The Internet of Things (IoT) is occupying the attention of city planners, the ones in the medical world, the energy sector, more particularly, with no parallels in the recent past. The connected devices share a host of data covering many geographies. The questions often by-passed are related to security and if they are outside the clutches of hackers.
According to many research studies, including the Gartner analysis, there will be about 21 billion connected IoT devices by the year 2020. While we would like to quote this statistic with pride and look enthusiastically at the business opportunities this will give rise to, there is one alarming concern – IoT security. It stands to reason that more the number of smart devices, more the possibility of attack vectors.
Secure PCs, why not secure IoT products?
One of the reasons is that as the idea of networking appliances and other devices is relatively new, security is not always a priority during product design. IoT products often have old and unpatched embedded operating systems and software. Also, end users fail to change the default passwords on smart devices and usually don’t select sufficiently strong passwords. IoT devices are provided with unique identifiers and the ability to automatically transfer data over a network. Embedded sensor systems used in industrial machine-to-machine (M2M) communication, smart energy grids, home and building automation, vehicle to vehicle communication, wearable devices and other computing devices account for most of the IoT communication that happens. The frightening vulnerabilities found on IoT devices have therefore brought IoT security further up to the fore.
For example, research has found that a significant range of IoT baby monitors can be hacked and used to monitor live feeds, change the camera settings and authorize others to remotely view and control the monitor. Connected cars can be compromised, and hackers can take control of the entertainment system, unlock the doors or even stop a moving car. Hackers have been found to use the motion sensors embedded in smart watches to steal information or gather health data from fitness apps or health tracker devices.
Very soon, there will be consumers who own hundreds of connected devices. Hence, we need a fool-proof plan for installing security updates, which definitely cannot be manual. Proper safeguards are necessary to prevent updating interfaces from becoming security holes themselves or else we will end up with a scenario of the fence eating the crop. We need security at both the device and network levels for safe operation of IoT. The Artificial Intelligence (AI) that is the brain of the device which learns the preferences of the users and enables the device to perform accordingly must also be able to recognize and counteract threats. The measures that have proven enormously successful in IT networks will have to be substantially re-engineered if they are to address the device constraints.
Challenges
Most embedded devices are tiny and are designed for low power consumption with limited connectivity. The processing capacity and memory required to perform their tasks is also very limited plus some are low cost and essentially disposable. All these factors could prove to be an inhibiting factor in encryption and other robust security measures. With the enormous amount of data IoT devices generate and communicate back to the cloud for analysis, it would be unwise to assume that all systems can scale to accommodate the bandwidth, power, storage and computing ability needed to handle this load.
Manufacturers, as well as users of connected devices must spend time and try to understand what data their devices collect, what information is shared and with whom and how the data is transmitted and received. In addition, where the data is being stored is vital including how stringent are the privacy settings that need to be activated in accompanying the software. Just as with any other computer devices, it is essential to run the latest software and patch vulnerabilities as well as ensure all apps associated with the device are updated. For example, a smart meter that is able to send energy usage data to the utility services company for billing or real-time power grid optimization must be able to protect that information from unauthorized users. If this information can be hacked, thieves could figure out which houses are empty based on the decrease in power usage and burgle those homes.
About a decade ago, we had to protect only our computers and few years ago, our smartphones. Now we have to worry about protecting our home appliances, our car, our wearables, even our medical reports. Hackers can hack into any device, by being even in a remote place. The IoT devices manufactures & users have to start thinking from the point of the hacker and thus create products that make it hack-proof.
Solutions
When a device is being designed, security must be one of the primary components and must continue throughout the device lifecycle. The following could be a few ways to ensure secure connected products:
• When the device is first powered up, a cryptographically generated digital signature verifies the authenticity and integrity of the software on the device, i.e., only the software that has been authorized to run on that device and signed by the entity that authorized it will be loaded.
• Access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs. The principle of least privilege dictates that only the minimal access required to perform a function should be authorized in order to minimize the effectiveness of any breach of security.
• When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data.
• The device must have a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device in a way that makes optimal use of the limited computational resources available.
• Software updates and security patches must be delivered in a way that conserves the limited bandwidth and intermittent connectivity of an embedded device and absolutely eliminates the possibility of compromising functional safety.
The Internet of Things Security Foundation (IoTSF) is a non-profit body founded by a group of technology companies that will be responsible for vetting connected devices for vulnerabilities and flaws and will offer security assistance to technology providers, system adopters, and end users. There are many other companies working on setting up platforms that will enable large networks of IoT devices to identify and authenticate each other in order to provide higher security and prevent data breaches. There is also research being conducted to enhance IoT security through device and smartphone linking.
To summarize, IoT security cannot be an afterthought – it must be an integral part of the device. Rather than searching for a silver bullet that does not exist, we must re-engineer, optimize and adapt current cutting edge security controls that work for the IT network for the complex embedded applications that is at the heart of Internet of Things.
Mr. MN Vidyashankar is the President of India Electronics & Semiconductor Association. MN Vidyashankar served as the Principal Secretary to the Government of Karnataka and brings over 30 years of rich experience in management and administration of various government offices, autonomous bodies, boards and corporations. Vidyashankar joined the IAS in 1982 and served various government departments at the state and central level before moving on to hold the position of the Principal Secretary, Department of Information Technology, Biotechnology and Science & Technology, Department of e-Governance, Government of Karnataka. Vidyashankar holds an M.A in Economics and an M.Phil. from the Delhi School of Economics, University of Delhi. He is also a post graduate in business administration from Harvard University, USA.