Internet of Things (IoT) is the hot new phenomenon that is fast altering our lives and businesses with its seemingly unlimited possibilities and use cases. Improved utility, analytics, energy saving and plain simple comfort are just some of the benefits that IoT is introducing. But as I’ve mentioned time and time again, the security considerations and pitfalls of IoT need to be taken more seriously, lest this new uncharted territory, which is destined to expand to over 20 billion devices by 2020, spins out of control.
In a recent analysis, research firm Gartner has identified and introduced the key IoT technologies that will be prevalent in the next two years. This is important since it determines what manufacturers and consumers will be focused on, and thus we need to identify and understand the security implications.
Luckily, Gartner has mentioned IoT security as the most important trend, and it has emphasized both information attacks and physical tampering against connected devices. The latter is an important point, I believe, and it is often neglected, because we fail to recognize the peculiarities and differences that IoT introduces and tend to think about our connected devices in the same way we do about our computers and smartphones. However, IoT devices are for the most part unattended and without any physical protection, which leaves them open to physical attacks and tampering, as was the case with this IoT doorbell which could easily be manipulated to reveal WiFi keys. Information attacks need a new perspective as well, because the connection model of IoT devices is different from that of generic computing devices, and their always-connected and long-running session model makes them prone to many different types of attacks, including network replay attacks.
The report also mentions the scarcity of IoT security specialists and the fact that current security solutions are fragmented and involve many vendors, and predicts that this will be a source of security issues in the field. This reminds me of research carried out by security firm SEC Consult, in which it was found that a large number of IoT manufacturers are using third-party code and packages that have serious security flaws such as the use of shared private keys (what’s so private about a key when it becomes shared between thousands and millions of devices?).
There are other points in the report that are worth considering from a security perspective. For instance, it mentions the rise of IoT analytics and how devices and manufacturers will collect more and more data to understand consumer behavior and usage, deliver better customer service and improve products. This calls for both security and privacy vigilance. The data being collected and sent to the cloud from IoT devices can give away many things, such as our living habits or the times we’re at home. Both the data exchange and its storage in the cloud need to be protected, and a set of rules and laws needs to be defined as to how vendors use IoT data and share it with different parties. LGS Innovations has an excellent study on IoT security and privacy and a DIY method to protect communications.
The Gartner report also mentions device management as an important issue, especially as IoT devices are propagating at a very fast pace and each firm, office or individual might be dealing with tens, hundreds or even thousands of devices. Managing the security settings, credentials and updates of each of these devices individually will become an impossible task, which will lead to negligence on the part of the user and leave devices open to attacks. We’re going to need holistic approaches to protecting large IoT ecosystems. One example is this new breed of smart network security devices, which I’ve written about a while back.
Another point raised in Gartner’s analysis is IoT processor and operating system considerations. Many devices will be featuring low-end, 8-bit processors and minimal embedded operating systems, and will lack the computing power and storage capacity to run traditional and large-scale security solutions such as strong antivirus software that has huge malware definition databases, or computationally expensive security protocols. This design decision is often made from an energy consumption and cost efficiency perspective, without thinking about the security implications. Therefore, we need scalable IoT security solutions to deal with the wide range of differences in hardware and software infrastructure across devices.
Gartner also forecasts the development of APIs in order to deal with the interconnectivity and M2M communication needs of IoT devices. This too needs to be scrutinized from a security perspective. We’ve seen cases of devices having APIs that accept commands without authenticating the requestor. This again stems from the fact that many IoT developers are not properly trained in the basics of secure coding. API-based programming is itself a good security practice because it prevents endpoints from directly accessing each other’s underlying data, but when done wrong, it can turn into a security nightmare.
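To make the API point concrete, here is an added sketch (not from the Gartner report or from any vendor's code) of a device-side check that rejects commands from unauthenticated senders and also rejects replayed frames, the network replay risk mentioned earlier. The frame layout (8-byte counter, command, HMAC-SHA256 tag), the class and function names and the sample key are all assumptions made for illustration; the key is meant to be unique per device, not shared across a fleet.

```python
import hashlib
import hmac
import struct


class CommandVerifier:
    """Device-side check: authenticate the sender and reject replayed frames."""

    TAG_LEN = 32  # HMAC-SHA256 output size in bytes

    def __init__(self, device_key: bytes):
        self._key = device_key   # assumed unique per device, never fleet-wide
        self._last_counter = 0   # highest counter accepted so far

    def verify(self, frame: bytes):
        """Return the command bytes if the frame is authentic and fresh, else None."""
        if len(frame) < 8 + self.TAG_LEN:
            return None
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None          # unauthenticated or tampered request
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            return None          # replayed or stale frame
        self._last_counter = counter
        return body[8:]


def sign_command(device_key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: frame = 8-byte big-endian counter || command || tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed sample key
    device = CommandVerifier(key)
    frame = sign_command(key, 1, b"unlock")
    return {
        "first": device.verify(frame),
        "replay": device.verify(frame),  # same bytes captured and resent
        "unsigned": device.verify(struct.pack(">Q", 2) + b"unlock" + bytes(32)),
        "wrong_key": device.verify(sign_command(b"k" * 32, 3, b"unlock")),
        "next": device.verify(sign_command(key, 2, b"lock")),
    }


if __name__ == "__main__":
    print(demo())
```

On a real device the last accepted counter has to survive reboots, otherwise frames captured earlier become acceptable again after a restart. A keyed hash like this is cheap enough for the low-end processors discussed above.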
The Gartner report is a good study from many perspectives, including IoT security. I’ve laid out my own take here, and I think these are all facts that need to be taken seriously. I know a lot more can be said. For instance, I haven’t mentioned the security implications of the low-power, short range and wide area networks, which I think are worth studying. I would be grateful to have your comments and extra notes and considerations in this regard.