Your smartwatch is so cool and has so many useful functions! But what if I told you that hackers could use it to spy on your location? Or that it is possible to hack driverless cars? Even nuclear power plants. Sounds rather scary, doesn’t it? The rapid expansion of IoT introduces many security risks, which may bring to mind the futuristic scenarios of Isaac Asimov. Would you give up all the benefits of IoT and never again use those dreadful connected devices? I don’t think you would. So we have to face the IoT security challenges and find cures for them.
IoT has transformed business processes and every aspect of our lives. The number of connected devices is growing rapidly every year: from 8.7 billion in 2012 to an estimated 50.1 billion in 2020! That is a huge attack surface for cyber threats. Security in the Internet of Things is crucial, as successful attacks may result in huge losses of time and money, and may even cost lives.
IoT Security Challenges Hit the Headlines
The Internet of Things Study carried out by Hewlett Packard last year found that 80% of the devices raised privacy concerns, and six out of ten were vulnerable to a range of issues such as persistent XSS and weak credentials. On average, the research found about 20 vulnerabilities per device analysed.
Another report, published by Veracode, covered a range of always-on consumer IoT devices, such as Internet-based remote controls for electrical outlets, interior switches and garage doors, and central control units for home automation sensors. It showed the same worrying results: only one of the six devices included in the study was free of serious vulnerabilities.
Internet of Nothings, Internet of Fail, Internet of Crappy Things, The Risk of Things… As we can see, these headlines are rather sceptical about the state of things. Well-known stories such as car hacks or cyber-attacks on nuclear plants only support these apprehensions. But admiring the problem is far easier than finding solutions. We will start by defining the principal vulnerabilities that compromise security in IoT. After that we will review the best practices that help to mitigate the IoT security challenges.
Top 10 IoT Security Vulnerabilities
The Open Web Application Security Project (OWASP) lists the following principal IoT security vulnerabilities:
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Lack of Transport Encryption/Integrity Verification
- Privacy Concerns
- Insecure Cloud Interface
- Insecure Mobile Interface
- Insufficient Security Configurability
- Insecure Software/Firmware
- Poor Physical Security
Apply Security Best Practices
IoT security challenges have now become a question of the highest concern. At the government level, the FBI has issued consumer protection recommendations. Security firms are using their experience to find solutions that address IoT security challenges. For example, the digital security company Gemalto is working on Secure Element technology for automotive and industrial companies. Microsoft has issued Internet of Things security best practices, and so has IBM.
A survey carried out by Quocirca in December 2015 shows that 47% of respondents already perform regular scanning of IoT devices, and another 29% are planning to do the same. As for DoS protection, 39% of respondents have already implemented it and 31% plan to do so. Other security measures implemented by the respondents are the use of closed IP networks, device firmware scanning, adoption of the “hub and spoke” model, and pattern matching.
Security in the Internet of Things must be taken into account at all stages of the IoT software development lifecycle. Here are some tips for the design, coding and testing stages that address the IoT security challenges.
Start with Security
Designing security functions in from the start is always easier than adding them later. A top-to-bottom security assessment of the future IoT application must be an integral part of the design stage. This approach reduces the cost and duration of application development, and also raises the security level.
To avoid trouble spots that platform vendors have already resolved, use a well-engineered platform for IoT app development. For example, the IoT platforms offered by ThingWorx or Xively provide a comprehensive strategy for ensuring Internet of Things security. They allow connecting existing products, as well as creating new IoT projects from scratch. Another example is the Bluemix cloud platform offered by IBM. This platform offers a range of services aimed at securing mobile and web applications. It follows Internet of Things security best practices such as threat modeling, dynamic scanning, automated source code scanning, and penetration testing.
Small IoT Dictionary
What is a threat model? – It is a structured representation of the security aspects of an app. In other words, it is a catalogue of the app’s potential vulnerabilities.
What is dynamic scanning? – It is software analysis performed in a runtime environment. During dynamic scanning the developer compares the actual output of the software to the expected output and analyses its functional behaviour.
What is a penetration test? – It is a controlled attempt to break the software’s security in order to identify its weaknesses.
Security by Design
Password-based authentication alone is not secure enough, because passwords have to be memorable. So plan for two-factor authentication, especially if your IoT application handles confidential data received from untrusted networks. We recommend combining password protection with biometric authentication, such as fingerprint recognition or gesture-based authentication.
The Information Networking Institute of Carnegie Mellon University in Pittsburgh has published interesting research on multi-factor authentication for security in the Internet of Things. It proposes six authentication mechanisms to supplement password protection: facial recognition, fingerprint recognition, retina scan, voice recognition, gesture-based authentication and security tokens. The study describes how combinations of these authentication procedures can be used in the context of smart homes, smart offices, smart cars and smart airports. It also compares the procedures on factors such as efficiency, speed, learnability, memorability and user preference.
Design secure account management. Provide an appropriate level of account customization and a strong password reset procedure. Incorrect account configuration by users can open serious security holes, so consider separating administrator and user accounts. Also think about secure storage of passwords: never store plain-text passwords in databases. Instead, use salted password hashing, which cannot be reversed to recover the plain-text passwords.
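As an added illustration of the security-token second factor mentioned above, here is a Python implementation of time-based one-time passwords (RFC 6238) together with the two checks a server needs when it accepts them: tolerance for a little clock drift between device and server, and rejection of a code that has already been used. This is example code written for this article, not code from the Carnegie Mellon study or from any vendor. The secret is the public test secret from the RFC; the TokenState class, the one-step window and the 30-second step are assumptions of the example.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the counter that matched, or None.

    Accepts codes from `window` steps before or after the server's clock, but never a
    counter at or below the last one accepted, so a captured code cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = int(timestamp) // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_used_counter:
            continue
        # Constant-time comparison: the code is a secret until it expires.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


class TokenState:
    """Per-user state the server must persist: the shared secret and the last counter accepted."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_counter = -1

    def check(self, submitted: str, timestamp: int) -> bool:
        matched = verify_totp(self.secret, submitted, timestamp, self.last_used_counter)
        if matched is None:
            return False
        self.last_used_counter = matched   # remember it so the same code is refused next time
        return True


# Public test secret from RFC 6238 (ASCII "12345678901234567890"); a real deployment
# generates a random secret per user and shares it once, at enrolment.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    state = TokenState(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(code, state.check(code, 59), state.check(code, 59))
```

The second factor only adds security if the server keeps the shared secret as carefully as a password hash and persists last_used_counter; without the replay check, a code observed on the wire stays valid for the whole acceptance window.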
In 2016, Internet of Things security spending worldwide was increased by 24% as compared to 2015
Document and justify all intended storage of personal information. First and foremost, avoid collecting unnecessary personal or confidential data. If this information is indispensable, use proper encryption to protect it. Consider using established routines or ready-made solutions, such as SSL/TLS for data in transit, that encrypt and anonymize personal data stored and transferred over networks. On top of that, make personal data collection, processing and storage clear to the consumer. Your privacy agreement should explain all personal data usage in the application and request the user’s explicit consent.
Validate user input to prevent attacks that exploit missing or incorrect validation of user-supplied data. This coding practice is basic but very important, since it prevents buffer overflows as well as the injection of malicious scripts and database queries.
Do not use overly explicit application error messages: these can give intruders a hint on how to hack the application. For example, a simple message like “User password is incorrect” confirms that they have already guessed the account name correctly.
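To make the input validation point concrete, here is an added Python example (written for this article, not taken from any platform or vendor) that handles a device identifier the three ways the paragraph describes: an allowlist with a hard length cap so oversized or odd input never reaches the application, a parameterized query so the value can never rewrite the SQL, and HTML escaping so a user-chosen label cannot carry a script into a page. The table, the readings and the device identifier format are constructed for the demonstration; the "unsafe" function is kept only to show what the hardened one prevents.

```python
import html
import re
import sqlite3

# Allowlist for device identifiers: letters, digits, underscore, hyphen, at most 32 chars.
# The length cap is the same idea as bounding a buffer: nothing longer is ever processed.
DEVICE_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_device_id(value) -> bool:
    return isinstance(value, str) and DEVICE_ID.fullmatch(value) is not None


def validate_device_id(value) -> str:
    """Reject anything outside the allowlist before it reaches a query or a page."""
    if not is_valid_device_id(value):
        raise ValueError("invalid device id")
    return value


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table of sensor readings for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (device_id TEXT NOT NULL, temp REAL NOT NULL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?)",
                     [("sensor-1", 21.5), ("sensor-2", 19.0)])
    conn.commit()
    return conn


def readings_unsafe(conn: sqlite3.Connection, device_id: str):
    """Vulnerable: the query is assembled by string formatting, so the input can change
    its meaning. Shown only to contrast with readings_safe below."""
    return conn.execute(
        f"SELECT temp FROM readings WHERE device_id = '{device_id}'").fetchall()


def readings_safe(conn: sqlite3.Connection, device_id: str):
    """Hardened: validate first, then bind the value as a parameter so it is data, never SQL."""
    device_id = validate_device_id(device_id)
    return conn.execute(
        "SELECT temp FROM readings WHERE device_id = ?", (device_id,)).fetchall()


def render_device_row(device_id: str, label: str) -> str:
    """Output side: escape free text (a user-chosen label) before it goes into HTML,
    so a label containing markup is displayed literally instead of executed."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(validate_device_id(device_id)), html.escape(label))


if __name__ == "__main__":
    db = build_db()
    print(readings_safe(db, "sensor-1"))
    print(render_device_row("sensor-1", "Living room <b>"))
```

Note that the allowlist and the parameter binding are independent defences: the binding alone already stops SQL injection, and the allowlist alone already stops the classic payloads, but keeping both means a later change to the query (or a second consumer of the same value, such as a log line or a shell command) does not silently reopen the hole.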
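The following added Python example (written for this article, not code from any of the platforms or libraries named on this page) combines two of the points above: the salted password hashing recommended for account management, and a login that fails with one generic message whether the account name or the password was wrong. It uses PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt; the iteration count, the record format and the small user store are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Constructed for the example: tune it to the slowest
# hardware that must verify logins, and raise it over time as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash base64)."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# Constructed user store; a real app keeps these records in its database.
USERS = {"alice": hash_password("correct horse battery staple")}

# A record for nobody. It is verified when the username is unknown, so a failed login
# takes the same time whether or not the account exists and the timing gives nothing away.
DUMMY_RECORD = hash_password(secrets.token_hex(16))

LOGIN_FAILED = "Invalid username or password"


def login(username: str, password: str):
    """Return (success, message). The message never says which of the two was wrong."""
    record = USERS.get(username, DUMMY_RECORD)
    password_ok = verify_password(password, record)
    if username not in USERS or not password_ok:
        return False, LOGIN_FAILED
    return True, "OK"


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
```

Storing the algorithm name and iteration count inside each record is what lets you raise the work factor later: old records still verify, and can be re-hashed with the new parameters the next time their owner logs in.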
Do not invent your own encryption routines for confidential or personal data. Use ready-made libraries with tried and tested algorithms and procedures; examples include Crypto++ written in C++, wolfSSL written in ANSI C, and the RELIC toolkit for a wide variety of platforms. At the same time, verify the security of external libraries and check them regularly for security vulnerabilities. For instance, security vulnerabilities were recently found in the open source library OpenSSL, which contains tools for encrypting data communications; to handle the issue, its authors released an update of the library.
Mobile apps have some additional security concerns compared to web applications. Make use of the features and functions that your operating system and mobile platform offer for integration into the app. They give more possibilities to secure mobile app authentication and usage (for example, biometric authentication), but keep in mind that such an authentication system can be disabled. So do not rely on it alone; plan for additional protection.
As for the device software, use the most recent firmware version and check regularly for updates and notifications of security vulnerabilities. Update the IoT application with security patches, which must be signed and verified before installation.
Code review is an effective technique for detecting security holes at the development stage. Although this step might appear costly and time-consuming, it is indispensable before the deployment of any IoT app. Otherwise, retesting and post-release security patches can end up costing more and damaging your reputation. The reviewers must be suitably qualified and independent of the application’s development.
Perform penetration tests after any important code change, before the application release, and on a regular basis after it. Testing catches such widespread vulnerabilities as cross-site request forgery, cross-site scripting, SQL injection and buffer overflow attacks. Involve real hackers in this task, because they know how to hack your app, a hundred percent. You can easily find them on specialised web portals such as Hackerlist or NeighborhoodHacker. Ensure that they have enough experience to show the developers the security holes they have found and to explain how they exploited them.
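The "signed and verified before installation" rule is easy to state and easy to get subtly wrong, so here is an added Python example of the device-side check (written for this article, not a vendor's update mechanism). It assumes the `cryptography` package is installed and uses Ed25519: the vendor signs a header and image with a private key, the device holds only the matching public key, and nothing is written to flash unless the whole package verifies and its version is newer than the one installed. The package layout, the magic bytes and the version-number rollback rule are assumptions constructed for the example.

```python
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

MAGIC = b"FWUP"                   # constructed package format, not a real vendor format
HEADER = struct.Struct(">4sII")   # magic, version, image length (big-endian)
SIG_LEN = 64                      # Ed25519 signatures are always 64 bytes


def build_package(signing_key: Ed25519PrivateKey, version: int, image: bytes) -> bytes:
    """Vendor side: header | image | signature over (header | image).

    Signing the header too means the version number cannot be altered in transit."""
    body = HEADER.pack(MAGIC, version, len(image)) + image
    return body + signing_key.sign(body)


def verify_update(package: bytes, trusted_key: Ed25519PublicKey, installed_version: int):
    """Device side. Returns (accepted, reason, image); the image is None unless accepted."""
    if len(package) < HEADER.size + SIG_LEN:
        return False, "package too short", None
    magic, version, length = HEADER.unpack_from(package, 0)
    body_end = HEADER.size + length
    if magic != MAGIC or len(package) != body_end + SIG_LEN:
        return False, "malformed package", None
    body, signature = package[:body_end], package[body_end:]
    try:
        trusted_key.verify(signature, body)   # raises on any change to header or image
    except InvalidSignature:
        return False, "signature check failed", None
    # Signature is good, so the version field is the vendor's: refuse to go backwards,
    # otherwise a validly signed but old, vulnerable image could be pushed onto the device.
    if version <= installed_version:
        return False, "rollback to an older or equal version rejected", None
    return True, "accepted", body[HEADER.size:]


def demo():
    """Constructed run: a genuine package passes; a tampered one, one signed with the wrong
    key, and a replay of an already-installed version are all refused."""
    vendor_key = Ed25519PrivateKey.generate()
    trusted_key = vendor_key.public_key()      # provisioned on the device at manufacture
    image = b"firmware image bytes (constructed)"
    good = build_package(vendor_key, 2, image)
    tampered = good[:HEADER.size] + b"X" + good[HEADER.size + 1:]
    forged = build_package(Ed25519PrivateKey.generate(), 3, image)
    return (
        verify_update(good, trusted_key, 1)[0],
        verify_update(tampered, trusted_key, 1)[0],
        verify_update(forged, trusted_key, 1)[0],
        verify_update(good, trusted_key, 2)[1],
        verify_update(good, trusted_key, 1)[2] == image,
    )


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: the signature is checked before anything else is trusted, including the version number, and the private key never leaves the vendor. If the signing key were stored on the device (as it would be with a symmetric MAC) anyone who extracted it from one unit could sign firmware for all of them.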
Updates and Patches for Security of Internet of Things
It is very important to update IoT software on a regular basis to reduce the risk of cyber-attacks. However, the Global State of Information Security Survey performed by PricewaterhouseCoopers shows that only 49% of companies supply their IoT products with remote updates. One of many reasons for this is cost. As a result, soon after the purchase consumers are left with an IoT device that may have many security shortcomings, and no support.
Another reason is the lack of technical expertise to produce the updates. Sometimes companies prefer to leave it to consumers to download patches and install them on their devices. However, some users find this difficult, or do not even know that the patches exist. Remote delivery of patches is more effective and more convenient for consumers.
Educate Your Users
IoT security challenges worry prospective users of IoT devices. However, once they have one, they take no action to protect themselves from hackers and malware. Users rarely realize that the connectivity option can have an impact on their physical environment. A survey held by BullGuard in 2016 found that 72% of respondents did not even know how to configure their routers to protect the home network! 63% of them had never changed the router’s password, and 49% said they did not know how to change it.
Educate consumers through the user guide on secure use of these devices. Emphasize that they should treat seemingly ordinary objects, like smartwatches, driverless cars or healthcare devices, as computing devices and take care of their security. This includes changing passwords on a regular basis, locking the device and securing routers. Give them instructions on how to configure the router and how to choose a strong password. Advise them to take the device offline or turn it off when not in use.
Facing IoT Security Challenges
In the context of the rapid advancement of the IoT industry, we need to analyse IoT security challenges in order to ensure that these devices are safe to use. With the rapid growth in the number of IoT devices worldwide, this question becomes more and more vital. Neglecting security in IoT can lead to disastrous outcomes.
How can we deal with IoT security challenges? Apply security best practices at all steps of IoT software development to reduce the risk of hacking. Minimize the storage of personal data on IoT devices, encrypt confidential information and protect data transfers. It is also important to make users aware of the risks of security breaches. They must know how to avoid them and how to use their smart devices securely.
Interested in the topic of IoT technologies? So, you’ll probably appreciate our recent article How Much Does IoT Development Cost? More articles are coming on this subject soon, so subscribe to our blog and do not miss them!