Security in IoT

Today is the era of the Internet of Things (IoT), where digitally connected devices are intruding on
many aspect of our lives, including our homes, offices, cars, retails Health and fitness etc. With the
advent of IPv6 and the wide deployment of Wi-Fi networks, IoT is growing at a very fast pace, and
researchers estimate that by 2020, the number of active wireless connected devices will exceed 40
billion. Downside is that, it is becoming increasingly vulnerable to cybercriminals. IDC predicts that
the IoT market will hit $14.4 trillion in annual sales by 2020 when combined with big data. And
according to Cisco, there will be 50 billion connected devices by that time. Major industries, from
healthcare to consumer to automotive, stand to benefit from these devices and the services derived
from them. While the adoption of the smart home and its connected devices are still in its early
stages today, Accenture reports that nearly 70% of consumers plan to buy a smart home device by
2019 bringing the smart home market alone to $490 billion in revenue. The healthcare industry
will experience the fastest growth in IoT adoption within the next five years, topping $2.5 trillion in
IoT-generated healthcare revenue by 2025. A recent survey by McKinsey & Company even found
that more than 25% of car buyers believe Internet connectivity is more important that engine power
or fuel efficiency.
However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon
significantly increases the number of security risks businesses and consumers will inevitably face.
Any device connecting to the Internet with an operating system comes with the possibility of being
compromised, in turn becoming a backdoor for attackers into the enterprise. The need of the hour is
to prevent the security threats by introducing adequate security the entire Ecosystem right from
establishing the system else when the system is compromised; it may really go out of proportion to
identify and fix issues in such high volumes of potentially affected nodes. Therefore, IoT security,
previously ignored, has now become an issue of high concern. Security should protect the services,
hardware resources, information and data, both in transition and storage.

Security Issues

Access control
and
Authorization

Authentication
and Identity
Management

Privacy
Protection

Trust
Establishment

Authorization
helps determine if
upon
identification, the
person or device
is permitted to
receive a service.
Access control
entails controlling
access to
resources by
granting or
denying means
using a wide
array of criteria.
These are
important to
establishing a
secure
connection
between a
number of
devices and
services. The
main issue to be
dealt with in this
scenario is
making access
control rules
easier to create,
understand and
manipulate

Because multiple
users,
object/things and
devices need to
authenticate each
other through
trustable
services.
The problem is to
find solution for
handling the
identity of user,
things/objects
and devices in a
secure manner.

Entities are
connected, and
data is
communicated
and exchanged
over the internet,
rendering user
privacy is very
sensitive.
Ensuring privacy
is required in data
collection, as well
as data sharing
and
management,
and data security
matters.

Two dimensions
of trust should be
considered in IoT:
trust in the
interactions
between entities,
and trust in the
system from the
users
perspective.
In order to gain
user/services
trust, there should
be an effective
mechanism of
defining trust in a
dynamic and
collaborative IoT
environment.

Data
confidentiality
Data
Confidentiality is
whether the
information stored
on a system is
protected against
unintended or
unauthorized
access.
Since systems
are sometimes
used to manage
sensitive
information, Data
Confidentiality is
often a measure
of the ability of
the system to
protect its data.

Vulnerability
Vulnerabilities are weaknesses in a system or its design that allow an intruder to execute
commands, access unauthorized data, and/or conduct denial-of service attacks. IoT systems are
based on two main components; system hardware and system software, and both have design flaws
quite often.

Exp
Is

It is a
the sy
config
allows
to con
inform
gathe
activit
Possi
device
left un
and lik
placed
easily
to atta
Such
raises
possib
attack
captu
device
crypto
secre
their
progra
replac
malici
under
of the

Hardware vulnerabilities are

very difficult to identify and
also difficult to fix even if the
vulnerability were identified
due to hardware compatibility
and interoperability and also
the effort it take to be fixed.
OEM and
Manufacturers of IoT
Device should
ensure providing inbuilt security.
Embedded devices
carry authentication
and authorization
information right from
manufacturing stage,
so that it can readily
fit in IoT Ecosystem
to ensure end to end
security.

Software vulnerabilities can

be found in operating
systems, application
software, and control
software like communication
protocols and devices drives.
There are a number of
factors that lead to software
design flaws, including
human factors and software
complexity.

Unauthorized Data Ingestion

Over the air

software / firmware
auto updates /
upgrades and
Provisioning.
Allowing the
information to be
injected into the
system through USB
or any other external
means. The entire
path/interface should
be secured and
procedures to be
applied only after
ensuring
authentication and

authorization of the
source of Data.

Security Attacks
Attacks are actions taken to harm a system or disrupt normal operations by exploiting vulnerabilities
using various techniques and tools. If enterprises haven't been affected by IoT attacks already,
they're something that should be on their to-address lists. IoT attacks are inevitably coming, so it is
important to learn how best to prevent or defend against them before it's too late. Common cyberattack types are:

Physical attacks

This sort of attack tampers with hardware components. Due to the unattended and distributed nature of th
operate in outdoor environments, which are highly susceptible to physical attacks.
Reconnaissance attacks

Unauthorized discovery and mapping of systems, services, or vulnerabilities. Examples of reconnaissance

network ports, packet sniffers, traffic analysis, and sending queries about IP address information.
Denial-of-service (DoS)

This kind of attack is an attempt to make a machine or network resource unavailable to its intended users.
capabilities and limited computation resources, the majority of devices in IoT are vulnerable to resource en
Access attacks

unauthorized persons gain access to networks or devices to which they have no right to access.
There are two different types of access attack: the first is physical access, whereby the intruder can gain a
The second is remote access, which is done to IP-connected devices.
Attacks on privacy

Privacy protection in IoT has become increasingly challenging due to large volumes of information easily a
attacks on user privacy are:
Data mining: enables attackers to discover information that is not anticipated in certain databases.
Cyber espionage: using cracking techniques and malicious software to spy or obtain secret information o
or the government.
Eavesdropping: listening to a conversation between two parties
Tracking: a users movements can be tracked by the devices unique identification number (UID). Trackin
identifying them in situations in which they wish to remain anonymous.
Password-based attacks: attempts are made by intruders to duplicate a valid user password. This attem
different ways: 1) dictionary attack trying possible combinations of letters and numbers to guess user p
attacks using cracking tools to try all possible combinations of passwords to uncover valid passwords.
Cyber-crimes

The Internet and smart objects are used to exploit users and data for materialistic gain, such as intellectua
brand theft, and fraud.
Ransomware

It is a type of malware that can be covertly installed on a computer without knowledge or intention of the u
the infected computer system in some way, and demands that the user pay a ransom to the malware oper
restriction.
IoT devices offer a potential growth bed to any ransomware operation because the devices are interconne
pointedly lack any form of security. A selection of traditional malware will be too large to ever run on a num
ransomware, predominantly consisting of a few commands and an encryption algorithm, is much lighter.

Security Goals

 To provide reliable services to

IoT users, integrity is a
mandatory security property in
most cases. Different systems
in IoT have various integrity
requirements. For instance, a
remote patient monitoring
system will have high integrity
checking against random
errors due to information
sensitivities.

Ubiquitous connectivity of the IoT

aggravates the problem of authentication
because of the nature of IoT environments,
where possible communication would take
place between device to device (M2M),
human to device, and/or human to human.
Different authentication requirements
necessitate different solutions in different
systems.
Some solutions must be strong, for example
authentication of bank cards or bank
systems. On the other hand, most will have
to be international, e.g., ePassport, while
others have to be local.

Integrity

Authentication

A user of a device (or the

device itself) must be capable
of accessing services anytime,
whenever needed. Different
hardware and software
components in IoT devices
must be robust so as to
provide services even in the
presence of malicious entities
or adverse situations.
Various systems have different
availability requirements. For
instance, fire monitoring or
Availability
healthcare monitoring systems
would likely have higher
availability requirements than
roadside pollution sensors.

When developing security

techniques to be used in a
secure network, accountability
adds redundancy and
responsibility of certain
actions, duties and planning of
the implementation of network
security policies.
In case of a repudiation
incident, an entity would be
traced for its actions through
an accountability process that
could be useful for checking
Accountability
the inside story of what
happened and who was
actually responsible for the
incident.

A security audit is a systematic

evaluation of the security of a
device or service by measuring
how well it conforms to a set of
established criteria. Due to
many bugs and vulnerabilities
in most systems, security
auditing plays an important
role in determining any
exploitable weaknesses that
put the data at risk.
In IoT, a systems need for
auditing depends on the
Auditing
application and its value.

Application whitelisting is a
computer administration
practice used to prevent
unauthorized programs from
running.
The purpose is primarily to
protect computers and
networks from harmful
applications, and, to a lesser
extent, to prevent unnecessary
demand for resources.

The OWASP Internet of Things

Project is designed to help
manufacturers, developers,
and consumers better
understand the security issues
associated with the Internet of
Things, and to enable users in
any context to make better
security decisions when
building, deploying, or
assessing IoT technologies.

Individual systems should be

hardened including uninstalling
or disabling unneeded
functionality, patching services,
removing unneeded accounts,
closing unused ports and
services, changing default
passwords, etc. NERC CIP, for
example, has specific
requirements associated with
hardening.

Application whitelisting

OWASP Guidelines

Harden Systems

Confidentiality is an important
security feature in IoT, but it
may not be mandatory in some
scenarios where data is
presented publicly. However, in
most situations and scenarios
sensitive data must not be
disclosed or read by
unauthorized entities.
For instance patient data,
private business data, and/or
military data as well as security
credentials and secret keys,
Confidentiality
must be hidden from
unauthorized entities.

Privacy Goals
Privacy is an entitys right to determine the degree to which it will interact with its environment
and to what extent the entity is willing to share information about itself with others. The main
privacy goals in IoT are:

Privacy in devices
depends on physical and commutation privacy. Sensitive information may be leaked out of the device in cases
resilience to side channel attacks.

Privacy during communication

depends on the availability of a device, and device integrity and reliability. IoT devices should communicate onl
derogate the disclosure of data privacy during communication.

Privacy in storage

to protect the privacy of data stored in devices, the following two things should be considered:
Possible amounts of data needed should be stored in devices.
Regulation must be extended to provide protection of user data after end-of-device life (deletion of the device d
stolen, lost or not in use).
Encrypted Data at Rest

Privacy in processing

depends on device and communication integrity. Data should be disclosed to or retained from third parties with
data owner.

Identity privacy
the identity of any device should only discovered by authorized entity (human/device).

Location privacy
the geographical position of relevant device should only discovered by authorized entity (human/device).

Conclusion
IoT networks are challenging to secure. Meanwhile given that the nature of the risk emphasizes
system availability as a high-priority security attribute means that the threat environment is very
polarized: IoT networks need to be worried about both sophisticated targeted attacks from
competitors and nation-states, as well as accidental misuse from employees, contractors, and
vendors.
By using historical attack patterns, vulnerabilities, and lessons learned from previous incidents, IoT
network owners can build a threat model that effectively mitigates security risk while also addressing
compliance requirements. This risk-based approach is cost effective, practical, and emphasize the
most critical areas of risk first. Its an important foundation to an ongoing information security
program that can enable organizations to continue to use the benefits of increased system
interconnectedness as dictated by proven ROI, while minimize the very real human and economic
risks associated with IoT. However, until that is done, it is up to users and enterprises to take the
necessary precautions and put the proper controls in place to mitigate potential IoT security threats.

References

http://riverpublishers.com/journal/journal_articles/RP_Journal_22451439_414.pdf
https://en.wikipedia.org/wiki/Ransomware

http://icitech.org/wp-content/uploads/2016/04/ICIT-Brief-Combatting-theRansomware-Blitzkrieg2.pdf
http://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
http://searchsecurity.techtarget.com/definition
https://www.ariasystems.com/blog/the-iot-new-opportunities-bring-newsecurity-challenges/
http://internetofthingsagenda.techtarget.com/tip/Internet-of-Things-IOTSeven-enterprise-risks-to-consider
http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-ofthings/C11-735871.pdf
Images :
o http://blogs-images.forbes.com/centurylink/files/2015/10/cyber-attackdata-breach.jpg
o https://www.ariasystems.com/blog/wpcontent/uploads/2016/03/Internet-of-Things-security-questions.jpg
o https://vtechsolution.com/wpcontent/uploads/2014/05/Vulnerability.png
o Google Images

Credits: Various references have been taken to compile the article and due credits
are passed to the authors/publishers of these White papers/tutorials/journals. This is
compiled information to give a perspective.