Another look at IoT security
The Internet of Things market is perhaps one of the most attractive for technological investments today. Of course, you should be aware that in many respects its excessive activity is far-fetched and, in addition, in reality, such technologies have been around us for a long time. In some cases, IoT is also perceived as a beautiful combination of letters promising to turn your project assembled on the knee into a round sum in a bank account. We will not go into details from the point of view of the economy of this process, we only note that most of the expectations of investors are based on beautiful figures for forecasts of market volume in five to ten years. One option looks like "15 billion devices this year - 200 billion devices in five years." How can one not be glad for the growth rate ... Unfortunately,
However, there is one question that has occupied the minds of developers, manufacturers and end users of information technology products for more than a dozen years - security. Today, when the number of smart devices per user has grown significantly, it is becoming even more important. You can find a lot of information on this topic on the net, but as they say, “There is never much security,” and we hope that this material will be useful to our readers.
In fact, one can argue almost endlessly on this topic and cite many “scary stories”, from hacking wireless networks to getting remote access to the car control system. And at first glance it might seem that this does not threaten us because of the relatively low level of technology penetration. However, in practice this is not so, and relevant examples can be found almost everywhere. In particular, you can look at the alarm systems of apartments and houses with support for SMS-communication channels. Often installers do not even program passwords and control numbers of proxies, so it’s quite possible for anyone who knows the system model and phone number of the card installed in it to completely disarm the system. The second quite real example - listening to wireless switches or Bluetooth can determine the fact of your absence in the house. In this case, the violator does not need any specialized or very expensive equipment.
In the market of the Internet of things, wearable electronics and automation systems, the security situation today in the most optimistic version is rated as "everything is bad." In a technology race, developers, most likely encouraged by marketers, pay more attention to consumer performance and do not provide security requirements that are often very difficult to explain to the end user. At the same time, the development of new segments often leads to completely new threats. But perhaps the most unpleasant in this situation is that the implementation of protection technologies clearly contradict such popular characteristics as reducing the cost of end products and lowering the power consumption of stand-alone devices.
Another feature that negatively affects security in this segment is the need to ensure compatibility with certain legacy products. This is especially true for previously implemented automation systems of past generations. In particular, we can recall the famous KNX, whose capabilities to protect traffic in the physical network present on each device from the switch to the relay are very limited.
IoT today is found not only in the private sector, but also in many commercial areas, including transportation, automation systems, environmental monitoring and medicine. In each of them, consumers can face unique threats. For example, vehicle tracking can reveal the company's business strategies, and incorrect sensor readings can lead to accidents and damage to expensive equipment.
In general, a system diagram using IoT consists of end devices, optional gateways, a network, and data centers. If we assume that the existing infrastructure of servers and basic communications already implements all the necessary technologies, in particular for corporate networks and databases, then for IoT you need to think about a strategy for protecting endpoints, gateways and their communications.
Endpoints most often operate under limited resources, including computing power, memory, and power consumption. For them, it can be very difficult or even impossible to use technologies such as dedicated security chips, privilege control, memory protection, or virtualization. In addition, lack of resources can lead to poor resistance to denial of service attacks.
The issue is further complicated by the fact that more and more devices are based on their own rather complex microcontrollers and support remote firmware update. So there are tasks to ensure control of the correctness of the code working on devices. As one of the options, systems for providing a trusted execution environment based on hardware and software solutions are proposed here.
An additional layer offered by some companies in the form of local gateways in certain situations can help increase security. In this case, the end devices are not directly connected to the network, but communicate exclusively with the bridge, which simplifies the protection of their local communications. At the same time, the gateway, possessing significantly greater computing resources, is already able to implement traditional technologies for protecting communications when exchanging data with a computer center.
When it comes to secure communications, you should consider such an important factor as ease of use. It is highly desirable to ensure the establishment of connections without complicated manual configuration, but without compromising the level of protection, in accordance with security policies and under the control of an IT management system. To solve this problem, modern protocols for authentication and encryption of traffic can be proposed, however, they need adaptation to increase the efficiency of work on IoT platforms.
Note that in preparing the new version of iRidium software, these issues were given special attention. In particular, secure protocols are used to communicate panels and servers with each other. We will talk about this in more detail in the following publications.
In this case, the solution should correctly work out emergency situations, for example, loss of communication. Given the increasing spread of specialized algorithms and analytics, it is important here to ensure the correctness and consistency of the received data.
In addition to the two issues described above, there is one more, possibly no less important. It's about the product life cycle. Security technologies are needed at all stages - from development and creation, during operation to disposal.
For the business segment, the key here will be convenient and efficient tracking of all devices in the system, monitoring their status and diagnostics. The administrator must monitor, in particular, issues such as software installed on devices and their configuration. Here the solution for IoT should take into account the following features - scalability for use in the system of hundreds, thousands or more devices, installation of endpoints in remote uncontrolled places, ensuring the required level of availability and physical security.
If we talk about automation systems for individuals, the most important of the issues described above are ensuring access control to the system, secure communications between its elements, as well as resistance to attacks. At the same time, for financial reasons, one often has to compromise between the cost of equipment and the level of protection. Unfortunately, adequately assessing the risks, especially when it comes to life support systems at home, is very difficult in this case.
In addition, it is worth noting the desirability of using reliable communication channels and redundant communication lines, the flexible capabilities of the system when working offline, as well as ensuring confidentiality. Another issue, which, unfortunately, is rarely solved by manufacturers of mass equipment, is the monitoring of work, analysis and notification of emergency situations.
The confidentiality of personal data is often discussed today in applications to many areas, but perhaps it is in modern gadgets and wearable electronics that things are quite sad. In particular, the vast majority of fitness trackers work together with their own cloud services for storing and processing data, and users can only agree with all multi-page documents with the terms of use of the services if they want to use this device. Probably the only thing they can influence is to refuse to publish their achievements on social networks.
Despite the fact that the distribution of IoT solutions and products today can be considered widespread, one of the key issues - security in a broad sense - remains unresolved. Many large manufacturers are paying him a lot of attention today and I hope that the situation can change. In the meantime, we recommend that you take a closer look at the solutions and services provided and evaluate the capabilities of the products in relation to your own requirements.
However, there is one question that has occupied the minds of developers, manufacturers and end users of information technology products for more than a dozen years - security. Today, when the number of smart devices per user has grown significantly, it is becoming even more important. You can find a lot of information on this topic on the net, but as they say, “There is never much security,” and we hope that this material will be useful to our readers.
In fact, one can argue almost endlessly on this topic and cite many “scary stories”, from hacking wireless networks to getting remote access to the car control system. And at first glance it might seem that this does not threaten us because of the relatively low level of technology penetration. However, in practice this is not so, and relevant examples can be found almost everywhere. In particular, you can look at the alarm systems of apartments and houses with support for SMS-communication channels. Often installers do not even program passwords and control numbers of proxies, so it’s quite possible for anyone who knows the system model and phone number of the card installed in it to completely disarm the system. The second quite real example - listening to wireless switches or Bluetooth can determine the fact of your absence in the house. In this case, the violator does not need any specialized or very expensive equipment.
In the market of the Internet of things, wearable electronics and automation systems, the security situation today in the most optimistic version is rated as "everything is bad." In a technology race, developers, most likely encouraged by marketers, pay more attention to consumer performance and do not provide security requirements that are often very difficult to explain to the end user. At the same time, the development of new segments often leads to completely new threats. But perhaps the most unpleasant in this situation is that the implementation of protection technologies clearly contradict such popular characteristics as reducing the cost of end products and lowering the power consumption of stand-alone devices.
Another feature that negatively affects security in this segment is the need to ensure compatibility with certain legacy products. This is especially true for previously implemented automation systems of past generations. In particular, we can recall the famous KNX, whose capabilities to protect traffic in the physical network present on each device from the switch to the relay are very limited.
IoT Security Issues in the Business Segment
IoT today is found not only in the private sector, but also in many commercial areas, including transportation, automation systems, environmental monitoring and medicine. In each of them, consumers can face unique threats. For example, vehicle tracking can reveal the company's business strategies, and incorrect sensor readings can lead to accidents and damage to expensive equipment.
In general, a system diagram using IoT consists of end devices, optional gateways, a network, and data centers. If we assume that the existing infrastructure of servers and basic communications already implements all the necessary technologies, in particular for corporate networks and databases, then for IoT you need to think about a strategy for protecting endpoints, gateways and their communications.
Endpoints most often operate under limited resources, including computing power, memory, and power consumption. For them, it can be very difficult or even impossible to use technologies such as dedicated security chips, privilege control, memory protection, or virtualization. In addition, lack of resources can lead to poor resistance to denial of service attacks.
The issue is further complicated by the fact that more and more devices are based on their own rather complex microcontrollers and support remote firmware update. So there are tasks to ensure control of the correctness of the code working on devices. As one of the options, systems for providing a trusted execution environment based on hardware and software solutions are proposed here.
An additional layer offered by some companies in the form of local gateways in certain situations can help increase security. In this case, the end devices are not directly connected to the network, but communicate exclusively with the bridge, which simplifies the protection of their local communications. At the same time, the gateway, possessing significantly greater computing resources, is already able to implement traditional technologies for protecting communications when exchanging data with a computer center.
When it comes to secure communications, you should consider such an important factor as ease of use. It is highly desirable to ensure the establishment of connections without complicated manual configuration, but without compromising the level of protection, in accordance with security policies and under the control of an IT management system. To solve this problem, modern protocols for authentication and encryption of traffic can be proposed, however, they need adaptation to increase the efficiency of work on IoT platforms.
Note that in preparing the new version of iRidium software, these issues were given special attention. In particular, secure protocols are used to communicate panels and servers with each other. We will talk about this in more detail in the following publications.
In this case, the solution should correctly work out emergency situations, for example, loss of communication. Given the increasing spread of specialized algorithms and analytics, it is important here to ensure the correctness and consistency of the received data.
In addition to the two issues described above, there is one more, possibly no less important. It's about the product life cycle. Security technologies are needed at all stages - from development and creation, during operation to disposal.
For the business segment, the key here will be convenient and efficient tracking of all devices in the system, monitoring their status and diagnostics. The administrator must monitor, in particular, issues such as software installed on devices and their configuration. Here the solution for IoT should take into account the following features - scalability for use in the system of hundreds, thousands or more devices, installation of endpoints in remote uncontrolled places, ensuring the required level of availability and physical security.
Key threats in IoT for individuals
If we talk about automation systems for individuals, the most important of the issues described above are ensuring access control to the system, secure communications between its elements, as well as resistance to attacks. At the same time, for financial reasons, one often has to compromise between the cost of equipment and the level of protection. Unfortunately, adequately assessing the risks, especially when it comes to life support systems at home, is very difficult in this case.
In addition, it is worth noting the desirability of using reliable communication channels and redundant communication lines, the flexible capabilities of the system when working offline, as well as ensuring confidentiality. Another issue, which, unfortunately, is rarely solved by manufacturers of mass equipment, is the monitoring of work, analysis and notification of emergency situations.
The confidentiality of personal data is often discussed today in applications to many areas, but perhaps it is in modern gadgets and wearable electronics that things are quite sad. In particular, the vast majority of fitness trackers work together with their own cloud services for storing and processing data, and users can only agree with all multi-page documents with the terms of use of the services if they want to use this device. Probably the only thing they can influence is to refuse to publish their achievements on social networks.
Conclusion
Despite the fact that the distribution of IoT solutions and products today can be considered widespread, one of the key issues - security in a broad sense - remains unresolved. Many large manufacturers are paying him a lot of attention today and I hope that the situation can change. In the meantime, we recommend that you take a closer look at the solutions and services provided and evaluate the capabilities of the products in relation to your own requirements.