applications are the computer programs that use real-time/near real-time conditions to ensure they do not fail, and they use consumption data to analyze and predict the future with artificial intelligence algorithms. IoT security should include more than just the IoT device itself. IoT devices have minimal security and many flaws. Many feel that IoT manufacturers are not prioritizing security and privacy. But, despite the security challenges, the spread of IoT is not stopping. Thus, it is a must for security practitioners and users to learn about it to provide more security

Features of IoT
IoT is a collection of devices attached to the Internet that gathers and exchanges data using nodes and controllers. loT can be defined as a network of uniquely identifiable physical objects or “things” that have the capability to sense and interact with themselves, with their external environment or both. Through controllers and cloud processing, these devices may have the ability to think and act autonomously and gather information for various reasons. The characteristics of many “things” are:

  • Fully embedded with or without an operating system (OS) to run
  • Collect mostly real-time data
  • Use all kinds of networks (local area network [LAN], low-power wide-area network [LPWAN], cellular LPWAN [narrowband IoT and LTE-M], and cellular)
  • Have permanent or intermittent connections to the cloud so there is a need to store data with a time stamp
  • Measure physical parameters
  • Capable of making decisions based on the data collected by these devices, which is necessary to achieve automated decision-making centrally

Benefits of IoT
The goal of IoT is to improve the quality of life and provide benefits to consumers and enterprises. IoT helps to achieve the following:

  • Reduction in energy consumption
  • Enhancements in safety and security
  • Improvements in automation of everyday tasks
  • Enhancements in quality of life

Security Challenges
There are many security challenges facing the implementation of IoT. IoT security is not just device security, as all elements need to be considered, including the device, cloud, mobile application, network interfaces, software, use of encryption, use of the authentication and physical security. The scale of IoT application services is large, covers different domains and involves multiple ownershipentities. There is a need for a trust framework to enable users of the system to have confidence that the information and services are being exchanged in a secure environment. The most frequent weaknesses in the data security of IoT applications, as stated in the Open Web Application Security Project (OWASP), are due to:

  • Insecure web interface
  • Insufficient authentication/authorization
  • Insecure network services
  • Lack of transport encryption
  • Privacy concerns
  • Insecure cloud interface
  • Insecure mobile interface
  • Insufficient security configurability
  • Insecure software/firmware
  • Poor physical security

IoT application security and end point security are the biggest concerns. Poorly secured IoT devices and applications make IoT a potential target of cyber-attacks. Application developers or manufacturers that create IoT products are not mature from a security standpoint. However, security is a critical dimension of every IoT design. Integrating security in IoT impacts both hardware and software design from the beginning. The technologies to secure devices and connectivity are changing very quickly. It is challenging; security is not just an add-on to existing systems, but an integral part of them. The scope of security should be end-to-end to support the device from the very beginning

Because many IoT devices are small with limited processing, memory, and power capabilities and resources, most current security methods, such as authentication, encryption, access control and auditing, are too complex to run on IoT devices. IoT devices are being used in urban areas where physical security is difficult to establish or achieve due to the density of structures and complex infrastructure, and this makes it easy for attackers to have direct physical access to the IoT devices. Additionally, denial-of-service (DoS) attacks can weaponize IoT devices and recruit them as part of a massive zombie army. Insecure loT databases or data stores are also a serious matter to consider.

IoT devices have a long shelf life and may possibly outlive support for the device, and outdated devices might be used in circumstances that make it difficult or impossible to reconfigure or upgrade, thus leaving them vulnerable to cyber security threats. Additionally, an improper data disposal practice without adequate wiping is a serious concern.

IoT devices have built-in functions such as microphones, cameras and night vision, and are the eyes and the ears of the device. These devices passively collect petabytes of data, sometimes without user knowledge, that can fall into the wrong hands, affecting user privacy. Undisclosed collection, distribution and use of data, and failure to provide clear, comprehensive disclosures regarding data collection, use and sharing, especially when such practices may be unexpected, places the collector in potential violation of various governance and data privacy laws.

IoT products often ship with insecure default credentials. This could include hard-coded passwords that cannot be changed and shared passwords across a family of devices, making it simple for attackers to compromise these devices. Many IoT devices have built-in default usernames and passwords. Malware seeks out IoT devices and generally tries to attack devices by using the default username and password. Once accepted, the malware is able to take over the device to participate in coordinated botnet attacks.
Security Controls
Generally, multiple layers of administrative, technical and physical controls are used to protect organizational assets against risk. This creates an organized defense that is intense and strong. Commitment and support from senior management are important for successful establishment and continuance of an information security structure. IoT’s significant potential requires management’s attention.

Manufacturers and vendors must include security in the design process. The most effective strategy for securing IoT is to focus on the fundamentals. IoT device manufacturers, IoT connectivity architects, IoT platform developers, IoT application developers, IoT service developers and IoT experience designers should work together to get this done. It is critical for all those who take part in developing IoT to add security features during the design phase of their IoT solution development. The best efforts to prevent attacks include designing for security, embedding firewall features to add an additional layer of defense, providing encryption capabilities and including tamper detection capabilities. If manufacturers do not thoroughly test their devices, consumer trust and safety may be at risk. It is important to ensure that security is purpose-built into every aspect of the ecosystem that is running a particular IoT product, service or device.

When building products for IoT, vendors should always employ good practice and aim for confidentiality, integrity and availability (the CIA triad). The main difference in IoT security compared to traditional IT security is the number of devices, the purpose of usage and the physical condition of the devices. And, perhaps, the main issue is that IoT device manufacturers still do not think of their devices as computers. Testing can provide assurance that the device and its protocols can cope with the ecosystem of the IoT by developing market-accepted test specifications. This helps introduce the time that it takes to get the product or protocol tested, and this helps to accept devices that can work with other IoT objects. Improving security configurability requires testing IoT web interface management, reviewing the IoT network traffic, analyzing the need ofphysical ports, and assessing authentication and interaction of devices with the cloud and mobile applications.

Segmenting IoT devices increases network security. So does developing IoT protocols that not only work together, but also ensure security and privacy. Unused services/ports must be shut down and closed, as these networking ports/services can expose the device to additional attack vectors. It is important to deactivate unnecessary services; these may go undetected, allowing an attacker to stealthily use them as a vector or target of an attack. It is also necessary to build in authentication between devices so that only trusted devices can exchange data. A solid password management tool to manage multiple IoT passwords must also be in place.

User awareness training encourages users and consumers to be aware of the vulnerabilities that the device may experience. When selecting an appropriate IoT device, consumers should require that the vendors have defended the device against common attacks.User data need to be processed and encrypted to remain safe. The entire communication channel from the sensors to the service providers must be secure. Some ways to address the huge gap in security include ensuring confidentiality by providing encrypted communication streams, ensuring integrity by providing encrypted data storage and using hash integrity checkers, providing authentication methods so that the devices arecommunicating with known and trusted entities, and providing security updates in the form of patches and bug fixes.

Regulations will force manufacturers and vendors to make security a priority and provide guidelines on the expectation from IoT developers and manufacturers. IoT regulations will give a level of transparency to consumers, or packaging can reflect the level of security of the IoT device. It is essential to create an adequate legal framework and develop the underlying technology with security and privacy in mind. Regulation will force manufacturers to upgrade and secure their products. IoT applications need to have some consideration for the EU General data Protection Regulation (GDPR). The GDPR introduced a general mandatory notification regime in the event of personal data breaches, data controllers are required to report personal data breaches to their supervisory authorities no later than 72 hours after becoming aware of such a breach and, in some cases, are also required to report such breaches to affected individuals. Data controllers using the IoT need to ensure that they are in a position to identify and react to security breaches in a manner that complies with the requirements of the GDPR.

Regular firmware updates and maintenance help protect the ecosystem and the ability of the IoT to handle virtually all functional operations. It should be possible to get updates of the firmware, the OS, or the specialized logic on stationary and mobile IoT devices. This requires maintenance interfaces toaccess the application runtime environment and the security settings for the apps themselves. It is important to have monitoring systems in place when an event occurs. Once the event has been detected, a responsive action must be triggered to prevent any malicious use of the device. A back-end application should have functionality in place that can log abnormalities in the data it is receiving. Monitoring and software maintenance are essential to minimizing the impact of any device downtime due to software bugs or any other potential problems.