How to Avoid Security Problems in IoT Devices?
Sergio Salduhin
Today, many devices with built-in operating systems are connected to the Internet, which creates many new opportunities for ordinary users. According to one study, by the year 2020 there will be about 26 billion internet-connected devices. Other analysts say the number of these devices may exceed 100 billion.
The same can be said of IoT apps, and there are a lot of them: alarm systems that warn users through their smartphones; fitness tracker apps that collect health data to share with doctors; in-car software that calculates the optimal route; home refrigerators that remind users to buy necessary goods; and so on.
The IoT industry is still in its development phase, but it has already given rise to huge expectations, promising to open up new markets and to provide a wealth of information about customers' buying habits that can benefit future sales. However, there is another side of the coin: IoT security and privacy issues, which need our attention first and foremost.
Security Issues In IoT
IoT cyber attacks, unlike conventional ones, are not limited to damaging or destroying information. They can be used to inflict physical harm or cause financial loss. Almost any connected device, from a fitness tracker to an onboard aircraft system, can be hacked. Here are some illustrative examples.
- Hackers broke into the digital infrastructure of the European Space Agency and stole the names, email addresses and passwords of 8,000 people. The data was then posted publicly.
- Security experts from Proofpoint found that, over a short period in 2014, a web-connected refrigerator sent more than 75,000 spam messages and phishing emails.
- A hacker and cyber security expert from One World Labs hacked an onboard aircraft system and, according to an FBI report dated April 2015, overrode the control of an aircraft.
- More and more cars today are web-connected. But what if a car is hacked? People usually do not think about it, but what happens when control of your vehicle is overridden at a speed of 70 mph? This isn’t the best scenario, for sure.
We could list similar situations for a long time, but the main question remains: how can we avoid security problems in IoT and provide the highest level of security for our devices?
Security For Internet Of Things
In the Internet of Things, the physical object itself becomes the key element that needs our full attention. Whether it's a car, a smart watch or a health tracker, these objects have all suddenly become part of a network.
At the same time, some IoT devices serve critical infrastructure: a water supply system, a city’s power grid, a transport system. The importance of these systems turns them into potential targets for industrial espionage, DoS, and other hacker attacks.
To prevent damage, safety mechanisms and IoT security services must be integrated at an early development stage, so that authorized users are able to control all data transmission inside the IoT device system. Here are 6 tips that can help to avoid security problems in IoT devices.
IoT Security Solutions
1. Don’t reinvent the wheel. This is the main recommendation. Instead of searching for fundamentally new solutions, use existing industry standards and protocols to build your software infrastructure. The Internet of Things is a fairly complex range of technologies, where the consequences of coding mistakes often have a stronger effect on the company's business than in classical software projects. It is therefore important to devote more time to testing and to use already proven solutions.
Build applications on existing, well-protected platforms such as Apple iOS. World-class companies have already invested dozens of millions of dollars to provide maximum security for these products. Choosing these platforms also means a faster product launch, because it does not require developing a number of very labor-intensive components from scratch.
2. Ensure the protection of access channels. A mobile operator’s VPN can be used to increase IoT app security so that no one can access an IoT device from the public network. This eliminates the risk of someone reaching the device software over a standard Internet connection, i.e., the attacker will not be able to connect to your IP address. Similar solutions are used to secure ATMs.
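One way to check tip 2 on a Linux-based device, as an added example that is not part of the original article: parse the device's listening sockets and flag any service reachable outside the VPN. The subnet `10.8.0.0/24` and the sample lines (laid out like `ss -tln` output) are constructed assumptions.

```python
import ipaddress

# Assumption: the operator VPN hands the device an address in this subnet.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample in the column layout of `ss -tln`.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    10.8.0.17:8883     0.0.0.0:*
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    203.0.113.9:80     0.0.0.0:*
"""


def exposed_listeners(ss_output, allowed=VPN_NET):
    """Return (local_address, reason) for sockets reachable outside the VPN."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        local = fields[3]
        host = local.rpartition(":")[0].strip("[]").split("%")[0]
        if host == "*":
            findings.append((local, "bound to all interfaces"))
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr in allowed:
            continue  # only reachable locally or through the VPN
        if addr.is_unspecified:
            findings.append((local, "bound to all interfaces"))
        else:
            findings.append((local, "bound outside the VPN subnet"))
    return findings


if __name__ == "__main__":
    for local, reason in exposed_listeners(SAMPLE):
        print(f"{local:20} {reason}")
```
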
3. Enable two-factor authentication. The first important step in securing an IoT device is to ensure that the user really is who he claims to be and does have the right to access the device. Authentication is an important aspect of dealing with web-connected devices. For example, when we open a smart car with a mobile phone, we want to be sure that no one except us can do the same.
Another Internet of Things security problem is weak passwords. It is one of the key reasons why IoT device security can fail. 60% of users use the same password on multiple websites and services, and 45% change passwords once a year.
Single-factor authentication (password only) is a thing of the past; two-factor authentication is becoming the standard. It provides two layers of protection for your account against unauthorized access. For example, the first factor is a password, and the second is a special code the user receives via SMS.
HP Fortify found that 100% of smart watches are vulnerable due to the absence of two-factor authentication and because they are easily brute-forced, which means a hacker can easily crack the password and use it for future attacks.
4. Use biometrics and its potential. Authentication becomes harder to hack if developers integrate voice recognition, USB keys, smart cards, code generators and SecurID technologies. Unfortunately, face authentication is poorly implemented on mobile devices today.
As for voice identification, according to research, the number of users who are comfortable with it is very small. What‘s more, as far as smartphone capabilities are concerned, voice recognition technology is not 100% reliable.
Still, developers continue to look for reliable solutions based on this technology. The Dutch bank ING Netherlands has released an online banking application in which the password to the account is the client’s voice. The application uses voice biometrics technology implemented on a platform called “Nina”.
Mastercard is testing an application that allows a transaction to be confirmed without numerical codes, on the basis of facial recognition technology. In other words, the client will need to take a selfie to be able to make a payment on the Internet.
5. Do not underestimate the mobile threat and its price. Today, the Internet of Things is developing largely thanks to the ability to manage physical objects through applications on mobile devices. Many users already use smartphones to control their vehicles, receive data from portable devices, including fitness bracelets, and exchange data with smart watches.
Working with a physical object often involves two-factor authentication, which is impossible without a smartphone. And here we return to the problem of mobile malware, which can steal the passwords and codes needed to log into a bank app or a personal medical account on a hospital web resource.
6. Compose a threat model. Always try to compose an exhaustive list of all possible web threats to your IoT device and model the security architecture for the object that will be managed by your product (software).
The modeling methodology should cover all issues of privacy, security, fraud prevention, cyber attacks and intellectual property theft. Still, risk assessment is not an easy task, because hackers are constantly searching for new approaches and keep creating more and more ways of web hacking.
Security of a Fully Connected World
Security should not be seen as an isolated process that we run once and then forget about. It is important to protect devices used in the IoT ecosystem throughout their lifecycle, whether it is a standalone custom product or a system integrated, for example, into a car.
Yes, for now there are particular pros and cons of using IoT devices in our lives, but over time consumers will take the convenience of the IoT for granted and assume it is safe. But as there is no universal solution that neutralizes all threats simultaneously, it is recommended to get help from experts in the field of web security consulting. That’s why we are here on the market.
Our company has been developing IT products since 2000. We can say, without exaggeration, that there is nothing we don’t know about cyber security on the network. Contact us and we will advise you on all aspects of IoT software development and help you create an effective security system for IoT devices.