- What are the security issues in IoT?
- Security for IoT devices
- IoT security solutions
- Security of a fully connected world
Today, many devices that have built-in operating systems are connected to the Internet. This creates a lot of new opportunities for common users. According to research, by the year 2020, there will be about 26 billion internet-connected devices. Meanwhile, other analysts say the number of these devices may exceed 100 billion.
The same we can say about IoT apps – there are a lot of them: alarm systems that warn users through smartphones; fitness trackers apps that collect health data, shared with doctors; car gadgets software, which calculate the optimal route; home refrigerators, that remind users to buy necessary goods, and so on.
The IoT industry is still in its development phase, but it already gave us rise to huge expectations, promising to open up new markets, providing a wealth of information about possible benefits from the buying habits of customers for future sales. However, we must understand that there is another side of the coin, related to IoT security and privacy issues, to which we need to pay our attention first and foremost.
What are the security issues in IoT?
IoT cyberattacks, unlike usual ones, are not limited by the information damage or its loss. They can be used to inflict physical harm or provide money loss. Almost any connected device, from a fitness tracker to an onboard plane system can be hacked. Here are some illustrative examples.
- Hackers hacked the digital infrastructure of the European Space Agency and have stolen the names, email addresses, and passwords of 8,000 people. Then this data was hosted for public use.
- Security experts from the Proofpoint company found that over the short period in 2014, web-connected refrigerator sent more than 75,000 spam messages and fishing emails.
- Hacker and a cybersecurity expert from the One World Labs company hacked the onboard plane system and, according to the FBI report, dated April 2015, overrode the control of an aircraft.
- More and more cars today became web-connected. But what if the car will be hacked? Usually, people do not think about it, but what will happen when control of your vehicle will be overridden at a speed of 70 mph? This isn’t the best scenario for sure.
Well, we can list situations similar to that for a long time, but the main question remains: how can we avoid security problems in IoT and provide the highest level of security to our devices?
Security for IoT devices
In the case of the Internet of Things, the physical object itself becomes a key element to which we need to pay our full attention. Whether it's a car, smartwatch, or a health tracker – these objects all became suddenly involved in networking.
At the same time, some IoT devices can serve critical infrastructures - water supply system, city’s power grid, transport system. The Major importance of all these systems turns them into potential targets for industrial espionage, DoS, and other hacker attacks.
To prevent damage, safety mechanisms, and IoT security services must be integrated at the early development stage, so authorized users would be able to control all data transmission inside the IoT device system. Here are 6 tips that can help to avoid security problems for IoT devices.
IoT security solutions
1. Don’t reinvent a wheel.
This is the main recommendation. Instead of searching for fundamentally new solutions, use already existing industry standards and protocols for building software infrastructure. Internet of Things – it is a fairly complex range of technologies, where the consequences of different code mistakes often have a stronger effect on the company's business comparing to the classical software projects. Therefore, it is important to devote a greater amount of time to testing and using already proven solutions.
Build applications based on existing, well-protected platforms such as Apple iOS (for example). World-class companies have already invested dozens of millions of dollars to provide maximum security for these products. The choice of these platforms means the faster launch of the product because it would nоt require the development of several very labor-intensive components from scratch.
2. Ensure the protection of access channels.
Mobile operators’ VPN can be used for increasing IoT app security so that no one could access an IoT device from the public network. This eliminates the risk of accessing a device software using a standard Internet connection, ie, the attacker will not be able to connect to your IP address. Similar solutions are used to provide the security of ATMs.
3. Enable two-factor authentication.
The first important step in providing security of the IoT device is to ensure that the user is the one who he claims to be, and indeed has all rights to access this device. An authentication procedure is an important aspect while dealing with web-connected devices. For example, when we open a smart car with a mobile phone, we want to be sure that no one except us can do the same.
Another internet of things security problem is weak passwords. It is one of the key issues why IoT device security can fail. 60% of users use the same password on multiple websites and services, 45% change passwords once a year.
Single-factor authentication (password only) is a thing of the past, a two-factor authentification system becomes a standard one. It provides two-layer protection for your account against unauthorized access. For example, the first login is a password, and the second one is a special code user receives via SMS.
HP Fortify found that 100% of smartwatches are vulnerable due to the absence of two-factor authentication and because of easy accessibility for brute force - that means a hacker can easily crack the password and use it for future attacks.
4. Use biometrics and its potential.
Authentication can become more challenging in the terms of hacking if developers will integrate voice recognition, USB-keys, smart cards, code generators, SecureID technologies. Unfortunately, today face authentication is implemented on mobile devices poorly.
As regards voice identification – according to research, the number of users, who are convenient with that, very small. And what‘s more, if we are talking about smartphone capabilities, voice recognition technology, in this case, is not 100% sufficiently reliable.
But still, developers continue to look for reliable solutions based on this technology. The Dutch bank ING Netherlands has released an application for online banking, where the password to the account is the client’s voice. The IoT application uses voice biometrics technology, which is implemented on a platform called “Nina”.
Mastercard is testing an application that allows confirming transactions without using numerical codes but is based on facial recognition technology. In other words, the client will need to take a selfie to be able to make any payment on the Internet.
5. Do not underestimate the mobile threat and its price.
Today, the Internet of Things develops largely due to the possibility to manage physical objects through applications on mobile devices. With the help of smartphones, a lot of users already control their vehicles, receive data from portable devices, including fitness bracelets, and exchange data with smartwatches.
Often, work with a physical object is connected with a two-factor authentication which is impossible to make without using a smartphone. And here we go back to the problem of mobile malware, which can steal passwords and codes needed to log into the bank app or to a personal medical account on a hospital web-resource.
6. Compose threat model.
Always try to compose an exhaustive list of all possible web-threats to your IoT device and model the security architecture for the object, which will be managed by your product (software).
The methodology of modeling should cover all issues of privacy, security, fraud prevention, cyber-attacks, and intellectual property theft. Still, risk assessment is not an easy task, because hackers are constantly searching for new solutions and progressively create more and more ways of web-hacking.
Security of a fully connected world
Security should not be seen as an isolated process that we just run once and forget about it. It is important to protect devices used in the IoT ecosystem throughout their lifecycle, no matter whether it is a standalone custom product, or a certain system, for example, integrated into the car.
Yes, for now, there are particular pros and cons of using IoT devices in our lives, but over time, consumers will perceive the convenience of IoT using for granted and be sure it's safe. But as there is no universal solution on how to neutralize all the threats simultaneously, it is recommended to get help from experts in the field of web security consultations. That’s why we are here on the market.
Our company has been developing IT-products since 2000. We can say, without exaggeration, there is nothing we don’t know about cybersecurity on the network. Contact us at firstname.lastname@example.org and we will advise you on all aspects of IoT software development and will help to create an effective security system for IoT devices.