The Internet of Things (IoT) security is an important, but commonly neglected, part of its development. Here we explore the issues in detail and some of the challenges involved.
The Internet of Things (IoT) is ubiquitous in many applications we use daily, such as home automation, smart cars, smartwatches, and smart buildings.
A single vulnerability in one of these applications can have adverse consequences, including privacy infringement, financial loss, and even physical damage.
Many IoT developers, and even some IoT companies, underestimate though the risks associated with building IoT objects without integrating security measures.
IoT Security: What are the risks?
Some may question what could go wrong if a hacker accesses a smart light bulb. It is just a light bulb, and not a big security issue. If the light bulb’s security measures are not properly implemented, however, hackers may gain access to your wireless network via the light bulb.
Once hackers have gained access to the network, they can easily attack your other applications. In other words, the light bulb is not the primary target, but is used as a vector against your other applications.
Benefits and Downsides
There are benefits as well as downsides of connecting objects around us to the Internet. To mitigate the drawbacks of IoT connectivity and at the same time to increase its popularity, protection measures need to be integrated at the early stages of IoT development. However, implementing such countermeasures into IoT applications is not an easy task.
IoT has its own multiple security challenges (SCs) that need to be considered.
SC1: Lack of secure development
IoT developers in general focus primarily on the functional requirements of IoT systems. Security requirements were left as an after-thought to be handled at the end of IoT development. This procedure has been inadequate. By contrast, IoT applications should have security features integrated as part of the initial design.
SC2: Tight resource constraints
The hardware capabilities (for example, computational power, storage, and battery life) for IoT objects may vary from one object to another. Traditional security measures such as Advanced Encryption Standards (AES) can be directly implemented into some IoT objects with strong hardware capabilities (such as cell phones and tablets). However, this is not the case for some IoT objects that have very limited hardware, such as presence sensors and smoke detectors.
SC3: Designed for specific tasks
IoT objects have been designed to accomplish several tasks by offering different functions and services in multiple environments. It is unrealistic to develop common security features or countermeasures for such heterogeneous objects.
SC4: Changes in security requirements
The security requirements for an IoT object can change depending on the situation. For instance, a smart car may have several embedded sensors. Deciding which one of these sensors requires critical security depends entirely on the status of the car. If the car is moving, the most important one is an anti-lock braking sensor. If stationary, the most crucial is theft detection.
SC5: Update mechanisms
The security requirements of IoT objects depend on their update methods. IoT objects that get updated remotely through a server need more protection measures – such as a secure channel – compared to objects that get updated via a USB cable.
SC6: Objects’ mobility
IoT objects are either static (stays in one place) or dynamic (changes physical position). A dynamic object needs more security measures than a static one for various reasons. The dynamic object due to its nature tends to be connected to different objects operating in different environments as it moves. As a result, these objects must be equipped with several protection layers. For instance, end-to-end security, tamper-proof mechanisms, and side-channel analysis are used to establish a secure link with other objects during its communication as well as firmware updates to prevent physical attacks and data leakage. In contrast, a static object tends to be always connected to trusted, already secured, objects.
SC7: Uncontrolled environments
When deployed in remote environments and left unattended (for example, multiple sensors deployed in a forest to record environmental changes), IoT objects are susceptible to physical attacks. This is because anyone can easily take these objects to a lab for further analysis to hack their security configurations.
The next article will address the IoT security goals and also discuss possible attacks against IoT applications that are not properly addressed in the above security challenges.
Hezam, A.A.; Konstantas, D.; Nijdam, N. A Novel Methodology for Securing IoT Objects Based on their Security Level Certificates. Preprints 2020, 2020040362 (doi: 10.20944/preprints202004.0362.v1).
Abdul-Ghani, H.A.; Konstantas, D. A Comprehensive Study of Security and Privacy Guidelines, Threats, and Countermeasures: An IoT Perspective. J. Sens. Actuator Netw. 2019, 8, 22.
Abdulghani, H.A.; Nijdam, N.A.; Collen, A.; Konstantas, D. A Study on Security and Privacy Guidelines, Countermeasures, Threats: IoT Data at Rest Perspective. Symmetry 2019, 11, 774.
Hezam Akram Abdul-Ghani, Dimitri Konstantas and Mohammed Mahyoub, “A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model” International Journal of Advanced Computer Science and Applications(ijacsa), 9(3), 2018. http://dx.doi.org/10.14569/IJACSA.2018.090349