The fight to defend the Internet of Things

A primer on the Internet of Things security and how to protect it.

iot security ts

The Internet has entered a new chapter called the Internet of Things (IoT). It follows the fixed-Internet era characterized by connected PCs and laptops through the 1990s, and builds on the mobile-Internet era spearheaded by the proliferation of smartphones during the first two decades of this century. This new chapter has a new set of challenges and opportunities because it involves a broader diversity of devices — ranging from connected light bulbs, smart gas meters and smart speakers, to IP monitoring cameras, smart watches, drones, and robots. And while the connectivity and compute requirements of these IoT devices vary widely, they all have a common need: strong security.

Hackers are not only compromising servers, routers and PCs, but now they are exploiting vulnerabilities in other common devices like medical devices, baby monitors, webcams and cars. Nearly every online device can be a target, which leaves users and devices susceptible to spying, data theft, physical damage and participation on Internet infrastructure assaults.

One job of the IoT ecosystem, including technology, products, and service providers, is to protect millions (or even billions) of other people by introducing robust security capabilities into the wide variety of connected devices shipped everyday. A robot or IP camera might require advanced computer vision and data processing power, while a connected light bulb may only need basic connectivity and a simple microcontroller. But they all need to be protected. Security needs to be considered in every aspect of the IoT, whether that’s the device itself, the network, the cloud, the software, or the consumer.

Attacks are imminent. A study from AT&T, for instance, revealed a stunning 458 percent increase in vulnerability scans of IoT devices in the course of two years. Hackers usually exploit combinations of vulnerabilities to perform an attack. IoT security risks are varied, but for the most part they fall into these categories:

  • Code modification: When cybercriminals inject or modify code stored or running on the device.
  • Key compromise: When the secret key used to encrypt communications is stolen and is then used to read encrypted data.
  • Password-based vulnerabilities: When someone breaches a network or device connected to a specific network by guessing or stealing its password.
  • Man-in-the-middle: When a third entity steals the data being transmitted between two parties and/or devices, which can include sniffer attacks on unencrypted networks.

In the same way that attacks can be facilitated by a mix of vulnerabilities, a strong defense strategy requires a variety of security technologies designed to protect users and devices. These technologies, such as secure execution environment, secure boot, secure storage and crypto accelerators, are designed to safeguard the IoT across these dimensions:

  • Software integrity: Verifying that code is from an authentic source and has not been modified by an unauthorized party
  • Data protection: Protecting data stored on the device and data sent to the cloud from spying or tampering
  • Firmware upgrade and lifecycle management: Facilitating regular device firmware upgrades in a protected and tamperproof manner
  • Device-Cloud authentication and attestation: Ensuring that both cloud and device are who they say and are in a non-compromised state
  • User authentication, permissions, and roles: Establishing and enforcing strong login credentials, and separate permissions and roles per user

All defense technologies that address the requirements above need to be hardwired down to the silicon that powers IoT devices. Robust software is important, but virtually any software-only security approach can be circumvented.

A solid IoT security approach uses a combination of integrated hardware-based security features – all tightly integrated with the operating system, communication protocols, applications and the cloud, helping to deliver exciting new IoT products and services that also protect security and privacy.

What is evident is that the IoT has become an important part of our lives, and the fight to protect it is never-ending. The Internet of Things may never be 100 percent secure. But, we can be prepared through collaboration across stakeholders in hardware, software, network, and cloud to put the right technologies and measures in place.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2017 IDG Communications, Inc.