The Internet is evolving into what it once was: a special means of communication between things. The informatization of society is developing rapidly and IoT security should become the first priority for both individuals and companies.
What is the Internet of Things?
In 1990, John Romkey created the world's first Internet thing. He plugged in his toaster. Since then, a universally accepted definition of IoT has not yet been developed. In a broad sense, the Internet of Things is seen as the ability of objects and people to remotely interact via the Internet anywhere and anytime, due to the convergence of various technologies. At the same time, the development of IoT, as a concept of the evolution of humankind, can have technological and social consequences. Things in the world of the IoT are now on par with people. And every year the number of things is growing.
IoT technologies are most developed in financial services, economics, commerce, medicine, energy, natural resources management, and agriculture. A lot of different types of smart home automation solutions have been implemented, too.
IoT in real life is:
- A smart home that can recognize voice commands or identify people who are going to get inside
- A car that you can start through the application or remotely receive data on its condition
- A bowl for dogs with a Wi-Fi module, which gives the dog tasks and rewards it with food for correct answers
- A solar-powered trash can, which seals garbage by itself and signals the janitors when it is full
- Smart sensors and water meters in the infrastructure of São Paulo and Beijing, which reduced costs by 50%
- Automatic systems for collecting fines and alerts about accidents and traffic jams
How IoT Devices Are Managed
An automatic irrigation system is an ideal example. It works according to a schedule, checks whether watering is actually performed (a water flow sensor is used), stores information about the system’s operation in a cloud, sends text messages to a consumer and provides access to schedule management. The last action is carried out through the application on a smartphone.
It’s hard to imagine what damage “hacking” a lawn sprinkler could do, but what about a nuclear reactor? Or your favorite coffee machine, which you control from your smartphone on the way from the bathroom to the kitchen? It’s hardly worth imagining the naive plot of a retro techno-horror with a revolt of toasters: spoiling your breakfast is unlikely to be an attacker's goal. A much greater danger is the transformation of everyday household appliances into a source of DDoS attacks with very real and devastating consequences, such as blocking Internet resources and stealing information.
Attackers can gain access to the least suspicious things (viruses only live on computers, right?) and then gather an army of bots from them, ready at any time to take down, for example, Amazon. To organize a successful DDoS attack, a hacker needs to quickly assemble a botnet.
The requirements are minimal: the equipment should have installed software, ideally with a zero-day vulnerability, and Internet access. This matches the profile of kitchen appliances connected to the Internet of Things.
In addition, today most IoT household appliances are available for control from smartphones or tablets, and therefore any device can potentially become a mobile security threat when hacked.
The Internet of Things belongs to the class of information systems in which a significant part of the construction should be accompanied by the use of information protection tools. Malicious attacks, for example “man in the middle” (MitM), can often lead to catastrophic consequences.
What is IoT Security?
Thanks to modern capabilities for identification, collection, processing and transfer of data, IoT ensures the most efficient use of things to provide services for all types of applications, while also fulfilling security requirements. IoT devices should meet various privacy regulations. At the device level, the general tasks of information security come down to ensuring reliable device identification, as well as correct authentication, authorization and administration of objects. Managing network connections requires access control and guaranteed message delivery. As for authentication, it is critical to protect the server-device channel from MitM-class attacks. It is necessary to ensure the confidentiality of data and protect the integrity and confidentiality of signaling data, as well as the confidentiality, availability and integrity of the IoT system data itself during transmission.
At the level of support for services and applications, packets are encapsulated during transmission; therefore, identification and authentication services should be supported, as well as encryption and integrity protection functions. Since the main attack vectors can be directed to the application level, the approach should be comprehensive and aimed at ensuring security.
Why Do You Need IoT Security
Each participant in IoT networks interacts with others, which leads to security threats, starting with hacker attacks and ending with the banal human factor. Incidents with IoT devices are among the top three threats, with the greatest potential financial damage to companies. Unfortunately, government agencies are also at risk.
Imagine the awkwardness of the situation when you need to pay a ransom for ... the door. In February 2017, the Romantik Seehotel Jäger suffered a hacker attack in which attackers broke into a computer network and gained full access to and control over how the door sensors responded to guests' electronic key cards. To restore the hotel’s business process, they demanded a ransom in bitcoins. At that time, the amount was equivalent to $1,603.
The stories about smart thing riots are fantastic, but for some reason they sounded very familiar when vacuum cleaners turned into spy cameras, LG refrigerators sent spam, and hacked routers made it possible to manipulate search results to promote certain goods.
What next? The development of technology gives attackers the opportunity for more sophisticated actions with more unpredictable results. The arrival of the 5G standard may go hand in hand with this. The standard provides faster connections and high-speed data transfer from one device to another, and from devices to their owner and back. On the one hand, the acceleration and expansion of the channel will make the Internet of Things more useful and multifunctional. On the other hand, each hacked device will become not just a pawn of cybercriminals, but will also bring all of its resources on board. This also means that, when building a botnet, the quality of bots (or hacked devices) will matter more than their number.
Considering that, along with the transition to 5G, more things will be connected to the Internet, with more internal resources available for hackers to use, it is worth paying attention to the 5G security issues of IoT.
We investigated a sufficient number of IoT systems, and in each of them, we met the same thing. These systems are often assembled from the simplest and cheapest hardware and software. At the same time, several vendors produce OEM components, which then participate in the assembly process. So, first, one company sells a particular set of software and hardware to another. This company, in turn, modifies, adds some functionality and resells further, and this can happen several times.
Also, most IoT solutions we have seen and tested are like Frankenstein's monster. Many are low-cost, long-life devices, and this puts pressure on manufacturers, meaning the solutions are built from pieces of third-party software and hardware.
This inevitably means a loss of overall control and continuity of the design.
You are also potentially baking in deep-seated vulnerabilities that are difficult to resolve.
Even the world's most reputable companies have problems, as we have seen with Intel’s chips, and if a problem is discovered on other devices using the same third-party resource, the breach could easily be replicated elsewhere.
IoT devices also run on mobile networks, and while the security provided by eSIM and eUICC is really good, there are still issues at the network borders on SS7, Diameter and GTP. We see them all the time during network assessment testing and via our monitoring solutions, and we write them up in endless whitepapers, which I should say are all very informative and available for free from our website! All the threats that we have highlighted against subscribers in previous presentations are replicated on SIM-enabled IoT devices.
IoT Security Management
It is obvious that IoT security could become a headache. You might need to secure devices and a growing network. Operators also take on more responsibilities, providing more functions for reasons of profit growth.
But just as in software development, the sooner you start on security, the cheaper it is. Our Wi-Fi router client proved this: they did the testing before going to market, and the effort paid off.
It is always more economically appropriate to identify a bug at the testing stage than when the user is already applying the product and encounters a flaw.
Unfortunately, what we see is that a lot of vulnerabilities in IoT solutions are found after the product has already hit the market. Allowing these situations is dangerous and probably irresponsible, and fixing them is quite expensive. We should look to change that.
So to sum up: deploying a secure IoT solution is a hard task. The number of vulnerabilities is huge, starting with software and ending with infrastructure. Sometimes it is impossible to solve all issues because of time or cost. Moreover, the threats are business critical.
So, to secure IoT you need to know its DNA:
- What’s inside?
- What networks?
- What information?
Without knowledge of this DNA, it is not possible to build real security for an IoT system.
Operators have to test and certify IoT security to ensure the integrity of the network, and to do that they need to look at all these different protocols, elements, ecosystems and devices, as security is only as good as its weakest point.
Achieving that would take a massive investment in security, including for the largest multinational mobile operators.
So we see mobile operators having to build partnerships with one or multiple security companies because IoT will be far more fluid than we have seen in telecom networks before. This change will probably have to be structured as ongoing strategic partnerships between the security companies and operators.
We already observe a change of thinking in security, though not in IoT, with the recent trend of IPX providing security services and monitoring for SS7, Diameter and GTP.
Perhaps security assessment in IoT will be replaced by monitoring and by the use of limited versions of IoT PoC.
So to sum up: multi-discipline security expertise is essential. It requires a large operator security team or a partnership with multiple security suppliers. The working scheme includes risk analysis, threat analysis and security assessment. Also, security is an ongoing long-term process.