Security Challenges For Internet Of Things

Benefits of IoT

Discuss about the Security Challenges for Internet of Things.

In Today’s developed world more and more devices are getting Smart and are getting connected through internet. Through embedded tags, sensors and actuators devices are able to communicate to each other and the Intelligence embedded in these equipments are able to generate vast amount of valuable data that can be collected, networked and analysed for a wide range of activities. Or in other words, by making these objects more intelligent and internet enabled, we can renovate the physical world with the digital information, products in the vast network of Internet shared across globe. This is the concept of Internet of Things.

A New dimension: the Internet of Things (IoT) way

• New operational efficiencies
• Improved safety & security
• Distribute intelligence & control
• Faster & better decision making
• New business opportunities & revenue streams

However, in spite of several benefits that IoT has to offer, security and data privacy plays a key role and needs to be addressed exhaustively which will be the key theme in subsequent heads.

Below is copy of the three research report used and analysed:

URL: https://www.snia.org/sites/default/files/DSS-Summit-2015/presentations/Liwei-Ren_Iot_Security_Problems_Challenges_revision.pdf

URL: https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf

URL: https://www.iab.org/wp-content/IAB-uploads/2011/03/Turner.pdf

Securing the Internet of Things (IoT) involves a change of mindset among current information security practitioners. The upsurge in technological innovation that permits unprecedented access to data for visibility and initiates physical actions (automation) has also raised complexity levels and coordination requirements, resulting in an increase in the “surface of threat” across technologies and processes. New security thinking must incorporate the blurring of the physical and digital lines of businesses and society itself by gathering and using data about the physical and digital business, effecting physical and digital changes as well.

The reports listed in the Research Highlights section each reflect principles of risk and resilience in one or several ways based on the themes of the reports. Each provides key findings in digital security for organizations, highlights major changes to come for securing IoT, and delivers practical advice in planning, networking and accessing the IoT, with risk and resilience issues in mind. Securing the Iot represents security at the increasingly pervasive edge — a digital presence that has embedded itself deep into the physical edge of the organization and connected that edge to the deepest portions of the traditional IT core, transforming both into a form of digital security that requires new approaches to risk and resilience.

Below is a brief diagrammatic representation of the way IoT works.

From the above data flow we can observe that most of the data is in common shared internet pool services like cloud and are part of network. This exposes the IoT world to security breaches. While  cost  and  ease  of  use  are  two  great  benefits  of  IoT,  there  are  significant  security  concerns  that  organizations  are  worried about  and  which  need  to  be  addressed  when considering the movement of critical applications. Below are top security concerns

• What data? – IoT devices may contain vital information in order to perform the expected application functionality. Companies collect irrelevant, extra information which is easy target for hackers.
• Unauthorised Access – the devices have security loopholes with regard to software and hardware implementation leading unauthorised access to information
• Regulatory Violations – IoT products developed violate the regulatory requirements like controls ISO  27002,  Safe  Harbor, data minimization, ITIL,  and  COBIT
• Unsecured interfaces – The IoT devices have unsecured cloud and mobile interfaces exposing them to security threats
• Poor configuration – TCP connection are not encrypted with SSL/TL, leading open points for attackers to access.

In the above section, we have highlighted gaps in the implementation/ configuring of IoT products. These gaps have lead to various security breach incidents. Here we have highlighted few security issues in real world that have impacted real life.

• In July, 2015 ‘Chrysler’, a leading automobile manufacturer, had to recall 1.4 million cars. A flaw in the design had led to scope of hackers able to remotely control the cars leading to risk of human life. This vulnerability exposed the car to hack and had to be remediated, this being one classic example of impact of threat and security breaches.
• Late 2014, Sony Playstation and Microsoft Xbox gaming networks were hacked and as a result were down for quite some time. As per investigation conducted there threats were possible because of common factory default setting of username and passwords.
• Vulnerability in a camera design, which was advertised as an ideal device to monitor babies, was exploited by a hacker to should abuse on a child A hacker was able to shout abuse at a two-year-old child by exploiting. Using monitoring equipment can help in child safety but we should also adhere to extreme precaution as devices attached to internet increase the potential vulnerability.
• In Nov 2013, Symantec found a worm in IoT world by the name Linux.Darlloz. It targets Intel x86 based computers. It also attacks on devices running on ARM, Power PC and MIPS model, which are usually found on routers and set-top boxes. According to analysis, the author focused on making money with the worm.
• In Jan 2014, security researchers uncovered a cyber attack on the Internet of Things (IoT) based devices, in which more than 100k Refrigerators, Smart TVs and other smart household digital appliances were remotely controlled and hacked to dispatch many malicious spam emails (approx~750,000).

Research reports

Digital security is the risk- and resilience-driven expansion of current cyber security practices to protect the pervasive digital presence in business, government and society. As shown in Figure below titled ‘Trust and Resilience in Digital Security’, it requires security practitioners to establish six key principles to address digital security consistently and effectively.

Business outcomes: A focus on business outcomes — rather than on technology — in identifying what must be secured in an IoT-enhanced organization will be a vital requirement for digital security practitioners. An IoT device is often found at the production or “operations “edge” of a business. The outcomes resulting from IoT device participation in the business process will be the goal — not technological support alone.

Facilitator: Digital security practitioners become facilitators rather than tax collectors or overhead necessities, particularly in providing long-lasting resilient infrastructure and services for IoT projects.

Detect and respond: The focus in digital security projects is moving toward detection and response. While prevention remains a cornerstone of IoT security, the increased complexity—caused by the introduction of millions of devices, subsequent data generation and new people— requires a multifaceted approach.

People-centric: The move to the physical edge, especially in consumer-based IoT security, ensures that the decisions related to privacy and safety are people-centric. These decisions also must consider the implications of protecting IoT devices on behalf of those who use and depend on them. Integrators need special training and monitoring to ensure that networks and devices are properly configured.

Data flow: Data scientists will flow data through whatever systems they need to get the job done. Digital security requires an emphasis on data flow rather than on the static nature of data itself when determining the level and type of protection of, and access to, data required.

Risk-based: The dramatic increase in the scale, diversity and function of IoT devices in the pervasive digital presence also ensures that a prioritization method for digital security is risk driven to use available resources in the most cost-effective manner.

Conclusion

By employing IoT devices, a pervasive digital presence has been created throughout business process and operations. This presence has provided insight into business operations and production automation for all organizations. Along with these devices come data scientists and integrators unskilled in risk management. This presence creates a digital security “superset” that seeks to employ major principles of risk and resilience when creating, configuring, deploying and operating these devices, and working with the new specialists.

References

Narendra,N and Misra, P.(March 8, 2016). Research Challenges in the Internet of Mobile Things. Retrieved on 16th Sept from https://iot.ieee.org/newsletter/march-2016/research-challenges-in-the-internet-of-mobile-things.html

Goldman, D.(July 24, 2015).Chrysler recalls 1.4 million hackable cars. Retrieved on 16th Sept from https://money.cnn.com/2015/07/24/technology/chrysler-hack-recall/

Krebs,B.(August 2015). Six Nabbed for Using LizardSquad Attack Tool. Retrieved on 16th Sept from https://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/

Lee, D. (August 2013).Hacker ‘shouts abuse’ via Foscam baby monitoring camera. Retrieved on 16th Sept from https://www.bbc.com/news/technology-23693460

Hayashi,K. (March 19, 2014). IoT Worm Used to Mine Cryptocurrency. Retrieved on 16th Sept from https://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency

Storm, D. (Feb 11, 2015).Of 10 IoT-connected home security systems tested, 100% are full of security FAIL. Retrieved on 16th Sept from https://www.computerworld.com/article/2881942/cybercrime-hacking/of-10-iot-connected-home-security-systems-tested-100-are-full-of-security-fail.html

Daniel. (Dec 29, 2015).Wearables IoT – Security, Privacy and Safety Concerns. Retrieved on 16th Sept from https://www.appcessories.co.uk/wearables-iot-security-privacy-and-safety-concerns/

Greenberg,A and Zetter,K.(Dec 29, 2015).How the Internet of Things Got Hacked. Retrieved on 16th Sept from https://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/

Ungerleider, N. (Jan 27 2015).U.S. Gov’t: The Internet of Things Is A Security Disaster Waiting To Happen. Retrieved on 16th Sept from https://www.fastcompany.com/3041532/us-govt-the-internet-of-things-is-a-security-disaster-waiting-to-happen

Lomas,N.(Jan 27, 2015).UK Regulator Sets Out Priorities For Growing The Internet Of Things. Retrieved on 16th Sept from https://techcrunch.com/2015/01/27/ofcom-iot-priorities

Bauer, M. (2011).Introduction to the Architectural Reference Model for the Internet of Things. Retrieved on 16th Sept from https://www.iot-a.eu/public/public-documents/copy_of_d1.2/at_download/file

FTC Staff Report. (Jan 2015). Privacy & Security in a Connected World. Retrieved on 16th Sept from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

Paganini,P. (January 19, 2014). IoT – Discovered first Internet of Things cyberattack on large-scale. Retrieved on 16th Sept from https://securityaffairs.co/wordpress/21397/cyber-crime/iot-cyberattack-large-scale.html

Ren, L. (Sept 2015).IoT Security: Problems, Challenges and  Solutions. 2015 SNIA Data Storage Security Summit Wind River Systems, Inc. (2015). Lessons from the Past for the Connected Future. SECURITY in the Internet of Things.

Polk,T & Turner,S. (Feb 2011). Security Challenges For the Internet Of Things.