Current technologies are not able to secure Internet of things (IoT) devices effectively. This is mainly due to the fact that an IoT device is, in practice, a system of systems, in which each child system is conceived with different standards and protocols. Engineers can mitigate the IoT risk of the child systems they are responsible for, but what happens when we connect two or more systems developed by different engineers? Don’t the vulnerabilities of one affect the overall security of the final smart IoT device? The answer is yes, they do!
For instance, closed-circuit cameras and smart-home devices could be hijacked by malware and used by hackers to reach the central operating server – your computer.
The main challenges for IoT security come from the following factors:
- Many IoT systems (those with multiple interconnected devices) are poorly designed and use protocols that often conflict with one another.
- IoT privacy concerns are complex and not always easy to spot.
- The technologies for IoT are changing fast, making it difficult for security experts to keep up.
- There is a lack of standards and regulations for authentication and authorization involving IoT devices.
Although technologies such as Blockchain could solve the issues brought about by the IoT centralization aspect, many other issues, such as the lack of interoperability, remain unsolved.
Understanding IoT security – the IoT journey
To understand the security of IoT devices, one needs to take a holistic approach. Consider the complete journey of a functioning IoT device from the collection of data via its sensors to the maintenance required during its life cycle.
The IoT relies on sensors. Can you trust them? Security breaches can occur by fooling the sensors installed in the IoT. Think of corrupted card readers, for example, where you get your card cloned.
- Sensor connectivity
How are all the sensors interconnected?
- How much can you trust Bluetooth?
Hackers can pick Bluetooth energy locks from a kilometer away.
- What about CAN protocols, typically used in the automotive industry?
Well, hackers have developed cheap tools to penetrate devices via this protocol.
- And wired networks?
Hackers have become expert at reverse engineering network protocols.
- What about new trends?
Drones have been used to attack industrial wireless systems. Wireless mice have been used to inject keystrokes into a device under attack.
Do you get the picture?
Once the data are collected by the sensors, they need to be aggregated. Aggregators consolidate large volumes of data into smaller amounts: clusters and weights. Aggregators could be attacked by denying them the ability to operate/execute or by feeding them compromised data.
- Upstream networks/protocols
Are the systems used to upload/download the aggregated data reliable? Hackers are able to clone 3G/4G cards with a PC and an oscilloscope! Internet-connected gas pump monitoring systems have also been hacked. Similarly, seismological networks have been exposed remotely. In practice, every Internet-facing piece of equipment can be hacked.
Where are the data stored once uploaded/downloaded? A physical hard drive on a computer? In the cloud? In either case, the physical data could be accessed and compromised.
- Data analysis
Where is the software analyzing the stored data operating? Hackers could install malware for the purpose of altering the data.
Who is taking care of the physical maintenance of IoT devices? Hackers could take advantage of planned maintenance moments to hack into a device.