Security Update 2016 IoT – Today's Use Cases Call for Increased Security

Today, the Internet of Things is ever-present. Everyday objects increasingly come with all sorts of sensors, which allows providing new offerings. However, security is often neglected.

Today, numerous IoT devices are used in many different scenarios. However, the devices are often insufficiently protected, which may result in severe consequences for security as shown by the latest DDoS attacks based on IoT botnets. The Internet of Things therefore is one of the – or rather – THE hot topic in IT security (see figure, AdNovum's current hype cycle for information security).

AdNovum’s hype cycle for information security as of November 2016 (based on Gartner’s hype cycles)
Zoom
AdNovum’s hype cycle for information security as of November 2016 (based on Gartner’s hype cycles)
New topics and changes compared to the previous version are marked red.

The Internet of Things as a sensor system network

Everyday objects are increasingly equipped with sensors. Sensors allow gathering information on home appliances, production facilities, buildings and cities – but also people – in a cost-efficient and easy way. Based on this information, it is possible to analyze problems more quickly, continuously enhance processes or estimate the remaining useful life of critical components, such as turbines, with predictive analytics and thus save costs. The tremendous economic potential of IoT solutions is obvious.

Sensor system networks in health care

Sensor system networks are also of great benefit to health care. Devices, such as scales or insulin pumps, not only collect data about their own status, but also about the physical conditions and processes of patients. Sensor system use cases that involve personal data have to deal with privacy issues. An IoT infrastructure that is secure from data measurement and data transfer to data storage is a prerequisite for the implementation of use cases in the medical sector. Due to the typically high level of networking and heterogeneity as well as the decentralized characteristics of IoT solutions, the consistent implementation of this requirement proves very demanding.

Business cases for insurance companies

Sensor system applications create promising business cases for insurance companies. Health insurers, for example, may give to their customers free toothbrushes that provide information on oral hygiene habits and thus, e.g., the risk of a disease of the oral cavity. Car insurers may provide their customers with a connected tachograph that records different parameters during the trip. Customers who drive safely are eligible to a discount. Another example: A number of insurance companies offer a program that – among other things – rewards customers for physical activities as proven by their fitness bracelet. From the insurers' perspective, IoT thus allows optimizing or even reducing risks to a certain extent. The customer, in turn, can influence the costs he incurs by behaving accordingly.

Solutions often insufficiently protected

Their often insufficient protection makes IoT solutions themselves attractive for abuse and a target of direct attacks. Therefore, it is crucial to not only consider aspects of data privacy but to also protect IoT solutions against manipulation. The devices used – their hardware and software – often lack security or the IoT solutions built on them do not adequately implement security. As IoT solutions are generally made available under high time and cost pressure, the technical possibilities to protect them are sometimes not fully exploited. Many times, the business attaches more importance to new features and usability than security due to the high innovation pressure. As a result, many of the current solutions can be attacked by using relatively simple tools. One example are fitness trackers that reward physical activities. An attacker may simulate a tracker on the Bluetooth interface or build his own app to generate fraudulent activities data.

Points of attack (attack vectors) on IoT solutions
Zoom
Points of attack (attack vectors) on IoT solutions

What measures do companies and organizations need to take to enhance the security of their IoT solutions and thus, for example, prevent fraud or at least make it less likely?

Updatable devices

IoT devices must be selected carefully by considering the related ecosystem and the specific security requirements. In practice, it has to be assumed that security at hardware level does not take top priority when standard IoT devices are used. One exception is specialized hardware to meet regulatory requirements – and which comes at a significantly higher price, making it unsuitable for many mass and end-user applications. Therefore, it also has to be assumed that hardware is not safe enough as a platform to implement the IoT solution and that security mechanisms need to be implemented in the software. For this reason, it is essential that the software on the IoT devices can be updated.

Identity of the device

Another important measure is to consistently assign a unique identity to each IoT device. IoT devices shall be authenticated the same way as users today are authenticated when logging in to a system. This makes sure that the system knows from which device exactly the data is sent at any time. Unauthenticated devices can be systematically excluded. In addition, it is possible to grant different access rights for different devices. For example, certain IoT devices are only granted write access. This means that they are allowed to provide but not to read data. Based on a tried and tested approach, access to data and services can thus be protected and controlled.

Secure communication

IoT devices typically communicate over short distance wireless technologies, such as Bluetooth, the GSM network, IoT-specific wide area wireless networks, such as LoRa, or regular Internet connections. In either case it has to be assumed that the communication connection is not per se secure. Therefore, when implementing the IoT solution it has to be made sure that end-to-end communication between the IoT devices and the central system is secure.

Secure servers

The security measures "out in the field" are only useful if a solution's server infrastructure is protected too. In addition to physical protection, this includes protection at network level and a reliable identity and access management. Depending on the use case, further measures, such as secure data storage (encryption), need to be implemented. Organizational measures must not be neglected either, for example regularly raising the awareness and training of the people responsible for operations.

Secure software engineering

Security always has to be taken seriously, even if the requirements of one's own application are rather low. There is always a risk of IoT devices being used as springboard or, as in the case of DDoS attacks, misused as agents. For this reason, all security mechanisms provided by the platform used (chip) should be considered in the development. For confidential data or data with high requirements in terms of quality/origin, a stable identity management, possibly supported by hardware, has to be implemented.

Monitoring and anomaly detection

Given the high degree of networking, heterogeneity and price pressure, it has to be assumed that the measures described so far are necessary, but not yet sufficient. Apart from that, there are always cases in which individual measures cannot be implemented. Therefore, it is advisable to put in place a monitoring system in order to detect security-relevant anomalies and enable providers to respond to them.

Awareness and standards

Even if the devices attacked are not damaged, providers of IoT solutions should pay attention to security. On the one hand, the provider's reputation may be damaged if his devices are used for attacks. On the other, attackers may get access to data by using such devices. End-users too should be aware of the fact that IoT devices may collect confidential data just like spies or may be used to attack third parties. There are ways to protect oneself: use secure passwords for IoT devices whenever possible, systematically disable any features and sensors not used, purchase devices of renowned and thus reliable manufacturers. However, in the long run binding security standards are mandatory for the secure use of IoT.

 

Ultimately, the same applies to the security of IoT solutions as for known use cases. Even if someone decides that he does not want to or, for cost reasons, cannot apply all the security mechanisms described, it is crucial to make this decision deliberately with the risk involved in mind. With such a focus, it is possible to develop an ideal solution in terms of risk, benefit and costs also for IoT-based business cases.