In part one of my series on IoT (Internet of Things) security, I outlined key concepts around authentication, encryption, and secure storage. Keeping these concepts mind, I’ll continue my discussion by outlining some IoT device security tips below.
IoT Device Security Challenges
There’s several challenges that make securing IoT devices difficult today. I often tell people at security conferences and speaking events that if it were easy to secure IoT devices, the industry would have done it by now. With that in mind, I’d like to spend some time explaining challenges that device manufacturers face today.
1. IoT devices have limited UI and human interaction making security more challenging
Unlike smartphones or laptops, IoT devices are largely autonomous and may have very limited computing resources. Unlike mobile phones and PCs, IoT devices generally cannot be secured with biometrics or a username or password. Because connected devices such as smart lightbulbs or thermostats often require no human interaction to function, they require a different and more complex approach to security to prevent spoofing and intrusions. I’ll touch more on this in a future blog post.
2. Today’s market expects frequent software updates
Today, apps, smartphones, and PCs constantly provide a stream of updates to add features, patch bugs, or security issues. It’s the market’s expectation that anything that’s connected to a network will have software updates.
The problem is that most IoT devices have far fewer computing resources and established backend infrastructure to deliver updates in a secure fashion. As a result, many IoT devices are designed with open access to their memory to accommodate today’s agile development lifecycle. With software cadences becoming more frequent, it’s a challenge for developers to deliver new functionality and fixes without sacrificing security for a device that’s already deployed in the market. This often results in introducing security vulnerabilities.
You’ve likely read a number of stories where hackers have leveraged vulnerabilities for their own means. This has resulted in users abusing holes in the code to steal device credentials to gain network access, replace existing firmware with malware, or even executing denial-of-service (DoS) attacks.
3. Network security has traditionally been an enterprise implementation
Many device manufacturers struggle with implementing security inexpensively in a highly scalable fashion. Most current security solutions target enterprise applications, which has a far different dynamic than the world of embedded systems and small devices. In the enterprise world, big data centers have their own security teams and security is typically a fairly centralized deployment. Data centers have relatively few customers and large deployments.
Devices and embedded systems are the exact opposite of this: tens, maybe hundreds of thousands of customers with limited security expertise. The additional difficulty is that each individual company is generally not that large, but in aggregate they manufacture billions of devices. It is a highly fragmented and highly de-centralized application.
4. General misunderstandings about what security is
The term “security” gets thrown around a lot, but not that many people understand that it is a very non-specific term and could literally mean anything. The common perception is that security is about encryption, which is only about 25% correct. The biggest element of security is authentication: identify who you are communicating with and be able to verify it.
Going back to our previous point, forged or spoofed identities are one of the most common methods of hacking access to devices and networks. It’s far easier to fool the system into believing you are someone else than it is to break the encryption by brute force. It’s not like each device can have an easily readable and unique fingerprint like humans that can be registered. Or can they?
I hope you’ve found this blog post helpful in outlining different challenges in securing IoT devices today. Look out for part three of my series, where I’ll cover how digital certificates and asymmetric cryptography can help authenticate and encrypt your device.
In a world of connected people, places and things, Kyrio exists to ensure reliability, trust and scale so you can innovate at the speed of business. Contact Kyrio today to find out how we can secure your entire ecosystem and look out for part three of my series.