The Internet of Things (IoT) is a term that describes millions of devices equipped with sensors and connected over the internet. IoT revolution has created a lifestyle revolution that provides convenience. It is because of IoT that we have smart cities, wearable technology, driverless cars, smart home appliances, smart medical devices, among many other intelligent devices. According to Gartner, 20 billion devices will be interconnected by the year 2020. But despite the immense benefits that IoT brings, the increased interconnection brings a lot of cyber security risks. The increased demand for IoT devices and the quest for convenience have left data privacy and security as a second priority. Securing IoT devices require the input of both the users, device manufacturers, and government regulatory agencies.
Before diving into the risks associated with IoT Technology, you can also check various useful IoT articles:
- Top Hardware Platforms for Internet of Things (IoT)
- Selecting the Right Platform for your IoT Solution
- Top Open Source IoT Platforms to Cut Down Your IoT Development Cost
And to start building some real world Iot applications, there are many IoT based projects using Arduino, Raspberry Pi, ESP8266 and other platforms.
Challenges in securing the Internet of Things
Replication of devices is a significant challenge when it comes to securing IoT devices. Once an IoT device is manufactured, it is then replicated and mass-produced. Replication means that, if a security vulnerability is identified in one of the devices, all other devices can be exploited. This makes IoT cybersecurity incidences catastrophic. In 2016, Hangzhou Xiongmai Technology; a Chinese company was forced to recall millions of surveillance devices after a security vulnerability caused an attack on Dyn’s servers that houses Twitter and Netflix.
Negligence by security engineers. Majority of people believe that hackers do not target embedded systems. Cybersecurity is perceived as a problem for big corporations. As a result, security details are not a priority when it comes to the manufacturing of devices some years back. However, recent developments indicate that device manufacturers are prioritizing security in the life-cycle of manufacturing IoT devices.
IoT devices are not easily patched. IoT devices are released in millions and as consumers rush to purchase these devices, very few customers follow-up with device manufacturers to install software upgrades. Also, much of these devices use device-specific software with low usability making it difficult for users to update the software without an expert.
IoT devices use industrial specific protocols that other are not compatible or supported by the existing enterprise security tools. As a result, enterprise security tools such as firewalls and IDS do not secure these industrial specific protocols. Due to the interconnection of these devices, a compromise on the IoT device protocol makes the whole network vulnerable.
Lack of standardized security standards. Due to specialization, different manufacturers specialize in manufacturing a specific component of an IoT. Majority of these manufacturers are located in different countries, thus following industrial standards set in those countries. As a result, the components used to make a single IoT device might end up having different security standards. This difference in security standards might lead to incompatibility or induce vulnerability.
Critical functionality: with the emergence of smart cities, major government infrastructure relies on IoT. Currently, the transport infrastructure, smart communication systems, smart security surveillance systems, and smart utility grids all rely on IoT. Due to the crucial role played by these infrastructures, the security risk involved is also high due to the high interest by hackers.
What should users do to secure IoT Devices?
Users have a critical role in enhancing the security of IoT devices. Some of these responsibilities include;
Change default passwords: The majority of users do not bother to change the default password set by the manufacturer. Failure to change the default password makes it easy for intruders to access the network. The positive technologies released a report indicating that 15% of users use default passwords. What is not known to many users is that the majority of these passwords can be accessed using any search engine. Users should further implement strong and secure passwords to authenticate their devices.
Update the device software: the majority of IoT cyber-attacks occur due to failure by users to update the device firmware regularly. Where else there are devices that update automatically, other devices require manual update. Updating software helps to patch security vulnerabilities and get better performance from the upgraded software.
Avoid connecting to unknown internet connection: Majority of smart devices are designed to search and connect to any networks automatically. Connecting to an open network, especially in public places, is not safe and might expose your device to cyber-attacks. The best solution is to turn off automatic internet connection. Users should also switch off Universal plug and play. UPnP helps IoT devices automatically to connect to each other. Hackers can exploit UPnP by discovering these devices and connecting to them.
Implement guest networking: Network segregation is very crucial even in an organization. Giving access to visitors to your network allows them to access and share resources with the connected devices. Therefore, to avoid exposing your devices to insider threats and untrustworthy friends, it is essential to create a separate network for your guests.
IoT security strategies
API security: Developers and device manufacturers should adopt Application performance indicators (API) as a strategy of securing communication and data exchange between IoT devices and servers.
Incorporating IoT security in the development life-cycle: Developers and manufacturers of IoT devices and software should make security an integral part of the design and development process. Factoring security during the initial development process guarantees secure hardware and software.
Enhancing hardware management: Device manufacturers should adopt strategies to ensure devices are tamper-proof. Endpoint hardening guarantees that devices operating under harsh weather conditions can function even with minimal monitoring.
Use of digital certificates and Public Key Infrastructure: One strategy of enhancing IoT security is through the use of PKI and 509 digital certificates. Establishing trust and control among connecting devices is crucial for network security. Digital certificates and PKI guarantees secure distribution of encryption keys, data exchange, and identity verification over the network.
Implement an identity management system to monitor each connected device. An identity management systems assigns a unique identifier to each IoT device facilitating monitoring of the device’s behaviour making it easier to enforce the appropriate security measures.
Implement security gateways: IoT devices do not have enough memory or processing power to offer the required security. Using security gateways like Intrusion Detection Systems and firewalls can help offer advanced security features.
Team integration and training: IoT is an emerging field, and as a result, constant training of the security team is essential. Development and security team needs to be trained on emerging programming languages and security measures. The security and development teams need to work together and harmonize their activities and ensure security measures are integrated during development.
IoT Devices Security Features
Currently, there is no one size fits all security features that can be adopted by device manufacturers. However, the following security features can facilitate security of IoT devices;
Secure authentication mechanism: Developers should implement a login mechanism that uses secure protocols such as X.509 or Kerberos for authentication.
Enhance data security: implement data and communication encryption to prevent an authorised access.
Employ intrusion detection systems: Current IoT devices are not equipped with IDS that can monitor attempted logins. Even if a hacker attempts a brute force attack on the devices, there will be no alerts. Integration of an IDS will ensure that subsequent failed attempted logins incidences or other malicious attacks are reported.
Integrate IoT devices with device tampering sensors: Tampered IoT devices especially those under minimal supervision are vulnerable to cyber-attacks. Latest processor designs are integrated with tamper detection sensors. These sensors can detect when the original seals are broken.
Use of firewalls to prevent cyber-attacks: Integration of a firewall adds an extra layer of protection. A firewall helps in thwarting cyber-attacks by limiting network access to only the known hosts. A firewall adds an extra layer of protection against buffer overflow and brute force attacks.
Secure communication network: Communication between IoT devices should be encrypted through SSL or SSH protocols. Encrypting communication helps to prevent eavesdropping and packet sniffing.
Cyber-attack is one of the major hindrances to the success of IoT technology. Enhancing security requires all stakeholders to work in harmony to ensure the set standards are implemented and adhered to. The relevant bodies should introduce IoT industrial specific standards that are compatible and supported by other industry standards to enhance the operability of IoT devices across the board. IoT International regulations that cut across all countries should be enforced to guarantee seamlessness in the quality of manufactured IoT devices. Stakeholders should sensitize users on the need and ways of securing their devices and networks against cyber-attacks.
