Internet of Things (IoT) security – Infrastructure, Attack Surfaces and Solutions
The Internet of Things (IoT) is an ever-increasing and visible reality. With applications ranging from public utilities to medical equipment, IoT is rapidly surrounding us in ways we never imagined. The scope of IoT systems, from the personal (smart home appliances, fitness widgets, sharing services, smartphones, vehicles) to the industrial (factory automation, hospital functioning, nuclear reactors), makes them an attractive target for cybercriminals.
The need to address IoT security issues is also evident in the multi-billion dollar spending on IoT security systems by major corporations and institutions. Such high and growing market size valuations also reflect the increasing understanding of IoT infrastructure complexities among industry players. An interconnected, data-dependent and self-learning system such as IoT is not fully scalable without addressing safety and security concerns. IoT security is an increasingly talked about issue because, at almost every point of the ecosystem, opportunities for tampering or abuse abound. These security threats can present themselves in several areas of the supply chain, ranging from the way goods are designed, manufactured, transported, distributed and deployed to the way they are disposed of.
- For instance, nuclear reactor control systems are part of the overall IT infrastructure. Such an infrastructure is heavily dependent on software updates and security patches. Protecting the system functionality becomes paramount whenever a patch is rolled out.
- Applying IoT infrastructure to smart energy billing of residential homes is an efficient and futuristic solution, but it involves dynamic data exchange, which leaves the home exposed to threats such as burglary in case of an information leak.
The IoT infrastructure can be broadly divided into four major components (listed with their attack surfaces):
- Devices (Gateways, Sensors and Actuators) – Device memory, firmware, physical interfaces (USB ports), web and admin interfaces.
- Communication Channel (Bluetooth/Wi-Fi) – Network traffic over LAN and wireless links.
- Cloud Interface – Access to data stored in the cloud through injection attacks, weak credentials (passwords) or insecure encryption.
- Application Interface (web/mobile) – Exploitation of vulnerabilities in application interfaces, such as those in the OWASP Web or Mobile Top 10.
IoT security should not be treated as an add-on or an extra feature, but rather as a process that is part of the entire device lifecycle. The lack of a concrete consensus on IoT security implementation (whether at the device, network or system level) shouldn't be a detriment to the growth of the technology. The hierarchy of safety should be broad, ranging from the user interface level to the manufacturing (silicon) level.
Operating System (OS): To ensure a robust security environment, controls need to be established at the OS itself. Such a measure ensures capping of hardware security capabilities at the manufacturing phase. Directly starting from the OS level also helps developers down the line to maintain safe platforms.