Witekio: Identifying the security issues in connected devices, and how to address them

December 07, 2016 // By Witekio

Identifying the security issues in connected devices, and how to address them

 

Contents:

Introduction

Part 1 — Protecting the Communications

Part 2 — Protecting the Resources

Part 3 — Protecting the System

Conclusion

 

 

The Internet is evolving. With every device that comes online its reach increases, and as those devices — or ’things’ — become more interconnected the Internet expands in not only reach but capability. This is really what the Internet of Things is all about.

With over 25 years of experience, the Internet’s backbone, the IT industry, is well practiced in identifying security risks and implementing effective protection. The same isn’t true of the IoT. Potential and actual security problems related to the IoT are increasing; identifying them isn’t the problem. Effective protection against security threats is, and compounding that problem is the fact that many (if not the majority) of OEMs developing connected products won’t have decades of IT-based security experience to draw from.

Indeed, even the IT industry would find it difficult to implement existing protection in IoT nodes, most of which will be highly embedded and possibly resource-limited devices that may bear little or no resemblance to devices found within an IT infrastructure. Could a connected car be equipped with the same level of protection as a cloud-based server?

Some believe that the sheer volume of connected devices expected to be deployed over the next five years will provide a level of protection against attack — there will simply be too many to target. But, given that many of the ‘things’ in question will be manufactured in very high numbers, and that the wireless footprint of a Wi-Fi connected lightbulb looks exactly the same as, say, a Wi-Fi connected server, then it’s clear that OEMs can’t really afford to be complacent about security.

Of course, the risk is still related to the potential value to the criminal element. In the case of a connected car the potential gain is obvious, but given that even a connected lightbulb could provide access to a home network or cloud services that may hold sensitive personal or financial information, is there really an acceptable level of risk in the IoT?

 

 

Part 1 — Protecting the Communications

 

In this section:

  • The challenge for embedded devices
  • The Man in the Middle
  • Common protocols and how to secure them

 

 

The challenge for embedded devices

Although the IT industry has over two decades of experience in combating malicious and unintended attacks on the Internet’s infrastructure, peripherals and access points, the IoT represents a much greater challenge.

At the enterprise level, where a person is normally present, the use of black/white lists, two-factor authentication (2FA) or password protection are commonplace. In the IoT, where many of the devices will be small and probably headless, these security techniques are hard to implement.

 

The use of multiple levels of protection is common within the IT world; firewalls, authentication, encryption, intrusion detection and security protocols are all used at the enterprise level to provide protection. The important point here is

The Internet is evolving. With every device that comes online its reach increases, and as those devices — or ’things’ — become more interconnected the Internet expands in not only reach but capability. This is really what the Internet of Things is all about.
Company: 
embedded, IOT, IIOT, security