A beginner’s guide to securing the Internet of Things
by Akhil Joshi, Raamesh Gowri Raghavan and Sukant Khurana
“If one thing can prevent the Internet of things from transforming the way we live and work, it will be a breakdown in security.” This is one of the first pieces of information that appears when we search for internet of things. We are surrounded by new smart devices which ease our day-to- day work, but they
also create new security issues.
In the year 1960, the concept of the internet came out as ARPANET, a web of linked computers at the US Department of Defense. In 1990, it was first used for commercial purposes and in the next year, it was used publicly as the “World Wide Web”. Now we are trying to make many devices ‘smart’ (i.e. embedded with a microchip and electronics that allow them to do computational functions) and connect them through the internet, which can make a great impact on sectors such as transportation, medicine and healthcare, energy, manufacturing, environment monitoring, industries, home and building automation, etc. Such smart, internet-enabled devices allow us to control them remotely, and use operational data to make them more efficient. But connecting them to the internet leaves them vulnerable to hacking.
Examples of security challenges to IOT
In October 2015, a massive botnet hacked several IoT devices. A hacker, known only as Anna_Senpai, released the source code of this malware called Mirai. This malware would continuously scan the Internet for IoT systems protected by factory default or hard-coded usernames and passwords (often easy to crack), before taking control of their operating systems. A part of these compromised devices’ composing power is then used for DDoS (Distributed Denial of Service) attacks of the kind that intermittently knocked some websites offline like Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, and Twitter etc. The malware was responsible for economic damage of 110 million dollars. This incidence highlights the need for security in IoT. Cardiac Devices manufactured by St. Jude and Owlet WIFI Baby Heart Monitor have been
discussed by many for similar concerns. Similar concerns have been raised with IoT devices in smart homes, which can be used to alter thermostats and other instruments. Hacking of CCTV cameras has also been raised as a potential threat to perform illegal surveillance and monitoring. People have also raised issues of the security of whole smart cities. India is planning on building smart cities, with smart grids that will control everything from electricity to water supply and drainage to telephone networks, which if not properly secured can also be misused. Not to mention messing with traffic lights!
Okay, we know we have scared you sufficiently with the dangers of IoT misuse but entertain this line of thought a bit further. If you have seen “Fast and Furious” or “Dhoom”, you can imagine how a hacker can get into a car’s engine and braking system. We hope that at least one of the examples succeeded in striking fear into your heart. We also hope that this fear was not enough to give up on the immense promise of IoT but just to be aware of the
possible dangers that we must overcome.
The nature of security challenges of IoT and how to fix them
So, what are the security challenges for IoT devices? Hacking, manifesting in the manipulation of instruments is the number one concern. As the
number of device connections increase, it proportionally increases the security risk in the Internet of Things. Privacy and data-sharing in addition to manipulation through hacking is also a security concern for IoT. The major challenge for IoT tech companies is to figure out how the communication in the internet of things realm can be made truly secure. The large volume of
data, due to large number of IoT devices, opens itself to vulnerabilities. By 2020, it is expected that thousands of zetabytes of data would be generated because of IoT. As more users are connected to IoT devices, more and more information has to be stored in the cloud.
Device tampering and counterfeiting can also be an important issue for IoT
manufacturers. Since IoT devices are small devices integrated into other systems, such as cars, light switches, TVs, and ovens etc, some of these devices spend time unattended in not-so- secure warehouses, adding another possible route of introducing problems.
To deal with the problem, the first and furthermost step is to deal with the hardware and software part of IoT devices. Companies are already working on it by introducing chip security in the form of trusted platform modules and ever-improving operating systems. We suspect that one day soon, in-built machine learning in these devices would prevent hacking and not just be used to control them. Right now the same copy and paste codes that are written for encryption can act as Achille’s heels. Ideally in the contemporary system, a developer must write original code but the repeat use of modules to cut corners is increasing vulnerabilities. At present most organizations prioritize fixing bugs rather than reducing vulnerabilities. This would require a cultural shift in companies for IoT to be safer. The ad-hocist temptation to release a product with its vulnerability intact, with the intention to patch the vulnerability in the next version runs high in industry, but it is extremely dangerous in the long-run. We also feel that threat modeling (i.e. planning every scenario beforehand) offers great value if incorporated into the design phase. When devices are in developing phase, the manufacturers or designers have great flexibility (and responsibility) to make changes and eliminate threats.We strongly feel that strong self-regulation from the industry will make IoT safer than relying only on governmental regulation. Adding warehouse and supply chain security of small IoT devices should also be on
industry’s radar. These can be dealt with easily through both technological as well as behavioural solutions already available in logistics best practices.
Another aspect is improving the networking or communication layer, where machine to machine communication (M2M) takes place between the IoT devices. To protect and secure the network connecting different IoT devices is challenging because there is a wider range of communication, standards, and device capabilities. To deal with it, firewalls and intrusion prevention systems are designed to examine specific traffic flows terminating at the device and are used to detect unwanted intrusions in the network and prevent malicious activities over the communication layer. The API security is also essential for protecting the integrity of the data that are transferred between the edge devices and to the back-end systems, to ensure that only authorized
devices and apps communicate with the APIs, as well as detecting potential threats and attacks against specific APIs. Segmentation of the network is another good method to improve security. An IoT device that needs to be directly accessible over the internet, should have segmented network and have its network access restricted. The network layers can then be monitored to identify potential anomalous traffic.
Authentication and encryption also play a significant role in the case of security of IoT devices. IoT endpoints require human interaction using a fingerprint, iris scan or password authentication. Some need identifiers such as radio-frequency identification (RFID), the address of the endpoint and more. Digital certificates are required which provide a reliable solution without weakening the practical operation. In this case public awareness about not leaving IOT devices without exit authentication (e.g. an explicit logout) is much needed. Cloud platforms enable IoT connectivity but also invite security challenges. This means security of applications, virtual machines, data storage, and supporting middleware to secure each of these components of cloud. The last thing is the responsibility of the user to be cautious: to know about their networks, to alert unauthorized access of a third party, and to update new patches for their devices. We hope we can soon think of relieving the pressure of the end users a bit because with so many devices most users simply click ‘install anyway’ without looking at an update critically.
We hope that we can increase the safety of Internet of Things to prevent it from becoming Internet of Threats. It is possible but it requires radical change in the industry and a proactive involvement of governments to make IoT a game-changer for good that it has the potential to become.
About:
Mr. Akhil Joshi worked as an intern in Dr. Khurana’s group in 2017.
Mr. Raamesh Gowri Raghavan is an award winning poet, a well-known advertising professional, historian, and a researcher exploring the interface of science and art. He is also championing a massive anti-depression and suicide prevention effort.
You can know more about Raamesh at:
https://sites.google.com/view/raameshgowriraghavan/home
https://www.linkedin.com/in/raameshgowriraghavan/?ppe=1
And here’s Raamesh telling his life story:
Raamesh and Sukant are working together on several projects on the intersection of science, technology, and art, and also projects on mental health.
Dr. Sukant Khurana runs an academic research lab and several tech companies. He is also a known artist, author, and speaker. You can learn more about Sukant at www.brainnart.com or www.dataisnotjustdata.com and if you wish to work on biomedical research, neuroscience, sustainable development, artificial intelligence or data science projects for public good, you can contact him at skgroup.iiserk@gmail.com or by reaching out to him on linkedin https://www.linkedin.com/in/sukant-khurana-755a2343/.
Here are two small documentaries on Sukant and a TEDx video on his citizen science effort.
This story is published in The Startup, Medium’s largest entrepreneurship publication followed by 282,454+ people.
Subscribe to receive our top stories here.
