Office Time: Mon - Fri (1:00 am to 4:00)

Security Blog

IOT: CONNECTED BUT NOT PROTECTED?

Connecting countless physical objects to the digital world, the IoT is rapidly transforming every aspect of how society works and lives. At the same time, many security leaders recognize that IoT solutions complicate security management. Here’s a look at how businesses are using IoT to drive results and the key risks and threats accompanying those benefits. Businesses are transforming entire industries by integrating IoT devices with applications. A growing number are embracing opportunities to create intelligent tools and interconnected systems or services. The payoffs include faster and better data analysis, decision making and business processes. But just as the potential payoffs are great, so are the risks.

While the IoT can deliver tremendous benefits, introducing these new devices also raises the degree of complexity by increasing communication channels between the different nodes while increasing volumes of data to interpret, secure and support. To put it more concretely, imagine another 10,000 vehicles joining your metropolitan traffic jam tomorrow morning. That’s why IoT solutions are viable only when there is effective machine-to-machine (M2M) communication and real-time M2M communication over the Internet. Protocols for communication via the Internet have always brought a tradeoff between reliability and speed. In anticipation of the IoT era, major changes in protocol development have happened in the application layer of the Open Systems Interconnection (OSI) model. This layer specifies interface methods in a communication network for how a system connects to the server and how this layer chooses to send data.

The most popular protocol for communication over the Internet is HTTP. An IoT device can simply be an HTTP client that periodically uploads data (JSON object) to a cloud-based web server. In most cases, the IoT device itself exposes a web application, thus enabling data browsing and device controlling. Another potential IoT protocol is CoAP (HTTP over UDP), which is a web transfer protocol based on the REST model. It is used for lightweight M2M communication owing to its small header size. One of the more interesting features of this protocol is the web service’s ability to discover nodes within a network. This capability is especially useful when designing low-power wireless sensor networks that are autonomous and self-healing.

Many IoT devices also support protocols such as SSH and Telnet for internal use. Not all vendors restrict inbound management access from external networks to secure communication. A huge subset of IoT devices are smart sensors or low-power devices communicating over the MQTT protocol. Based on the TCP/IP stack, which uses the publish/subscribe method for data transportation, MQTT consists of two categories of participating devices: brokers and clients. Clients are devices that can access or modify data while brokers are those that host and relay data. They communicate via the publish/subscribe method. MQTT supports asynchronous connection of subscribers within an existing network of clients and brokers. It also provides a facility to check for redundancy and data loss.

A few IoT Threats

Experts are predicting that the IoT will surpass anything we have seen both in terms of market size and the exploding quantity of smart devices. Should these devices and their supporting ecosystem fail, consequences could vary from a simple annoyance (e.g., a service disruption) to something significantly worse (e.g., a security breach targeting personally identifiable information or leakage of top-secret and highly valuable data). The most common IoT threats include:

Unauthorised operations – performing unauthorized operations on the device and/or using it maliciously to perform unauthorized operations on the backend server. Actors can do so by using the device application protocol interface (API) or by exploiting the lack of security mechanisms that could lead to changing states, locking/unlocking devices and even admin operations.

Exposure of data – lacking an encryption procedure or using weak encryption to locally store the device data. Alternatively, privacy breach and sensitive data leakage can occur during the communication between the devices and the server/endpoint/app.

Lateral movement – hacking into the “closed” server (which is otherwise inaccessible) by serving as a malicious device with access to the server. The attacker gains an ability to “move around” inside the network in order to disclose sensitive information or perform malicious actions.

Client impersonation – connecting to the device/server from a malicious, fake endpoint/device with intent to attack the device/server. If attackers compromise a client and impersonate it, they could perform unauthorized actions or produce incorrect data. In some cases, an attacker might be able to disclose sensitive information by impersonating a legitimate client.