Security Challenges of Internet Of Things (IoT)



Internet of Things

By: Vishesh Berera, BCA 2nd Semester, 2nd Shift

IoT comprises devices and sensors interacting and communicating with other machines, objects and environments. There will be 26 billion devices connected to each other by 2020. There are still other predictions that put this number at 50 billion devices by 2020. As a result of this exploding growth in the interaction between devices and systems, huge volumes of data are expected to be generated and moved across information processing systems. These raw data will be processed and analysed to generate meaningful information and to support actionable decision making. The Internet of Things (IoT) is captivating organisations because of its potential to rapidly transform businesses and people’s lives. It is widely believed that IoT will precipitate a major shift in people’s lives similar to how the Internet transformed the way people communicate and share information.

Concerns have been raised that the Internet of Things is being developed rapidly without appropriate consideration of the profound security challenges involved and the regulatory changes that might be necessary. IoT suffers from platform fragmentation and a lack of technical standards: the variety of IoT devices, in terms of both hardware variations and differences in the software running on them, makes it hard to develop applications that work consistently across inconsistent technology ecosystems. Customers may be hesitant to bet their IoT future on proprietary software or hardware devices that use proprietary protocols that may fade or become difficult to customise and interconnect.

IoT's amorphous computing nature is also a problem for security since patches to bugs found in the core operating system often do not reach users of older and lower-price devices. One set of researchers says that the failure of vendors to support older devices with patches and updates leaves more than 87% of active devices vulnerable.

According to the Business Insider Intelligence Survey conducted in the last quarter of 2014, 39% of the respondents said that security is the biggest concern in adopting Internet of Things technology. In particular, as the Internet of Things spreads widely, cyber attacks are likely to become an increasingly physical (rather than simply virtual) threat. In a January 2014 article in Forbes, cybersecurity columnist Joseph Steinberg listed many Internet-connected appliances that can already "spy on people in their own homes" including televisions, kitchen appliances, cameras, and thermostats. Computer-controlled devices in automobiles such as brakes, engine, locks, hood and trunk releases, horn, heat, and dashboard have been shown to be vulnerable to attackers who have access to the onboard network. In some cases, vehicle computer systems are Internet-connected, allowing them to be exploited remotely. Later, hackers demonstrated remote control of insulin pumps and implantable cardioverter defibrillators.

As a response to increasing concerns over security, the Internet of Things Security Foundation (IoTSF) was launched on 23 September 2015. IoTSF has a mission to secure the Internet of Things by promoting knowledge and best practice. Its founding board is made up of technology providers and telecommunications companies including BT, Vodafone, Imagination Technologies and Pen Test Partners. A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial control systems exposed to the Shodan search engine, it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues.

Some of the simplest IoT (or machine-to-machine) devices lack adequate processing power and storage to host endpoint security software. They run real-time operating systems, which do not offer support for a wide variety of endpoint protection products. The list of IoT products without the ability to have the firmware updated with security protection is long. In the rush to connect everything to the internet, no one has stopped to think whether it should be connected to the internet. Security is taking a backseat to convenience and ease of access. Does it make sense to be able to check your Gmail account on your fridge? Or does a building’s HVAC system really need to be linked to the internet?

Without proper investment in secure protocols, website interfaces, and APIs, the benefits of IoT seldom outweigh the associated risks. Internet of Things applications collect tonnes of data. Data retrieval and processing is an integral part of the whole IoT environment. Most of this data is personal and needs to be protected through encryption.

To address this IoT security issue, you can use the Secure Sockets Layer (SSL) protocol wherever your data is present online. Websites already use SSL certification to encrypt and protect the user’s data online. This is only half of the equation; the other half is to protect the wireless protocol side. While data is being transferred wirelessly it needs encryption as well. Sensitive data like locations needs to be available to the concerned user and no one else. Therefore, make sure you use a wireless protocol with inbuilt encryption.

"Hackers are beginning to realise that the value of protected health information (PHI) is far more valuable than personally identifiable information (PII) and the weakness in the hospital network makes them a greater target than in the past. What makes this extremely dangerous for the patient is that the hacker is tampering with biomedical devices like infusion pumps, which can then become a life-threatening situation," he said.

Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on—all beyond the control of the driver. In another case, a luxury yacht was lured off course by researchers hacking the GPS signal that it was using for navigation.

Home control hubs have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks. Other cases involve industrial control systems being hacked via their wireless network and sensors.

"We are already seeing hacked TV sets and video cameras [and] child monitors that have raised privacy concerns, and even hacked power meters which to date have been used to steal electric power," adds Paul Henry, a principal at security consulting firm VNet Security LLC in Boynton Beach, Fla., and a senior instructor at the SANS Institute, a cooperative research and education organization in Bethesda, MD. "A recent article spoke of a 'hacked light bulb,'" Henry says. "I can imagine a worm that would compromise large numbers of these Internet-connected devices and amass them into a botnet of some kind. Remember it is not just the value or power of the device that the bad guy wants; it is the bandwidth it can access and use in a DDoS (distributed denial-of-service) attack."

What Can We Do?


While threats will always exist with the IoT as they do with other technology endeavours, it is possible to bolster the security of IoT environments using security tools such as data encryption, strong user authentication, resilient coding and standardised and tested APIs that react in a predictable manner.


Security needs to be built in as the foundation of IoT systems, with rigorous validity checks, authentication and data verification, and all the data needs to be encrypted. At the application level, software development organisations need to be better at writing code that is stable, resilient and trustworthy, with better code development standards, training, threat analysis and testing. As systems interact with each other, it's essential to have an agreed interoperability standard which is safe and valid. Without a solid bottom-to-top structure we will create more threats with every device added to the IoT. What we need is a secure and safe IoT with privacy protected: a tough trade-off, but not an impossible one.

For organisations to realise the full value of IoT, they must address security holistically. First, they need to physically secure IoT, especially sensors and smart meters that are out in the field. Second, they need to secure IoT connections. IoT connection security should provide the ability to easily identify, authenticate, onboard, segment, and monitor connected devices and then enforce access policies consistently and continuously. Finally, they need to secure data collected by IoT devices.
