What even is security?
A big HELLO 👋🏻 from CroudThings and welcome to OUR THIRD ARTICLE!! This week we’re tackling the world of IoT and security. We’ll get to grips with what security means in IoT, what the big-hitting issues are and what might happen if we get it wrong.
The concept of security is generally one that’s overlooked by the majority of technology users, and is only ever really considered when you’re setting (or resetting — insert witty remark about Facebook logging you out after an eternity and not remembering your password) a password. While this strategy is acceptable (it’s definitely not recommended) for most purposes, when it comes to new and revolutionary technologies that deal with vast amounts of our private data, this laissez-faire approach just doesn’t cut it.
As is the nature of connected technology, it’s essentially impossible to make it completely secure and bulletproof. Generally speaking, as technologies age and more people use it, loopholes and weaknesses are ironed out making the technology even more secure (assuming the security updates are actually applied ). That said, for new technologies, the luxury of having a long track record of use isn’t available. For this reason, and the fact that connected systems will likely be running significant swathes of city infrastructure, running the risk of these systems being hacked is particularly unacceptable.
The Parts — Defining the Things
Generally speaking, security for IoT can be broken down into 3 distinct component categories, each with their own specific definition of ‘secure’. These categories are hardware, software and data. Let’s quickly define what security means for each:
Hardware: security in this context is focused mainly on the integrity of the hardware components that are being used within a connected device. If this seems like a slightly vague definition of security, take a look at this article published by Bloomberg that looks at the impact of small computer chips being secretly embedded within servers that were sold to some of the largest companies in the world.
Software: software security is concerned with the “hackability” of a particular system. As with all pieces of connected hardware, some amount of software is required to allow that device to connect and communicate with people or other devices. When you think of software security, literally think of those cringy hacking TV scenes:
Data: data security is probably the most challenging branch of security to isolate and explain. It crosses quite a few boundaries between privacy and software security, but the thinking can basically be boiled down to “how easily can my data be stolen and used”. Now before you jump down our throat at this point and say “HEY! That sounds like software security to me!!”, it’s important to remember that new technologies like blockchain (), aren’t redefining software security, but revolutionising how data can be handled, authenticated and so, ultimately secured.
The tangible, the ethereal, and the difficult
The tangible — Hardware
As IoT devices become more and more prevalent, the potential damage as a result of hardware-based threats only increases. Consider for a moment that the vast majority of electrical components used around the world are produced in China. Up until recently, you would be forgiven for being quietly optimistic and trusting that there was a clear distinction between China’s manufacturing industry and the state. However, in light of the findings from Supermicro (see Bloomberg article linked above), we would be foolish to continue assuming this to be the case.
That said, China simply has no competition when it comes to low-cost electrical components. As IoT manufacturers continue looking for the lowest cost, biggest bang-for-your-buck hardware, many will inevitably opt for components manufactured in China. Obviously, not all components coming out from China will be compromised, but the point is there won’t be an easy way of telling which ones have been. In two years with the rate of growth of IoT, it’s entirely possible that compromised IoT devices will be in use all over the world (or they might already be…)
The ethereal — Software
Hacking doesn’t have to be as sophisticated as embedding a tiny microchip onto a server motherboard, it can literally be as simple as someone walking up to a smart sensor/device and re-flashing its firmware. With this, the hacker potentially gains access to the device itself, the data it’s acquiring and the network it is connected to.
As is inherent in IoT technology (i.e. things connected with each other), one of the major security risks is network attacks. One of the most notable of which is called the Mirai botnet (Wikipedia). The Mirai botnet was (and still is) a malicious software (aka malware) that specifically attacked network devices running Linux Operating System (no. 1 most popular OS). Mirai has turned Linux devices across 164 countries into remote-controlled “bots” allowing these devices to be controlled for malicious and nefarious ends. Mirai and its variations are still affecting IoT devices across the world.
The difficult — Data
Data security represents a critical component of overall IoT security. To consider and design systems to keep data secure, we have to consider the entire device and system tree (i.e. from the sensor all the way to the computer network). It’s for this reason that one of the most important parts of getting data security right is largely down to the methodology that’s adopted in handling the data.
The classic examples include losing laptops containing both the encrypted data, as well as the ability to decrypt it. It’s for this reason that data security is an all-pervasive issue that has to be considered at every level. As unsexy as it might seem, data policies applied by companies and governments have as much effect on data security as the technologies we use to generate and communicate the data. Fortunately, data security is increasingly on the radar of governments and companies as shown by the recent wholesale implementation of the General Data Protection Regulation (GDPR #buzzword).
Locking down your home
Before we wrap up, this wouldn’t be an article on security if we didn’t mention home security. There is a vast range of IoT devices designed to make your house more convenient and secure. Amazon with its recent updates of its virtual assistant introduced a feature where the device would utilise its microphone array to detect sounds like broken glass, the sound of a smoke alarm and even the sound of your own security system alarm. addition to this, there are also new smart locks that do away with the need for physical keys and allow you to detect if and when a door is left open or unlocked. You can even share temporary access keys with friend and family so they can let themselves in if they need to. A quick google will land you fully in the ocean of products out there to make your home smarter and more secure.
Yup, that’s all we’ve got…
Over this article, we hope we’ve been able to demonstrate quite how important, and at times complicated, the world of IoT security is. We’ve only really been able to scratch the surface in this article, but if you keen to learn more, make sure you SUBSCRIBE to receive regular updates. In our upcoming article series “The Three Pillars” (yup, we’re still running with that name), we’re going to tackle some of these areas in a lot more detail — so stay tuned!
 This is a really important note. If you think back a few months, you’ll likely remember the National Health Service (NHS) in the UK suffering from a ransomware that was only able to exploit computers running Windows 7 called WannaCry. While Microsoft had issued security patches to prevent programs like WannaCry, the patches hadn’t been installed on many of the computers being used in hospitals and GPs across the country.
 In fact, unfortunately, the question of encryption is a little more complicated than even simply encrypting absolutely everything. Encryption requires computational power, and for IoT devices which generally operate on the limits of their hardware capabilities for efficiency, there often isn’t much computational power left over for encryption.