March 10, 2015


IoT Security - The Need of the Hour

With the advent of low power sensors, energy efficient processors/ controllers, the advancements in communication, especially in wireless, the reach and growth of IoT is accelerated. This exponential growth is causing concerns for data security and data privacy. Any network that has nodes with a programmable interface and is accessible can be a potential network security threat. The more devices get added to the network, the more fragile it becomes. A network is only as strong as its weakest link.

IoT is here to stay and since there can be no compromise on data security, issues must be addressed right from the initial phase of development. IoT security processes must be deployed across each phase of design, coding, installation and commissioning, and maintenance.

In this blog, I will discuss IoT security issues, be it home or Enterprise, how these can be addressed to ensure data security.

  • Secure programming

Most reported security incidents have been caused due to a programmer’s non-adherence to secure programming standards. With IoT devices, the risk of using non-secure functions and processes increase the risk of weakening the link, exposing the network to attacks. This is easily avoidable, if the programmer adheres to a few steps while coding, such as avoiding using non-secure functions, using the latest updates for tool chains, and adapting to Code Reviews and Code Analysis for security vulnerabilities.

There are a few tools like Rosecheckers, which perform static analysis on C/C++ source files to enforce the rules in the CERT C Coding standard. The Secure Coding Validation Suite is a set of tests developed by CERT to validate the rules defined in ISO/IEC TS 17961.

  • Multi network connect and lack of encryption of data transferred over the network

The IoT is a heterogeneous mix of media and communication protocols. The wireless communications are open to air, most protocols are open to the public, and devices are limited with resources to implement strong security algorithms for transmission. These factors contribute to IoT security challenges as they mostly go unnoticed, leaving the network prone to attacks.

The attacks on the IoT network are of the following kind:

  • Passive attack, carried out with the objective of stealing confidential data, and sniffing on the network. These attacks often go unnoticed, are difficult to detect, and are usually an insider activity.
  • Active attacks, carried out to disrupt the network, like the Sybil, Honeypot DDOS, Node Replication etc. They are more difficult to detect due to the heterogeneity of the network. There are techniques and tools to detect and neutralize these attacks on Wi-Fi 802.11, but the same on ZigBee, Bluetooth, Wireless Direct, and NFC pose multiple challenges.

The best practice, to deal with these challenges, is to encrypt data before it is sent out to open channels of communication. But the encryption and decryption of data adds to the overheads of the limited computational ability of the IoT sensors and processors. Hence, a lot of introspection is required when choosing the best option between security and computational ability.

  • Identification and authorization of connected devices

IoT devices have certain attack metrics in their complete lifecycle, which need to be addressed to make them completely secure.

  • Boot Image Security and Identification: Since most IoT devices are programmed ‘Over the Air’ (OTA), it’s possible to program them with malicious images without identification, resulting in control being relinquished to an intruder. To secure the image, ‘Boot Image Identification Mechanism’ should be introduced with a digital signature to authorize the authenticity of the image. This can be used to check every-time it is booted up
  • Role Based Login Authorization: IoT devices are programmed to connect to the user with a single login and be identified with the MAC address. The attacker can easily spoof the MAC address and intrude in to the network. “Role Based Login” should be incorporated to counter data theft and device intrusions.
  • Device Network Identification: Most IoT Devices start data transmission over the network as soon as they are connected, leaving them more vulnerable to active attacks, such as the Honey Pot

To avoid any mishaps, the device network should have a second level of handshake authentication, specific to the device and network before it transmits data over the network.

  • Patching of Security Threats Identified

Most IoT sensor devices are fitted and forgotten about, and this is a bad practice, which can severely compromise network security. While, it is imperative to identify and fix security defects in future products, existing products and infrastructure must not be left behind with security vulnerabilities. Just as we have patches and updates for the security for our personal devices, the same technique must be adopted regularly for network security vulnerabilities. With these practices, all devices either in critical or non-critical operations can be secured.

Security is of the utmost importance for the health of IoT Device Network. As devices become smarter with added intelligence and artificial learning capabilities, they also become more prone to attacks. IoT security companies must embrace these IoT security solutions in order to secure the network. The solutions I’ve described can be the first small steps towards securing the IoT Network.