Seven Principles for Stronger IoT Security – Part 2

Bill McBeath Bill McBeath
June 1, 2018 IoT & Automation

Ready to learn Internet of Things? Browse  IoT Training and Certification courses developed by industry thought leaders and Experfy in Harvard Innovation Lab.

Indirect vs. Direct Attacks Involving IoT Devices

It’s important to differentiate between two types of attacks on IoT devices: 1) indirect attacks vs. 2) direct attacks. In ‘type 1’ indirect attacks, the goal of compromising IoT devices is to use them to conduct cyberattacks against other external targets. In ‘type 2’ direct attacks, the goal is to conduct some sort of ‘local malfeasance’ right there at the device itself—such as to cause some malfunction or physical damage to the machine/environment that the device is embedded in, or steal data from the machine, or surveil the environment, or gain entrance to the facility, or perpetrate other types of misconduct right there at the device or its immediate vicinity.1

A high profile example of a ‘type 1’ indirect attack was the DDoS (Distributed Denial of Service) attack against Dyn (a major DNS service provider) in October 2016. This attack exploited security weaknesses in tens of millions of IoT devices to create a botnet generating over 1 TB/second of traffic directed at overwhelming Dyn. This made dozens of major internet sites (e.g. Amazon, Twitter, Netflix) and other internet services unavailable to users across large areas of North America and Europe.  

                                                                                                                           
Source: Hacker News
Figure 1 – Outage Map, October 2016 DDoS Attack on Dyn, Originating from Compromised IoT Devices 

Lack of Market Incentives for Strong Security

Unfortunately, the market rewards time-to-market and lower prices over robust security for many classes of IoT devices, especially for the low-end devices that are commonly hijacked for use in creating a cyber-attack such as IP cameras, home automation systems, home gateways, connected printers, baby monitors, and so forth. The owners of the devices may never even know that they were used for an attack, as the device keeps functioning normally for them. The manufacturers of the compromised devices may, in high profile cases, get mentioned in the press; but so far that ‘shaming’ has not had a big impact on consumers’ decision-making process in selecting devices. One idea is government mandates; in the same way that airbags and seatbelts are mandated in all vehicles, some sort of minimum default security might be required.

‘Type 2’ direct attacks, where the goal is access to the IoT device (and by extension the sensors, machines, and environment that the device is connected to), have the potential to be even more destructive and disruptive. Criminals, terrorists, and malicious foreign governments may seek to hack into an internet-connected lock/home security system to rob or kidnap someone, hack into a car for theft or to remotely kill someone (e.g. by disabling the brakes),2 hack an airplane to crash it, or hack a traffic light system or power system to wreak havoc and hold a city or region hostage. In theory, this should create a much higher motivation to make these devices secure. However, we’ve seen from the track record of non-IoT cybersecurity that too often the same lack of resources or attention occurs, even for high-value targets. Thereby, successful cyberattacks are still very common. 

Seven Principles for Stronger Security

The IoT Security Imperative asserts that manufacturers and deployers of IoT devices and systems (especially potential targets for direct attacks) have a moral obligation to vigorously and comprehensively address security. The following seven principles can serve as guideposts to enable stronger IoT security:

  • Multi-layered approach
  • Security designed in from the start
  • Security for legacy and limited resource devices
  • Granular and scalable security
  • Protect against social engineering and insider malfeasance
  • Encourage robust, independent security testing
  • Prioritize security investments

To learn more about these seven principles, please see 7 Principles for Stronger IoT Security. You may scroll down to the middle of that page to see details of the seven principles. You will also find valuable additional IoT-security-related resources at the bottom of that article.

________________________________________________________________________________

1 In either case (type 1 or type 2), the perpetrator usually tries to evade detection until their goals of the attack have been accomplished. In more sophisticated cases, they may make efforts to ‘clean up’ and remove any trail left after a successful attack, to avoid being pursued and so that they can continue to take advantage of the same vulnerabilities again later. 

2 There have already been plenty of successful white hat hacks into cars, for example remotely disabling the brakes on a Corvette, killing the engine and/or brakes on a Jeep Cherokee, accelerating and braking against the driver’s will on a big rig tractor trailer, and more. 


 

  • Experfy Insights

    Top articles, research, podcasts, webinars and more delivered to you monthly.

  • Bill McBeath

    Tags
    Internet of Things
    Leave a Comment
    Next Post
    Making The Connection Between IoT And Big Data

    Making The Connection Between IoT And Big Data

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    More in IoT & Automation
    IoT & Automation
    Could the IoT Help End Hunger? Farmers Are Finding Out

    Internet of Things (IoT) gadgets are everywhere. Cars, buildings, roadways, airplanes, home appliances, and other items have tens of billions of sensors, processors, and internet-connected gadgets. IoT devices detect motion, regulate temperature, share and collect data, measure weather, and provide location information, power logistics, and medical research. They also enable self-driving vehicles, to name just

    5 MINUTES READ Continue Reading »
    IoT & Automation
    10 Biggest Opportunities for IoT Innovation in 2021

    IoT is a powerful economic driver. IoT Innovation is actively shaping businesses and consumer trends. Most of the technologies developed before and during the pandemic address the Internet of Things directly or indirectly. From healthcare and retail to automobile and manufacturing, IoT innovations are opening new avenues across industries.  It covers almost every segment of

    8 MINUTES READ Continue Reading »
    IoT & Automation
    10 Things to Consider When Starting an IoT Project

    One of the biggest issues companies face when starting an IoT project is deciding who should be responsible. Should it be the engineering team that is responsible for the core technicalities of the device, or should it be the product management team that is responsible for the end functionalities of the IoT product? Starting on

    8 MINUTES READ Continue Reading »

    About Us

    Incubated in Harvard Innovation Lab, Experfy specializes in pipelining and deploying the world's best AI and engineering talent at breakneck speed, with exceptional focus on quality and compliance. Enterprises and governments also leverage our award-winning SaaS platform to build their own customized future of work solutions such as talent clouds.

    Join Us At

    Contact Us

    1700 West Park Drive, Suite 190
    Westborough, MA 01581

    Email: support@experfy.com

    Toll Free: (844) EXPERFY or
    (844) 397-3739

    © 2023, Experfy Inc. All rights reserved.