We live in the age of the Internet of Things, so every aspect of our life is somehow related to connected devices which makes up the interconnected environment that opens a world of new possibilities. Today we have more than 8 billion IoT gadgets in use, but according to some estimations by 2020 this number will exceed 40 billion units.Companies get a better understanding of employees and customers, improved asset management, reduction of operating expenses, as well as equipment failure predictions. Customers receive control and real-time monitoring of household devices and their energy consumption like they never imagined before.
The importance of IoT security
With this dynamic growth and not enough awareness of potential security problems, IoT became a target for cybercriminals.Today every device could be in danger – your Smart TV could turn on a camera anytime, helping thieves to determine whether you are at home, while Smart Fridge will is breaking in into your Facebook account.According to security experts, more than 90% IoT devices are targets of remote attacks. Disabling toy cars or compromising entertainment systems, locking doors and even turning off monitors in the inter-connected vehicles, are just a few examples of consequences.
2013 was the year when an enterprise security company from California detected the first big IoT cyber attack, with 100,000 smart household appliances involved, generating more than 750,000 spam emails. Misconfiguration and use of default passwords led to this attack through a Botnet – a number of Internet-connected gadgets, usually consisting of thousands of devices, where each can do a task, like sending a few emails. The next serious incident occurred in 2015 when families across Western Europe and the USA suffered from hacker attacks on baby monitors. The criminals were able to see live streams and change the settings on monitors to authorize other users to watch. The manufacturers reacted instantly with a firmware update and recommended users to get updates regularly. Just a few years ago the biggest websites – Verge, Twitter, and GitHub were brought down due to DDoS attack from Mirai botnet. Cameras, DVR players, Wi-Fi routers and other devices running vulnerable firmware were used to attack Dyn servers. It was easily the biggest ever incident of this kind, made possible by compromising IoT devices.
Events like these made the change in the state of IoT security – which is no longer ignored! Now the security firms, manufacturers, and even the federal government are all joining forces to prevent global disasters caused by connected networks. After Fiat lost 1.4 million U.S. to recall their vehicles for a security update, the whole industry seems to take action – Gemalto will offer Secure Element (SE) technology to companies in utility and automotive industries, Microsoft is planning to empower Windows 10 IoT with BitLocker encryption and Secure Boot technology. Top tech firms, including Vodafone,had raised awareness of this problem by founding Internet of Things Security Foundation, a non-profit organization aimed at checking connected devices for flaws and vulnerabilities, offering security assistance for providers and users. But the more IoT market grows, the more IoT privacy and security challenges become a real threat to global cybersecurity.
Main components of IoT security:
IoT network security
Complex protection of a network that connects devices to cloud-based back-end systems. It includes such elements as firewalls, intrusion prevention, detection systems, antivirus, and many others.
The ability for users to authenticate a device, including managing different users of a single device. It spans from basic passwords to much more complicated digital certificates and biometrics. In most cases, authentication is between machines, so no human input is required.
The prevention of data’s integrity to eliminate any leaks in the IoT ecosystem by encrypting information – at this moment it’s hard to have standards in this area, due to a large number of vendors and devices, in addition to that, the encryption must have effective key management to match.
IoT API security
The ability to authorize and authenticate information transition among devices, back-end systems, and apps with the help of REST-based APIs. The protection of API’s is crucial for data movement between edge devices and back-end systems, as well as for the elimination of potential threats.
IoT Public Key Infrastructure
Checking not only devices of IoT network but also data itself and authentication between apps and devices. An example of this is the X.509 digital certificate standard. Although some devices still lack the possibility to use PKI, certificates could be installed into devices after production.
IoT security analytics
The provision of advanced feedback on security issues leveraging ML and Big Data – while this is still nascent, it has the potential to provide IoT-specific attacks protection and anomaly detection to be far more superior to traditional solutions.
The most common security mistakes by IoT vendors
Some IoT device manufacturers still don’t consider security as a priority, just because it’s hard to interact with the devices from a long distance and without knowing the location. But as was mentioned above, it’s very important to take care of security as much as we can, so when you choose hardware partner for your IoT gadgets, be aware of these common mistakes:
- Gadget manufacturer does not allow users to generate custom passwords by making them unchangeable in the device firmware.
- Default passwords that are set by the hardware manufacturer are easy to hack.
- Management consoles of back-end devices can’t handle sensor data encryption at the volume they are expected to.
- Too complicated and unclear firmware updates, according to some statistics only 31% of consumers have the latest version because of the complexity.
Building your IoT solution: here are some things you should do to prevent security issues:
- Find a custom software development company that will become your trusted partner. This company should have hands-on experience in IoT, to be able to give you examples of how they dealt with security issues in the past, and what they are doing to improve their work.
- Set an appropriate budget for researches and have a “time and materials” contract.
- Use devices with high processing power only from proven hardware companies.
- Have different use cases for your product, with potential security problems covered in all of them.
- Get a dedicated security expert in your team from the very beginning who will work closely with the project manager to create IoT product roadmap and prevent possible security problems.
- Make sure that your customers are aware of and fully understand your privacy policies – you can’t stress enough on the importance of regular firmware updates.
How do we know it?
Working on our own IoT projects, we use the expertise, knowledge, and experience of our specialists to preserve the highest level of privacy and security for our clients. All devices and systems in our IoT solutions include cryptographic encryption algorithms (AES128, AES256), signatures and data integrity checks (HMAC), which provide secure data transfer even through public networks. Adhering to modern security standards ISO 27001, ISO 27008, Regulation (EU) 2016/679 we use active and passive monitoring and auditing of the developed systems to prevent, detect and eliminate any security problems as they occur. If you are interested in starting your own project and have any security concerns or questions, feel free to contact us.