Advanced IoT security risks

The incorporation of the internet of things (IoT) devices into our personal and business lives has brought about a whole new set of challenges.  Understanding the potential risks associated with this technology is vital in preventing the convenience of these devices to becoming an Achilles heel to the network.   Oracevic, Dilek, & Ozdemir (2017) explained that IoT devices lacking correct configuration are capable of becoming the pathway into the system for a malicious actor.

Maintaining communications privacy can be particularly tricky on IoT devices.  Encryption has typically been the focus of enterprise communications for protecting privacy and was not the normal practice for lower power, lower resource embedded systems.  If they did include encryption, it was limited to the extent that it did not degrade system performance.  Leveraging hardware encryption via a trusted platform module allows for the opportunity to gain better encryption without impacting the performance of the system.  Also leveraging elliptical curve cryptography can increase the efficiency of the encryption while providing a robust solution.

Encryption is not the only challenge when working with IoT devices.  Gaona-Garcia, Montenegro-Marin, Prieto, & Nieto (2017)  suggested that other major issues with the security posture of  IoT devices is a lack of secuity software, insecure web interfaces, and insufficient authorization.  Of the three mentioned, one of the most significant threats to the IoT devices is an insecure web interface.  As part of the insecure web interface we include the lack of being able to change web interface admin passwords.  For instance, the Mirai Botnet used to execute the Distributed Denial of Service (DDOS) agains Dyn grew to over one million devices.  This growth resulted from the attacker using default admin credentials to gain command and control of the IoT devices.  Ensuring that the web interface requires a secure connection and there is proper authorization to access the device is paramount to protecting against the IoT devices becoming the window into the rest of the network.

As with any IT system, securing the IoT devices completely is not possible.  Taking the necessary steps to implement controls such as changing default usernames and passwords, enabling HTTPS, and implement encryption is a good step towards protecting the edge of your network.  Likewise, developers should recognize the limitations of the hardware and develop as much security into the product at the time of development.  This will reduce the potential impacts of adding security as a secondary effort.

References

Gaona-García, P., Montenegro-Marin, C., D, P. J., & Nieto, Y. V. (2017). Analysis of Security Mechanisms Based on Clusters IoT Environments. International Journal of Interactive Multimedia and Artificial Intelligence, 4(3). Retrieved from https://pdfs.semanticscholar.org/a5a8/6db01e6b2b291bb07fd43435d3a4a36c4ac0.pdf

Oracevic, A., Dilek, S., & Ozdemir, S. (2017). Security in internet of things: A survey. 2017 International Symposium on Networks, Computers and Communications (ISNCC). doi:10.1109/isncc.2017.8072001

Spread the word. Share this post!

Leave Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.