Internet of Things: More time for security in the era of innovation

A life in the smart home through connected devices

It’s 6:18 am, the smart light alarm clock gently brings its owner out of his slumber to start the day and the morning routine full of energy. Since the alarm clock is linked to various devices in the house via the Internet, the heater heats the bathroom to the desired temperature of 21 degrees at 6:20 am. The coffee is also ready on time at 6:35 am. Even the way to work is monitored by the smartphone app, reporting that a traffic jam may mean delays. When leaving the house, energy consumption is reduced as both the heating and lights are automatically turned off.

Devices that are equipped with an Internet connection and can communicate with each other make such a smart home possible. And the number of these devices is increasing year by year: The market researchers of the American IT consulting institute Gartner estimate that by 2020, around 20 billion networked devices will be used worldwide, both by private users and by companies. Known as the Internet of Things, the devices create a kind of global infrastructure for technologies that link together physical and virtual objects.

Introduction to the Internet of Things (IoT)

What does Internet of Things actually mean and how did it come about?

“The Internet of Things (IoT) is a network of physical objects that contain integrated technology to communicate and capture things, or to interact with their internal states or the external environment.” (Gartner)

Ten years after the invention of the World Wide Web, British technology pioneer Kevin Ashton coined the term “Internet of Things”. Ashton is considered the co-founder and developer of the so-called radio-frequency identification (RFID) technology. A device that is equipped with an RFID transponder receives its own “identity” and is able to receive and submit information – in other words, “communicate”. In 1999, Ashton first used the term Internet of Things in a presentation demonstrating RFID technology and its relationship and importance to logistics. RFID is therefore considered the basis of the Internet of Things.

The ultimate goal of the “Internet of Things” is to unite the real world with the virtual to make it more comfortable, efficient, economical and secure. For example, devices connected to the Internet are used in a variety of private, economic, but also scientific and political fields. American technology company Leverege, which specializes in IoT, divides the world of the Internet of Things into three categories:

  • Things that collect information and send it (to a server).
  • Things that receive information and act accordingly.
  • Things that can be assigned to both category 1 and 2.

How does an IoT system work?

The applications of the Internet of Things are diverse and extend across a wide range of industries – but building an IoT system always consists of the same four components:

1. Sensors/Devices
An important part of the Internet of Things is data. Accordingly, sensors or devices are necessary, which as a first step collect data from their environment. These can be as simple as a temperature measurement or as complex as a full video transmission.

2. Connectivity
In order to send or exchange the collected data, a connection from a sensor to a server or to the cloud is required. The devices can, for example, be connected to the cloud via mobile, Wi-Fi, Bluetooth or satellite.

3. Data processing
In order to process the sent data for information, a server is needed which connects to the device and “communicates”. Processing takes place in most cases via the cloud.

4. User interface
The information collected must be made useful to the user in some way or displayed and made accessible. Therefore, an interface is required that outputs the information, for example, via notification by text, voice or sound. Depending on the IoT application, the user can also perform an action and influence the system, or the system automatically executes actions through predefined rules.

Why is the cloud so important to the Internet of Things?

The progress of cloud technology has a significant impact on the evolution of IoT systems, because the devices are not only used for private purposes but are also becoming increasingly prevalent in industry. In such applications, hundreds of sensors and devices can quickly be in use. However, this creates a large amount of data that can only be processed with the help of immense computing power.

Cloud technology is suited to these purposes, because it consists of a large network with powerful servers. The computing power of the cloud and the resulting capabilities, such as Artificial Intelligence (AI) and Machine Learning (ML), allow the data mass generated by IoT systems to be used intelligently. The system makes “smart” decisions and is also fully scalable. So, instead of having a fixed server that has limited performance, more computing power can easily and quickly be freed up for the “communication” of the Internet of Things in a cloud system.

What is the difference between IoT and IIoT?

While in everyday life we associate IoT with networked vacuum cleaners, intelligent lamps and digital heaters, the Internet of Things is also used in the production environment: The Industrial Internet of Things (IIoT) is, so to speak, the industrial expansion of the Internet of Things. IIoT is what makes Industry 4.0 possible in the first place. There are not two or three sensors in an industrial hall, but one hundred, two hundred or even thousands. The evaluation of this data makes it possible, for example, to detect irregularities in real time and to solve any problems that might occur, automatically and without delay.

However, IIoT is not only used in production, because order and dispatch processes can also be optimized by smart devices. Stock about to run out? A sensor records the current inventory and informs the purchasing department. Parcel courier stuck in traffic? Thanks to GPS, the recipient receives a push message directly explaining that his package will be slightly delayed. A smart production facility is particularly interesting when maintenance can be optimized. Routine checks are no longer necessary if the entire system is monitored by intelligent devices. An efficient and cost-effective solution for businesses – but what about the security of such networks?

Does IoT pose a cybersecurity risk to businesses?

Any device that has a computer chip and network connection is potentially vulnerable to hacking. This begins with a light bulb and ends with the takeover of a nuclear power plant. In August 2019, the FBI commented on this topic: “Routers, wireless radios links, time clocks, audio / video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices could be hijacked for their computing power.”

With inadequately secured connections, IoT devices are increasingly becoming the target of cybercriminals who, for example, use the processing power of sensors to create huge botnets. The malware Mirai infected more than 600,000 IoT devices in 2016 and successfully attacked several companies via DDoS attacks. Victims included American global companies like Netflix and Amazon, whose services were no longer usable for some time. In addition to the loss of service, such attacks often result in high loss of revenue and damage to the image of the company affected. Sending spam emails, hiding network traffic or generating ad-click fraud is also possible through the unauthorized takeover of IoT networks. Most importantly, cybercriminals are looking for data: The basis of the Internet of Things is the exchange and gathering of information from and about its users. Passwords and account access credentials, as well as details about daily user behavior, are of interest to hackers who can use this information for their own purposes, obtaining it easily and quickly if the network is not adequately secured.

Why are IoT hacks already a real danger?

Currently, the number of networked devices is estimated at about 7.5 – 15 billion. In the next 5 to 10 years, the number is expected to increase to around 75 – 125 billion. Alexa and Google Home alone can be found in every fourth American household.

Big technology companies like Google and Amazon are of course eager to protect their devices from attacks. That’s why they invest huge budgets in their IT security. However, a large proportion of companies pay little attention to cybersecurity, because due to the high pressure to innovate, the main focus is on developing new devices in order to expand the product portfolio and increase sales. According to a recent security survey, some 950 of the companies surveyed invested around 13% of their IoT budgets in the security of their product or service development. Fewer than three out of five (59%) companies encrypt all data they collect or store on IoT devices.

Lack of security interest shown by companies and users

87% of all successful attacks on IoT devices are due to software which is not up to date, weak passwords, or a combination of both (Jason Sattler, 4/1/2019). Responsibility lies, on the one hand, with the companies, and on the other hand, with the users themselves. For example, many companies deliver their devices with a default password (e.g.: user: admin / password: password). If the user does not change or cannot change the login details, it is easy for cybercriminals to hack a variety of devices with a simple script.

The situation is similar with software: on the one hand, the user is obliged to regularly install updates in order to close security gaps. On the other hand, there are companies that, at worst, develop devices that are not updatable. Often older devices simply no longer receive updates. The user is ultimately the victim. Other attack surfaces include open ports and USB ports, SQL injection, insecure web interfaces, buffer overflow, network device fuzzing and cross-site scripting (XSS). The focus is on the development of new and innovative devices, but not their security. Many technologies are simply too cheap to cover the costs of IT security.

Internet of Things without legal security standards

The system behind a “smart device” is very different from that of a computer: A computer's structure and operation are much more complex than, for example, those of a light bulb. In addition, a computer has much more processing power. Accordingly, there are many ways to protect the system of a computer from unauthorized access. But how do you protect a smart light bulb? Smart home appliances or networked machines have low computational power because they are often just small sensors connected to external servers. A script consisting of just a few KB therefore runs on the devices. The possibilities for a backup are therefore limited.

The market of the Internet of Things is still quite new, demand is growing steadily and the industry is therefore fast-paced. Many manufacturers often lack the necessary expertise to protect the devices from possible cyber attacks, but time is also a factor to which security falls victim: Companies are under great pressure to bring new and innovative products to market faster than the competition. As a result, cybercriminals can develop new ways to gain access to devices faster than it takes to secure them. Another challenge for the growing Industrial Internet of Things market is that there are no legal production standards for companies. Hackers are aware of this lack of such standards and see IoT devices as easy targets. In addition, hackers can establish a broad reach with minimal effort through the growing number of smart gadgets.

But where there is no plaintiff, there is no judge: There are currently no laws or established security standards regarding the form in which IoT and IIoT must be protected. This leads to disorientation for both the manufacturer and the buyer alike, because both ask the same questions: Is the device secured well enough? And: How well is the device protected compared to other devices?

Foundations for a secure Internet of Things

The most important measure for more security in the IoT and IIoT domain is to make the manufacturers of smart products responsible. In view of the increasing risk, the British Government, in cooperation with the European Committee for Standardization, the European Telecommunications Standards Institute and the Cybersecurity Tech Accord, published a document in February this year entitled ETSI TS 103 645. An essential element of the 16-page document is provided by 13 paragraphs or arrangements addressed to companies that should serve as a guide to IoT consumer safety in the manufacture of smart devices. These include the following items:

 

1. No universal default passwords

2. Implement a vulnerability detection tool

3. Implement regular software updates

4. Ensure secure storage of access data and sensitive information

5. Enable secure communication (encryption)

6. Reduce exposed attack surfaces

7. Ensure software integrity

8. Ensure protection of personal data

9. Ensure fail-safe design of systems

10. Monitor system telemetry data

11. Make it easier for consumers to delete personal data

12. Ensure easy installation and maintenance of equipment

13. Ensure validation of data entry

 

However, the paragraphs are only “suggestions” and are not yet mandatory – they could at least serve as the basis for an IoT certification process.
In addition, new tools such as “AutoSploit” enable potential security vulnerabilities to be found already during production. Thanks to artificial intelligence, the tool performs fully automatic searches for code errors that could lead to cyberattacks (Dan Mosca, 2018). The following continues to apply in the IT industry: Secure by Design.

How do I protect my company from IIoT attacks?

As things currently stand, as a user, whether privately or at work, you cannot assume that networked devices are secure. In the area of digitization, many companies use the Internet of Things as part of their digital transformation. To do this, they are connecting a growing number and variety of IoT devices to the corporate network. These interact or communicate with other valuable IT resources and often process sensitive information. Precisely for this reason, companies must take precautions to ensure IT security, to protect access and data, but without losing touch with the digital future at the same time.

Cyber risk analysis
Before an IoT system is introduced, cyber risk should be analyzed and integrated into the company’s risk management. Assessing security for all planned IoT services and products is essential. In addition, regular reviews and certificates from IoT services provide customers with qualified proof that companies and manufacturers protect personal data well and process it transparently for users.

Regular inspection by a responsible person
During operation, there must be regular checks on the security of networked devices. For this reason, it is important to appoint a responsible person who guarantees security in the long term. This person must regularly check whether all updates have been installed, when the last update was made available, and which hacks have appeared on the Internet and could possibly pose a threat to the company’s system. Tools like Shodan check whether devices from their own network are visible on the “free” Internet.
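
The update checks described above (installed versus available version, date of the vendor's last release) can be run automatically against a device inventory, together with the default-password and open-port points made elsewhere in this article. The following Python code is an added example, not part of the original article; the inventory fields, device names, the 365-day threshold and the allowed-port list are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy values (assumptions, not taken from the article).
MAX_VENDOR_SILENCE_DAYS = 365    # no vendor release for longer: treat updates as stale
ALLOWED_PORTS = {443, 8883}      # HTTPS and MQTT over TLS

@dataclass
class Device:
    name: str
    installed_fw: str
    latest_fw: str                # newest version the vendor has published
    latest_fw_released: date      # when that version was made available
    default_password_changed: bool
    open_ports: frozenset

def parse_version(version):
    # Compare numerically: as plain strings, "2.0.10" would sort before "2.0.9".
    return tuple(int(part) for part in version.split("."))

def audit(device, today):
    """Return the list of findings for one device (empty list = nothing to do)."""
    findings = []
    if parse_version(device.installed_fw) < parse_version(device.latest_fw):
        findings.append("update-missing")
    if (today - device.latest_fw_released).days > MAX_VENDOR_SILENCE_DAYS:
        findings.append("vendor-updates-stale")
    if not device.default_password_changed:
        findings.append("default-password")
    extra = sorted(device.open_ports - ALLOWED_PORTS)
    if extra:
        findings.append("unneeded-ports:" + ",".join(map(str, extra)))
    return findings

def audit_inventory(inventory, today):
    """Map device name -> findings, listing only devices that need attention."""
    return {d.name: f for d in inventory if (f := audit(d, today))}

# Constructed sample inventory for illustration.
INVENTORY = [
    Device("hall-temp-sensor-01", "1.4.2", "1.4.2", date(2019, 6, 3), True,
           frozenset({8883})),
    Device("ip-camera-dock", "2.0.9", "2.0.10", date(2019, 8, 20), False,
           frozenset({23, 80, 443})),
    Device("badge-time-clock", "3.1.0", "3.1.0", date(2017, 2, 11), True,
           frozenset({443})),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2019, 10, 1)).items():
        print(f"{name}: {', '.join(findings)}")
```

A device that is fully patched can still be flagged: the time clock in the sample runs the newest firmware, but its vendor has published nothing for over a year, which is the "older devices no longer receive updates" case.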

How do I as a private person protect myself from a hack of my smart home?

Even for private end users, there is currently no quality seal as a guide for comparing the IT security of IoT devices. Therefore, the buyer himself must take security precautions. The following tips should be followed to increase the security of your IoT systems:

  • Only buy devices that you can update
  • Regularly install software updates
  • Change the default password of a device immediately after commissioning
  • Passwords for all IoT devices in the house should be different
  • If possible, periodically scan all devices and the network for viruses
  • Limit the access of associated apps to a minimum
  • Keep up to date on recent cyberattacks
  • Close ports in the network not currently required
  • Avoid IoT systems with a technically outdated web interface
  • Data should be encrypted via SSL / TLS

Some of these tips require some technical know-how. However, you can already increase security with little effort: Up-to-date software and secure credentials are the most basic recommendations to prevent your IoT system from being hacked.

Conclusion: Maintain progress and guarantee security

The possibilities offered by the Internet of Things are incredibly broad. Although IoT devices have already arrived in everyday life, we are only just scratching the surface of huge technical progress. Although innovation is a top priority among market participants, protection of IoT technologies should never be overlooked, as reported incidents have made very clear. In times of current and ever increasing cybercrime, security may be something that provides a competitive advantage over rivals and helps increase customer acquisition.