IoT and security issues
The Internet of Things (Internet of Things, IoT), like any high-growth technology, is experiencing a number of "growing pains", among which the most serious is the problem of security. The more “smart” devices are connected to the network, the higher are the risks associated with unauthorized access to the IoT system and the use of its capabilities by attackers. Today, the efforts of many companies and organizations in the field of IT are aimed at finding solutions that will minimize the threats hindering the full implementation of IoT.
The development of the concept of the Internet of Things and its implementation in various areas involves the presence of tens of billions of autonomous devices. According to the Statista portal , in 2017 there are already more than 20 billion, and by 2025 no less than 75 billion are expected. All of them are connected to the Network and transmit the data corresponding to their functionality through it. Both data and functionality are targeted by intruders, and therefore must be protected.
For IoT devices, security lies primarily in the integrity of the code, the authentication of users (devices), the establishment of ownership rights (including the data they generate), and the ability to repel virtual and physical attacks. But in fact, most of the IoT devices that are working today are not equipped with security elements, have externally accessible management interfaces, default passwords, that is, they have all the signs of a web vulnerability.
We still remember the events a year ago, when the Mirai botnet, by selecting combinations of default logins and passwords, hacked a large number of cameras and routers, which were later used for the most powerful DDoS attack on the UK Postal Office, Deutsche Telekom, TalkTalk, KCOM and Eircom networks. At the same time, the “bootforce” of IoT devices was carried out using Telnet, and routers were hacked through port 7547 using the TR-064 and TR-069 protocols.
But the most resonant, perhaps, was the attack that laid the DNS operator DYN, and with it almost the “half Internet” of the United States. To attack the botnet was used the easiest way through the default logins and device passwords.
These events clearly demonstrated the gaps in IoT-systems and the vulnerability of many "smart" devices. It is clear that failures of someone else’s “smart” watches or fitness trackers will not do much harm, except for the disorder of their owners. But hacking IoT devices that are part of M2M systems and services, in particular, integrated into critical infrastructure, is fraught with unpredictable consequences. In this case, the degree of their security should correspond to the importance of a particular infrastructure: transport, energy or other, on which people's livelihoods and the work of the economy depend. Also at the household level - failures and attacks on the same “smart” home system can lead to local communal or other emergency and dangerous situations.
Of course, threats to infrastructure existed in “pre-Internet” times, for example, due to the same natural disasters or design errors. However, with the advent of devices connected to the Network, another one was added, and probably an order of magnitude more serious - a cyber attack.
The existing security problem of IoT devices did not arise because of the technical stupidity or carelessness of their developers. Here, the ears of a sober calculation “stick out”: the speed of entering the market gives an advantage over competitors, even if only for a short time, and even at the expense of a low threshold of protection.
Most manufacturers do not bother to spend time and money on the development and testing of codes and security systems of their "smart" products.
One of the ways to get them to reconsider their attitude towards the safety of their IoT products can be certification. The idea is not new, but still deserves attention, at least it is at least some way to solve the problem. The certification procedure for IoT devices should not be bureaucratic and provide the buyer with a guarantee that it has a certain degree of protection against hacker attacks. To begin with, the need for a security certificate can be indicated in the implementation of government and corporate procurement.
Today, several private companies also deal with certification issues. In particular, the company Online Trust Alliance (OTA) has launched an initiative to solve the problem of IoT security at the level of states and manufacturers, releasing the IoT Trust Framework- A list of criteria for developers, device manufacturers and service providers, which aims to improve the security, privacy and life cycle of their IoT products. First of all, it focuses on connected home, office and wearable devices and is a kind of recommendatory code of conduct and the basis for several certification and risk assessment programs.
This year, an independent division of Verizon - ICSA Labs launched a programsecurity testing and certification of IoT devices. According to its developers, it is one of the first of its kind, and tests such components as notification / logging, cryptography, authentication, communication, physical security, and platform security. Devices that have been certified will be marked with a special ICSA Labs approval mark indicating that they have been tested and vulnerabilities have been fixed. Also, certified devices will be monitored and periodically tested throughout their life cycle to maintain their safety.
In turn, the testing and certification programUL Cybersecurity Assurance (CAP) aims to ensure the safety of products and systems. CAP certification certifies that a product or system provides a reasonable level of protection against risks that may result in unintended or unauthorized access, alteration or failure. In addition, CAP also confirms that future patches, updates, or new software versions for a certified product or system will not reduce the level of protection existing at the time of the evaluation.
However, many IoT security experts believe that the greatest benefits of such certification programs will be when testing not only a specific device, but the entire ecosystem: its infrastructure, applications, etc. After all, a tested and secure IoT device can fail in the process of interaction within the system.
With unconditional advantages for the development of IoT, certification programs have a downside. The mere fact that a device passes the test and the availability of a certificate cannot be a 100% guarantee of its safety, since it is very likely that it still has certain flaws. Excessive faith in the security certificate can play a cruel joke with users who have individual needs and different uses for devices, and therefore their own risks and threats. And, of course, the likelihood of abuse is not excluded. Surely there will be manufacturers who will pay for “quasi-certification”, pursuing purely commercial goals.
It turns out that for a global solution to a security problem through certification, some kind of unifying solution is needed, a common incentive for all manufacturers to release protected devices, and consumers not to buy those whose safety is not confirmed. How he should be - legislative, economic or punitive - has yet to be decided. Ultimately, the result should be the security of the global Internet of Things.
The security of the Internet of Things has become one of the first areas of use of blockchain technology. Thanks to the technology of the distributed registry, it became possible to provide a high level of security for IoT devices on the network and to eliminate the existing restrictions and risks for IoT associated with centralization.
It allows you to quickly and safely save the exchange protocols and the results of the interaction of various IoT devices in a decentralized system. It is the distributed architecture of the blockchain that guarantees a sufficiently high security of the entire IoT system. But if a part of the network devices is still subject to hacking, in general, this will not affect the overall operation of the system. The use of “smart” devices that work in IoT systems by botnets has become possible due to their weak security. The distributed type of trust relationship allows you to get rid of the hacked device without appreciable damage to the whole model of interaction between “healthy” objects.
In the context of security today, the blockchain can be used in a number of areas where the Internet of things is developing most intensively. For example, it is management of authentication, check of working capacity of different services, ensuring the indivisibility of information and others. At the beginning of the year, a number of leading companies, including Cisco, BNY Mellon, Bosch, Foxconn and a number of others, formed a consortium that will find solutions for using the blockchain to increase security and improve the interaction of IoT products. The main task that its members set for themselves is the development of blockchain-based technology of a distributed database and an information exchange protocol between IoT devices.
Note that in January 2017, DHS USA began using blockchain technology to protect, transfer and store data collected by the agency from surveillance cameras and various monitoring sensors. The technology is also being tested by DARPA, a division of the US Department of Defense, which oversees the development of new technologies for the army. In addition, one of the agencies conducting research under the roof of the Pentagon, has signed a contract worth several million dollars with software-company Galois, engaged in developments in the field of security based on the blockchain.
Today it is already obvious that it will be difficult to implement all the features that the IoT concept can provide to users without solving security and privacy problems. The above methods of protecting IoT, of course, are not exhaustive, many groups, companies and enthusiasts are working on solving the problem. But above all, the high level of security of Internet of Things devices should be the main task of their manufacturers. Reliable protection should initially be included as part of the product functions and become a new competitive advantage, both for manufacturers and suppliers of integrated IoT solutions.
Smart but Vulnerable
The development of the concept of the Internet of Things and its implementation in various areas involves the presence of tens of billions of autonomous devices. According to the Statista portal , in 2017 there are already more than 20 billion, and by 2025 no less than 75 billion are expected. All of them are connected to the Network and transmit the data corresponding to their functionality through it. Both data and functionality are targeted by intruders, and therefore must be protected.
For IoT devices, security lies primarily in the integrity of the code, the authentication of users (devices), the establishment of ownership rights (including the data they generate), and the ability to repel virtual and physical attacks. But in fact, most of the IoT devices that are working today are not equipped with security elements, have externally accessible management interfaces, default passwords, that is, they have all the signs of a web vulnerability.
We still remember the events a year ago, when the Mirai botnet, by selecting combinations of default logins and passwords, hacked a large number of cameras and routers, which were later used for the most powerful DDoS attack on the UK Postal Office, Deutsche Telekom, TalkTalk, KCOM and Eircom networks. At the same time, the “bootforce” of IoT devices was carried out using Telnet, and routers were hacked through port 7547 using the TR-064 and TR-069 protocols.
But the most resonant, perhaps, was the attack that laid the DNS operator DYN, and with it almost the “half Internet” of the United States. To attack the botnet was used the easiest way through the default logins and device passwords.
These events clearly demonstrated the gaps in IoT-systems and the vulnerability of many "smart" devices. It is clear that failures of someone else’s “smart” watches or fitness trackers will not do much harm, except for the disorder of their owners. But hacking IoT devices that are part of M2M systems and services, in particular, integrated into critical infrastructure, is fraught with unpredictable consequences. In this case, the degree of their security should correspond to the importance of a particular infrastructure: transport, energy or other, on which people's livelihoods and the work of the economy depend. Also at the household level - failures and attacks on the same “smart” home system can lead to local communal or other emergency and dangerous situations.
Of course, threats to infrastructure existed in “pre-Internet” times, for example, due to the same natural disasters or design errors. However, with the advent of devices connected to the Network, another one was added, and probably an order of magnitude more serious - a cyber attack.
Device certification
The existing security problem of IoT devices did not arise because of the technical stupidity or carelessness of their developers. Here, the ears of a sober calculation “stick out”: the speed of entering the market gives an advantage over competitors, even if only for a short time, and even at the expense of a low threshold of protection.
Most manufacturers do not bother to spend time and money on the development and testing of codes and security systems of their "smart" products.
One of the ways to get them to reconsider their attitude towards the safety of their IoT products can be certification. The idea is not new, but still deserves attention, at least it is at least some way to solve the problem. The certification procedure for IoT devices should not be bureaucratic and provide the buyer with a guarantee that it has a certain degree of protection against hacker attacks. To begin with, the need for a security certificate can be indicated in the implementation of government and corporate procurement.
Today, several private companies also deal with certification issues. In particular, the company Online Trust Alliance (OTA) has launched an initiative to solve the problem of IoT security at the level of states and manufacturers, releasing the IoT Trust Framework- A list of criteria for developers, device manufacturers and service providers, which aims to improve the security, privacy and life cycle of their IoT products. First of all, it focuses on connected home, office and wearable devices and is a kind of recommendatory code of conduct and the basis for several certification and risk assessment programs.
This year, an independent division of Verizon - ICSA Labs launched a programsecurity testing and certification of IoT devices. According to its developers, it is one of the first of its kind, and tests such components as notification / logging, cryptography, authentication, communication, physical security, and platform security. Devices that have been certified will be marked with a special ICSA Labs approval mark indicating that they have been tested and vulnerabilities have been fixed. Also, certified devices will be monitored and periodically tested throughout their life cycle to maintain their safety.
In turn, the testing and certification programUL Cybersecurity Assurance (CAP) aims to ensure the safety of products and systems. CAP certification certifies that a product or system provides a reasonable level of protection against risks that may result in unintended or unauthorized access, alteration or failure. In addition, CAP also confirms that future patches, updates, or new software versions for a certified product or system will not reduce the level of protection existing at the time of the evaluation.
However, many IoT security experts believe that the greatest benefits of such certification programs will be when testing not only a specific device, but the entire ecosystem: its infrastructure, applications, etc. After all, a tested and secure IoT device can fail in the process of interaction within the system.
With unconditional advantages for the development of IoT, certification programs have a downside. The mere fact that a device passes the test and the availability of a certificate cannot be a 100% guarantee of its safety, since it is very likely that it still has certain flaws. Excessive faith in the security certificate can play a cruel joke with users who have individual needs and different uses for devices, and therefore their own risks and threats. And, of course, the likelihood of abuse is not excluded. Surely there will be manufacturers who will pay for “quasi-certification”, pursuing purely commercial goals.
It turns out that for a global solution to a security problem through certification, some kind of unifying solution is needed, a common incentive for all manufacturers to release protected devices, and consumers not to buy those whose safety is not confirmed. How he should be - legislative, economic or punitive - has yet to be decided. Ultimately, the result should be the security of the global Internet of Things.
Blockchain technology
The security of the Internet of Things has become one of the first areas of use of blockchain technology. Thanks to the technology of the distributed registry, it became possible to provide a high level of security for IoT devices on the network and to eliminate the existing restrictions and risks for IoT associated with centralization.
It allows you to quickly and safely save the exchange protocols and the results of the interaction of various IoT devices in a decentralized system. It is the distributed architecture of the blockchain that guarantees a sufficiently high security of the entire IoT system. But if a part of the network devices is still subject to hacking, in general, this will not affect the overall operation of the system. The use of “smart” devices that work in IoT systems by botnets has become possible due to their weak security. The distributed type of trust relationship allows you to get rid of the hacked device without appreciable damage to the whole model of interaction between “healthy” objects.
In the context of security today, the blockchain can be used in a number of areas where the Internet of things is developing most intensively. For example, it is management of authentication, check of working capacity of different services, ensuring the indivisibility of information and others. At the beginning of the year, a number of leading companies, including Cisco, BNY Mellon, Bosch, Foxconn and a number of others, formed a consortium that will find solutions for using the blockchain to increase security and improve the interaction of IoT products. The main task that its members set for themselves is the development of blockchain-based technology of a distributed database and an information exchange protocol between IoT devices.
Note that in January 2017, DHS USA began using blockchain technology to protect, transfer and store data collected by the agency from surveillance cameras and various monitoring sensors. The technology is also being tested by DARPA, a division of the US Department of Defense, which oversees the development of new technologies for the army. In addition, one of the agencies conducting research under the roof of the Pentagon, has signed a contract worth several million dollars with software-company Galois, engaged in developments in the field of security based on the blockchain.
Today it is already obvious that it will be difficult to implement all the features that the IoT concept can provide to users without solving security and privacy problems. The above methods of protecting IoT, of course, are not exhaustive, many groups, companies and enthusiasts are working on solving the problem. But above all, the high level of security of Internet of Things devices should be the main task of their manufacturers. Reliable protection should initially be included as part of the product functions and become a new competitive advantage, both for manufacturers and suppliers of integrated IoT solutions.