Top 10 Most Common IoT Security Issues of 2019

There’s no denying that the Internet of Things (IoT) has expanded and improved technology. Not only does it help businesses gauge customer satisfaction, medical professionals gain a more accurate read on patient symptoms, or a runner track how many calories she burns as she improves her mile time, but it has also led professionals across a range of industries to innovate in ways that can’t compare to previous years.

With this more interconnected form of technology, however, comes more responsibility and a greater need to keep security strong. When it comes to maintaining safety precautions for your company, you’ll want to have a clear idea of what the issues are concerning the IoT.

How far has IoT come?

While a Coca-Cola machine at Carnegie Mellon University was one of the first machines to use the Internet of Things in the 1980s, the technology has come a long way since then. People with connected devices have access to a lot more than being able to tell if a soda machine has their carbonated drink of choice. Apple watches can track all sorts of health statistics, pacemakers allow doctors a more detailed study of patients’ hearts, and cars can become hot spots with real-time GPS and music streaming from your cell phone, just to name a few.

To give you an idea of how much the IoT has changed in the past 10 years, in 2009, there were about 900 million connected things in the world. By 2020, that number will be closer to 20 billion.

Whether you’re just introducing this helpful and nuanced technology to your industry, or you've had it in use and are concerned about where it’s headed, we’ve compiled a list of what to keep in mind as the technology changes.

1. Inadequate device updates

As with any newer or constantly changing area of technology, security updates and patches are necessary but difficult to install. Why? There is not yet a standardized method of implementing such software updates.

There are vulnerabilities in any form of software. Think about how often your phone and computers notify you that you must install the latest updates. The purpose is to remove bugs that can create defects in the software, as well as to ensure that your devices have the latest security installed.

You might notice that the more consistently you update your phone or laptop, the less likely those devices are to be victims of malware attacks. Now imagine all your connected devices. It’s not as easy as hitting the update button and waiting for your phone or laptop to restart.

Though engineers are working to develop a standardized method of firmware updates to work across the entire Internet of Things, it is still a work in progress, and the IoT network security issues that exist today can make you more susceptible to malware attacks.

For the embedded systems developer working on IoT products, the development of quality firmware and a process to implement it is important. Agility and speed are also important. With Total Phase products, developers can increase velocity without sacrificing quality. For an introduction to the benefits of our USB development tools, see our Shorten Time to Market with Affordable USB Development Tools article.

2. Inadequate device testing

Not only do devices need to be tested, but so too do the networks they run on and the infrastructures they are built on. Weak network infrastructures and inconsistent internet connections negatively impact how efficiently and effectively smart devices work.

Because of unstable network infrastructure, inconsistencies in internet connectivity and an overabundance of IoT platforms, device testing can get really tricky. Software is what keeps IoT technology running effectively, but each device that the IoT is connected to has its own hardware. Further, there is even more variation because different operating systems and firmware exist.

Changing passwords, enforcing IoT protocols, and creating testing strategies that work across a variety of platforms are critical.

The sheer number of combinations of hardware and software platforms makes it virtually impossible to test the communication and connectivity of all of the combinations. Analyzing the information from your end-users, however, will give you a better idea of which combinations are the most common, and you can start at least by testing those.

Total Phase products enable developers and QA teams to improve their testing of IoT devices. For example, the Aardvark I2C/SPI Host Adapter enables engineers to interface with an embedded system using I2C and SPI via USB connection. Similarly, the Beagle I2C/SPI Protocol Analyzer enables debugging of I2C, SPI, or MDIO based embedded systems.

For a crash course on testing embedded systems like those found in IoT, review our Benchtop Testing for Embedded Systems Guide.

3. Authenticating passwords on devices

IoT security issues can be avoided if devices require users to engage in best practices. Engineers can help encourage users to secure their devices in a number of ways. For example, forcing a change of default password on the first login eliminates low-hanging fruit for attackers. Similarly, one-time passwords (OTP) can mitigate risk. With OTP, the potential damage from a hacker learning a password at any given time is limited due to the fact that a password cannot be reused. For M2M (machine to machine) communication using protocols like MQTT, certificate-based authentication helps ensure only trusted devices can communicate.

4. Malware attacks

IoT has become a popular target for hackers. Case in point: Silex malware was able to infect so many IoT devices in large part thanks to easy-to-guess passwords. IoT engineers can mitigate risk to their users by enforcing strong authentication policies and encryption protocols (we can't stress this enough: changing default passwords is important). Types of malware attacks to be aware of with IoT include mining of cryptocurrency, router and storage device infections, and distributed denial of service (DDoS).

5. Implementing data privacy

Legislation like GDPR (General Data Protection Regulation) makes data privacy more important than ever. Not only do IoT engineers have an ethical obligation to keep data private, but regulations like GDPR also make doing so a legal requirement. IEEE calls out a number of questions to ask to help tackle data privacy in IoT, including:

  • What personal data does your IoT device collect?
  • Where and how does your device store that data?
  • Who has access to the data?
  • What is it used for?
  • How long will it be stored?
  • How will individuals be notified if their data is leaked?

While capturing data is a big part of IoT, anonymizing personally identifiable information (PII), using strong encryption, and only keeping relevant PII for a reasonable amount of time are important parts of secure and responsible IoT development.

6. Data security and privacy

The challenges surrounding PII lead us to this point. How do you keep data secure and private from an engineering perspective? Collecting PII only when necessary is a start. Only using secure data transport methods like HTTPS or SSH to send data across a network is another important step. Keeping encryption protocols up to date for data at rest (and in transit) is important as well. Today that means not using algorithms and protocols like DES or SSL v3.0 and instead using ones like SHA-256 and TLS 1.2. Similarly, using the principle of least privilege to give users access only to the data they must have limits the potential for unintended exposure of PII.

Common IoT Security Issues of 2019. Image Courtesy of Pixabay

7. Insecure communication

Insecure network communication using cleartext protocols makes IoT devices much easier to hack. Therefore, cleartext protocols must be avoided at all costs. Using a cleartext protocol to transmit data enables anyone with network access and a packet sniffer to read the data transmitted to and from IoT devices. For a quick breakdown of protocols NOT to use, and what protocols to use instead, see below.

  • Do NOT use Telnet, instead use SSH
  • Do NOT use HTTP, instead use HTTPS
  • Do NOT use FTP, instead use SFTP or SCP
  • Do NOT use SNMP v1 or v2c, instead use SNMP v3

8. Vulnerabilities and attacks

New vulnerabilities and exploits are discovered all the time. Staying up to date on the latest CVEs and issuing patches and security updates when appropriate helps keep your devices secure. The world of IoT security moves fast, so enabling users to patch devices in the field is important. Additionally, using security scanners to scan your devices for overlooked exploits helps ensure you avoid leaving known weaknesses exposed.

9. Complex systems

IoT devices exist in complex networks. The market is also growing and expanding rapidly, leading to new use cases and integrations in a short period of time. The larger this ecosystem grows, the larger the attack surface for IoT devices becomes. Whenever a new feature or protocol is implemented, it poses a potential data security risk. IoT engineers must ensure security is taken into account both at the device-level and network-level.

10. Learning to predict and prevent security issues

Proactive preventative measures go a long way in enabling secure IoT development. This means IoT development teams need to emphasize security throughout the product life cycle. This requires using many of the suggestions we have mentioned throughout this article. For example, by forcing a user to change the default password and also enforcing the use of strong passwords, IoT engineers can prevent many attacks that assume default passwords are enabled. However, hackers learn and adapt over time, so using regular vulnerability scans, staying up to date on security, and implementing best practices like the principle of least privilege can help mitigate risk and improve security posture.

Want to learn more? Contact the Total Phase Team of Experts!

If you find yourself needing support in the area of IoT protocol implementation or security practices, Total Phase is well equipped with the knowledge you need. Whether it’s to further discuss something you read here or if questions arose that weren’t answered here, reach out. Our sales team will ensure your security concerns are taken care of.