Internet of Things (IoT): The Security Challenges


Internet of Things (IoT) security is a paramount but commonly forgotten part of IoT development.

Internet of Things (IoT) security is an important, but commonly neglected, part of IoT development. Here we explore the issues in detail, along with some of the challenges involved.

The Internet of Things (IoT) is ubiquitous in many applications we use daily, such as home automation, smart cars, smartwatches, and smart buildings. 

A single vulnerability in one of these applications can have adverse consequences, including privacy infringement, financial loss, and even physical damage. 

Even so, many IoT developers, and even some IoT companies, underestimate the risks associated with building IoT objects without integrating security measures.

IoT Security: What are the risks?

Some may question what could go wrong if a hacker accesses a smart light bulb. It is just a light bulb, and not a big security issue. If the light bulb’s security measures are not properly implemented, however, hackers may gain access to your wireless network via the light bulb. 

Once hackers have gained access to the network, they can easily attack your other applications. In other words, the light bulb is not the primary target, but is used as a vector against your other applications.

Benefits and Downsides

There are benefits as well as downsides to connecting the objects around us to the Internet. To mitigate the drawbacks of IoT connectivity and, at the same time, increase its popularity, protection measures need to be integrated at the early stages of IoT development. However, implementing such countermeasures in IoT applications is not an easy task.

IoT has multiple security challenges (SCs) of its own that need to be considered.

SC1: Lack of secure development 

IoT developers in general focus primarily on the functional requirements of IoT systems. Security requirements are left as an afterthought, to be handled at the end of IoT development. This procedure has been inadequate. Instead, IoT applications should have security features integrated as part of the initial design.

SC2: Tight resource constraints 

The hardware capabilities (for example, computational power, storage, and battery life) of IoT objects may vary from one object to another. Traditional security measures such as the Advanced Encryption Standard (AES) can be implemented directly in IoT objects with strong hardware capabilities (such as cell phones and tablets). However, this is not the case for IoT objects that have very limited hardware, such as presence sensors and smoke detectors.

SC3: Designed for specific tasks 

IoT objects have been designed to accomplish several tasks by offering different functions and services in multiple environments. It is unrealistic to develop common security features or countermeasures for such heterogeneous objects.

SC4: Changes in security requirements 

The security requirements for an IoT object can change depending on the situation. For instance, a smart car may have several embedded sensors. Deciding which one of these sensors requires critical security depends entirely on the status of the car. If the car is moving, the most important one is an anti-lock braking sensor. If stationary, the most crucial is theft detection. 

SC5: Update mechanisms

The security requirements of IoT objects depend on their update methods. IoT objects that get updated remotely through a server need more protection measures – such as a secure channel – compared to objects that get updated via a USB cable. 
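As an added illustration of SC5 (not code from this article or its sources), the sketch below shows one protection measure a remotely updated object can apply on top of a secure channel: authenticating the update package itself and refusing older versions. The package layout, the `FWUP` magic, the per-device key and the function names are all hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample values: a per-device key provisioned at manufacture
# and the firmware version currently installed (both hypothetical).
DEVICE_KEY = bytes(range(32))
INSTALLED_VERSION = 7

HEADER = struct.Struct(">4sII")  # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size


def build_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Server side: prepend a header and append an HMAC-SHA256 tag."""
    header = HEADER.pack(b"FWUP", version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_update(key: bytes, installed: int, blob: bytes) -> bytes:
    """Device side: return the payload only if the package is authentic,
    well-formed and newer than the installed firmware."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("truncated package")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Check the tag first, in constant time, before trusting any header field.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    magic, version, length = HEADER.unpack_from(body)
    if magic != b"FWUP" or length != len(body) - HEADER.size:
        raise ValueError("malformed package")
    if version <= installed:
        raise ValueError("rollback rejected")
    return body[HEADER.size:]


if __name__ == "__main__":
    package = build_update(DEVICE_KEY, 8, b"new firmware image")
    print(verify_update(DEVICE_KEY, INSTALLED_VERSION, package))
```

A shared-key HMAC keeps the device-side cost low, which matters under the resource constraints of SC2; objects with more capable hardware would typically verify a public-key signature instead, so that a key extracted from one device cannot be used to forge updates.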

SC6: Objects’ mobility

IoT objects are either static (they stay in one place) or dynamic (they change physical position). A dynamic object needs more security measures than a static one for various reasons. By its nature, a dynamic object tends to connect to different objects operating in different environments as it moves. As a result, such objects must be equipped with several protection layers. For instance, end-to-end security, tamper-proof mechanisms, and side-channel analysis are used to establish a secure link with other objects during communication and firmware updates, and to prevent physical attacks and data leakage. In contrast, a static object tends to be always connected to trusted, already secured, objects.

SC7: Uncontrolled environments

When deployed in remote environments and left unattended (for example, multiple sensors deployed in a forest to record environmental changes), IoT objects are susceptible to physical attacks. This is because anyone can easily take these objects to a lab for further analysis to hack their security configurations.  

The next article will address the IoT security goals and also discuss possible attacks against IoT applications that are not properly addressed in the above security challenges.

 

Further Reading:

The Internet of (Risky) Things by 



Akram Mohammed

Holding M.S. and Ph.D. degrees in software engineering from KFUPM University (KSA), and Geneva University (Switzerland – 2019) respectively, my research interests include: Internet of Things (IoT), security and privacy by design for IoT, cyber security, use and misuse models, and more importantly security and privacy guidelines for IoT.

Besides my educational background and having published four papers in peer-reviewed journals as well as a book, I also have more than four years’ experience in teaching and more specifically in software engineering.

Having taught various courses (e.g., introduction to information systems, Geneva University), I enjoy sharing my strong organizational skills, education and teaching background, as well as my ability to work well with people, within dynamic and stimulating environments.
