No one will argue that IoT security is a serious issue. There are currently several initiatives that are focused on addressing the many privacy and security problems the IoT industry is introducing. However, the hardware, software and environmental diversities in IoT are so enormous that employing the same security solutions we’ve been using on computers and mobile devices is simply not feasible and will not address the multitude of problems we’re facing. Here are some of the challenges we must overcome if we wish to achieve a holistic approach to IoT security.
Low processing power and storage
A wide range of IoT devices, such as smart sensors and light bulbs, are fitted with very small processing and storage units, and they don’t even have proper operating systems. This effectively makes them incapable of installing and running anti-malware applications and resource-demanding security protocols such as SSL and TLS. They will rely on legacy security solutions and unencrypted exchanges, and we all know the implications of having connected devices that have no means to protect their communication and data.
Long running sessions
Most current security solutions are tailored to protect communication channels by encrypting the data flow using a shared encryption key, which is negotiated between communicating parties at the beginning of the session and remains valid for the entire duration of the session. This is a practical model for short running sessions, but can become problematic when sessions span over days, weeks and months at a time, which is the case with IoT devices. As has been proven time and again, even if hackers can’t crack the key to a secure communication line, they can learn a lot by simply wiretapping the line and listening long enough. With some patience and ingenuity, they can discern communication patterns and initiate what we call “repeat attacks,” in which a malicious party repeats a set of encrypted packets that have been previously exchanged between the communicating parties (by only having a general knowledge of what they contain) in order to disrupt communications or to achieve some other nefarious goal.
Current security solutions are mainly focused on protection against remote attackers and are predicated on the fact that devices are not physically accessible by the attackers. This is mostly true for desktop computers and servers that are usually kept in buildings, or mobile devices that seldom leave their owner’s pockets. But such is not the case for IoT devices which are usually scattered in and outside of smart-homes and -offices, or are out in the open in smart-cities and industrial settings. In most cases, intruders can easily gain physical access to these devices, crack open their shell, reflash the device with their own firmware or retrieve data that is stored on the device.
Keeping track and managing the security of a desktop PC and a mobile device is not a difficult task. Add a tablet and a laptop, and most people are still able to manage. But when your home is packed with dozens and scores of internet-connected devices, many of which are functioning without your interference and assistance, administration becomes an issue and you’re likely to forget about at least some of your devices. I don’t need to reiterate that unattended devices are the favorite targets of hackers and malicious actors. Without a centralized solution to administer and control IoT ecosystems, the propagation of connected devices will cause a serious security problem.
In most communications, the value lies in the data that is being exchanged, thus adding a layer of encryption will take care of most privacy issues. But in IoT, the real value lies in the patterns of communication and the metadata that is never encrypted, including the timing and frequency of data exchange. For instance, by simply eavesdropping on the data traffic that is going in and out of your smart home, a thief can remotely figure out your living patterns and the times your house may be vacant, and subsequently plan to rob your house without having to come close to your home. Therefore, unless you’re able to cloak and spoof your data traffic, encryption per se will not offer you full protection, and you’ll still be giving away plenty of crucial information to malicious actors that might be spying on you.
The point is that IoT is in many ways different from what we’re used to in terms of internet connected devices. Therefore we need a new perspective, and we need to redefine and scale security solutions to comply with the needs of the IoT industry. There are already many innovations and products that are dealing with these issues, and I’ll be writing about them in my future articles.
If you have anything to add or any suggestions on what else needs to be addressed in IoT security, please leave a note.