IoT and security issues

The Internet of Things (IoT), like any rapidly developing technology, experiences a number of "growth diseases", among which the most serious is the security problem. The more "smart" devices connect to the network, the higher the risks associated with unauthorized access to the IoT system and the use of its capabilities by intruders. Today, the efforts of many companies and organizations in the field of IT are aimed at finding solutions that will minimize the threats that impede the full implementation of IoT.


Smart, but vulnerable

The development of the concept of the Internet of things and its implementation in various spheres provides for tens of billions of autonomous devices. According to the Statista portal in 2017, there are already more than 20 billion, and by 2025 it is expected to be no less than 75 billion. All of them are connected to the Network and transmit data corresponding to their functionality through it. Both data and functionality are targeted for attackers, which means they must be protected.

For IoT devices, security consists primarily of code integrity, authentication of users (devices), the establishment of ownership rights (including the data generated by them), and the ability to repel virtual and physical attacks. But in fact, most of today's working IoT-devices protection elements are not equipped, have externally accessible management interfaces, default passwords, ie, have all the signs of a web vulnerability.

Still remember the events of a year ago when the Mirai botnet, by selecting combinations of default login and passwords, hacked a large number of cameras and routers that were later used for the most powerful DDoS attack on the provider networks of the UK Postal Office, Deutsche Telekom, TalkTalk, KCOM and Eircom. In this case, the "boot" of IoT devices was implemented using Telnet, and the routers were hacked through port 7547 using the protocols TR-064 and TR-069.



But the most resonant, perhaps, was the attack, which put DNS-operator DYN, and with it almost "half-Internet" of the United States. For botnet attack, the easiest way was used through the default logins and device passwords.

These events clearly demonstrated the breaches in IoT-systems and the vulnerability of many "smart" devices. It is clear that the failures of someone's "smart" hours or fitness trackers of special harm, except for the disorder of their owners, will not bring. But the break-in of IoT devices that are part of M2M systems and services, in particular, are integrated into critical infrastructure, is fraught with unpredictable consequences. In this case, the degree of their security must correspond to the importance of this or that infrastructure: transport, energy or other, on which people's livelihoods and the work of the economy depend. Also at the household level - failures and attacks on the same system "smart" house can lead to local communal or other emergency and dangerous situations.

Of course, threats to the infrastructure existed in the "pre-Internet" times - for example, because of the same natural disasters or the mistakes of the designers. However, with the appearance of devices connected to the Network, one more was added, and, probably, an order of magnitude more serious - a cyber attack.

Device Certification

The existing security problem for IoT devices did not come about because of the technical stupidity or carelessness of their developers. Here, "ears" sober calculation: the speed of entering the market gives an advantage over competitors, even for a short time, and even at the expense of a low threshold of security.



Most manufacturers do not bother to spend time and money on developing and testing codes and security systems of their "smart" products.

One way to get them to rethink their attitude to the safety of their IoT products can be certification. The idea is not new, but still deserves attention, at least, it is at least some way to solve the problem. The procedure for certification of IoT-devices should not be bureaucratized and provide the buyer with a guarantee that it has a certain degree of protection against hacker attacks. To begin with, the need for a security certificate can be specified in the implementation of public and corporate procurement.

Today several private companies are involved in certification issues. In particular, the Online Trust Alliance (OTA) has come up with an initiative to address the IoT security problem at the state and producer level by issuing the IoT Trust Framework- A list of criteria for developers, device manufacturers and service providers that aims to improve the security, confidentiality and life cycle of their IoT products. First of all, it is aimed at connected home, office and portable devices and is a kind of recommendatory code of conduct and the basis for several certification and risk assessment programs.



This year an independent division of Verizon - ICSA Labs launched the programtesting security and certification of IoT-devices. According to its developers, it is one of the first of its kind, and tests such components as notification / logging, cryptography, authentication, communication, physical security and platform security. Devices that have been certified will be marked with a special ICSA Labs approval mark indicating that they have been tested and that the detected vulnerabilities have been eliminated. Also, certified devices will be monitored and periodically tested throughout their life cycle to maintain their safety.

In turn, the testing and certification programUL Cybersecurity Assurance (CAP) is aimed at ensuring the safety of products and systems. CAP certification certifies that the product or system provides a reasonable level of protection against risks that may lead to unintentional or unauthorized access, alteration or malfunction. In addition, CAP also confirms that future patches, updates or new versions of software for a certified product or system will not result in a reduction in the level of protection that exists at the time of the evaluation.

However, many IoT security experts believe that the greatest benefit from such certification programs will be in testing not only a specific device, but the entire ecosystem: its infrastructure, applications, etc. After all, a tested and safe Iot device can fail even during the interaction within the system.



Having unconditional advantages for the development of IoT, certification programs have the opposite side. The mere fact that the device passes the test and the availability of a certificate can not be a 100% guarantee of its safety, since, it is very likely still has some flaws. Excessive belief in the security certificate can play a cruel joke on users who have individual needs and various options for using devices, which means their own risks and threats. And, of course, the likelihood of abuse is not ruled out. For sure there will be manufacturers who will pay for "quasi-certification", pursuing purely commercial goals.

In all, it turns out that for a global solution to the security problem through certification, a certain unifying solution is needed, a common incentive for all producers to produce protected devices, and consumers - not to buy those whose security is not confirmed by anything. How should it be - legislative, economic or punitive - remains to be resolved. Ultimately, the result should be the security of the global Internet of things.

Blocking technology

The security of the Internet of things has become one of the first areas of use of blocking technology. Thanks to the technology of the distributed registry, it became possible to provide a high level of security for IoT devices in the network and to remove existing limitations and risks for IoT related to centralization.



It allows you to quickly and securely save the exchange protocols and the results of the interaction of different IoT devices in a decentralized system. It is the distributed architecture of the block system that guarantees a sufficiently high level of security for the entire IOT system. But if some of the network devices are still susceptible to hacking, in general, this will not affect the overall operation of the system. The mentioned use by botnets of "smart" devices working in IoT-systems became possible due to their weak security. A distributed type of trust relationship allows you to get rid of a compromised device without appreciable damage to the whole model of interaction between "healthy" objects.

In the context of security, today, the blockage can be used in a number of areas in which the Internet of things develops most intensively. For example, this is the management of authentication, verification of the health of various services, ensuring the indivisibility of information, and others. At the beginning of the year, a number of leading companies, including Cisco, BNY Mellon, Bosch, Foxconn and others, formed a consortium that will find solutions for the use of blocking equipment to increase security and improve the interaction of IoT products. The main task that its members set for themselves is the development on the basis of block-technology a distributed database and protocol for information exchange between IoT-devices.

Note that in January 2017, DHS USA began using blocking technology to protect, transfer and store data that are collected by the Office from CCTV cameras and various monitoring sensors. The technology is also tested by DARPA, a division of the US Department of Defense, which oversees the development of new technologies for the army. In addition, one of the agencies that conducts research under the roof of the Pentagon, has signed a contract worth several million dollars with the software company Galois, which is engaged in security developments based on the blockbuster.



Today it is already obvious that it will be difficult to realize all the possibilities that the IoT concept can provide users without solving the problems with security and confidentiality. The above mentioned ways of protecting IoT, of course, are not exhaustive, many groups, companies and enthusiasts work on solving the problem. But above all, the high level of security of Internet devices of things should be the main task of their producers. Reliable protection should initially come as part of product functions and become a new competitive advantage for both manufacturers and suppliers of complex IoT solutions.

For more detials Please visit: www.digitaltechnologyreview.com