The Internet of Things (IoT) is getting on in the world. Home fridges have better communication skills than some people, and high-tech virtual home assistants can order your favorite sushi set for dinner, turn off the lights in the basement, start the car and purchase stacks of cookies. However, the Internet of Things technologies has a huge skeleton in the closet.
Manufacturers of mobile devices and sensors lack uniform security standards and a system of checks and balances which makes the entire system of connected things an easy target for hackers and cybercriminals. Both data and functional capabilities can fall victim to intruders and hence require an adequate level of protection.
Feeling insecure?
Let’s analyze how the Internet of Things operates. Its devices establish connections between each other; the data from them flows to the server infrastructure; the infrastructure processes obtained information and dispatches certain commands to devices and people. For this process to develop smoothly, we need protocols, which help solve these tasks. There is a myriad of these protocols available and they are used for different purposes, such as service quality, addressing, operation message exchange, etc. (AMQP, DDS, XMPP, MQTT, etc.).
As of now, no uniform protocols have been developed. Devices vary drastically in their characteristics and functionalities, thus making the process of creating a single protocol a complicated task which may be close to impossible.
The possible solution to the problem may consist of classifying devices according to industry features, the grouping of similar devices and detection of common features. If we approach the problem from another perspective, as did Intel, you don’t have to pay attention to the protocol as such. Instead, the company has been developing the IoT platform, which can connect basically any device to a common network via a gateway. The important factor here is that it will be concentrated on a secure connection to the network, i. e. the device will be checked in advance.
Smart ≠ Secure
For Internet of Things devices, IoT security solutions consist first of all in the code integrity, user (device) authentication, checking user rights as well as the possibility to withstand virtual and physical attacks. However, as the case may be, most of the IoT devices currently in use are not provided with security features, they have management interfaces accessible from the outside, default passwords, i. e. they have all the characteristics of web vulnerability.
Everybody remembers recent events when the Mirai botnet hacked a large number of CCTV cameras and routers by guessing default logins and passwords. These were subsequently used for a massive DDoS attack on provider networks of the UK Postal Office, Deutsche Telekom, TalkTalk, KCOM and Eircom. As it happened, the “bootforce” of IoT devices was carried out with the help of Telnet, and routers were hacked via port 7547 using the TR-064 and TR-069 protocols.
Nonetheless, the most massive public outcry was sparked by an attack which brought down DYN’s DNS operator and almost half of the American internet with it. For the attack, the botnet used the easiest way via default logins and passwords of devices.
These events clearly demonstrated security flaws in IoT systems and the vulnerability of many “smart” devices. For sure, failures in the operation of smartwatches or fitness trackers will do little harm, except for their owners’ disappointment. However, hacking into IoT devices within M2M systems and services, in particular, those integrated into the critical infrastructure, can entail unpredictable consequences. In this case, their security level should comply with the role of this or that infrastructure (transport, energy or others) which can have a significant impact on people’s lives and the operation of the economy. The same can be applied to a more consumer level: failures and attacks on the renowned “smart home” can lead to alarming and dangerous situations on a local scale.
Who’s to blame?
As a rule, the lack of technical knowledge or inconsistency on the part of developers are not the only ones to blame when it comes to the existing issues with the security of IoT devices. We see a purely economic approach here: the faster your device enters the market, the more advantages you have in comparison to your competitors, although it may be only for a short period of time, due to a low protection threshold.
Most manufacturers do not bother to spend time and money to develop and test codes and security systems of their smart products.
Blockchain savior
The security of IoT solutions became one of the first areas where blockchain technology was introduced. Thanks to the distributed ledger technology, it became possible to provide a high level of security for IoT devices connected to the network. It helps eliminate existing restrictions and risks for the IoT related to centralization.
It allows you to quickly and safely save exchange protocols and results of the interaction of various IoT devices in a decentralized system. It is the blockchain distributed architecture that guarantees a sufficiently high level of security in the entire IoT system. But if some network devices can still be hacked, this will not affect the overall performance of the system. The distributed type of trust relationships allows you to get rid of the hacked device without substantial damage to the entire model of interaction between “healthy” objects.
Today, in the context of security, blockchain can be used in numerous spheres where the Internet of Things opportunities are developing most intensely. For example, these are authentication management, performance inspection of different services, ensuring the indivisibility of information and others.
It is worth noting that in January 2017, the American DHS began using blockchain technology to protect, transfer and store data collected by the agency from surveillance cameras and various monitoring sensors. The technology is also being tested by the DARPA, a division of the US Department of Defense that oversees the development of new technologies for the army. In addition, one of the agencies leading the research under the umbrella of the Pentagon has signed a multi-million dollar contract with the software company Galois, which is engaged in the development field of security based on blockchain.
5G knocking on the door
The urgency of the problem is underlined by epic incidents. Industroyer, BrickerBot, Mirai – they are just the tip of the iceberg, but what does the future have in stock for us?
The 5G era has finally arrived. Both the United States and South Korea claim they have won the race to launch the first commercial next-generation mobile network, with other countries trying to keep up with this technology race. We think the adoption rate and the pace at which coverage will grow will be even faster than we have witnessed in the past.
Initially, the 5G technology has been presented as a solution for connecting things rather than people to the internet.
Imagine the scenario where a 5G network could be potentially flooded with data and it just fails to function. Like, for example, train signals. They are not going to allow trains to run unless they are going to run safely, so train stations are potentially closing. Traffic lights and communication systems that the transportation sector uses rely on transferring real-time information from one place to another.
If attackers have access to that information then they could alter it really easily.
But as we are seeing more autonomous vehicles, they will become dependent on 5G networks. Self-driving cars rely on hundreds of sensors. So if you bombard a self-driving car with a lot of information then you might see the safety feature to kick in. Cars just won’t start. They’ll become a hunk of metal.
Power, gas, water. They’re all going to become increasingly dependent on smart measuring devices. Hands down, all of them will be connected via 5G.
If they start to get conflicting or confusing results, they will probably play safe and shut down. Potentially we’re getting to the situation when it happens widely enough, then imagine this happening to an individual power station. How many power stations do you need to go down for the grid to start being affected? Not very many as it happens.
The same does not apply to Internet-connected devices. It’s really left the door wide open for bad actors, bad practice and people being careless with developing devices.
What does the ISO say?
The International Organization for Standardization (ISO) considers cybercrime one of the most serious threats to businesses worldwide. Industry experts believe that by 2021, annual losses due to cybercrime could rise to $ 6 trillion.
The ISO has developed a new security standard for the industrial IoT, containing recommendations for encryption and authentication.
The document supplements the existing standard on machinery safety: ISO 12100 “Safety of machinery – General principles for design – Risk assessment and risk reduction”. The purpose of the new standard is to review the safety aspects of equipment that may be affected by cyber-attacks related to direct or remote access and manipulation of safety-related management systems for deliberate misuse (unintended use).
Evil never sleeps
The Internet of Things, just like any fast-evolving technology, is experiencing a number of “growing pains”, among which the most serious is the problem of security. The more “smart” devices are connecting to the network, the higher the risks associated with unauthorized access to the IoT system and the use of its capabilities by attackers. Today, the efforts of many IT companies and organizations are aimed at finding solutions that will minimize the threats hindering the full implementation of the IoT.
Of course, the issue of security should be primarily addressed by software vendors, but users always hold the right of self-defense. In any case, vendors need to think seriously about how they can prevent data leakage from devices and what new methods of protection they can offer to consumers, otherwise, the numerous vulnerabilities inherent in devices will lead to large-scale development of cybercrime.