Problems of IoT security and ways to solve them
IoT security is one of the main growing pains that inevitably arise when an industry develops rapidly. According to Statista, there will be 75 billion connected devices in the world, all of which have to be protected against virtual and physical attacks.
The IoT concept implies that smart devices capable of exchanging data are connected in a network and can be controlled remotely. The main threat is that the information gathered by devices, and the operation of the devices themselves, may become a target for hackers and scammers.
One of the main characteristics of IoT security is the ability to personalize devices (to connect them to the network and enter access keys) without additional effort and expense. Code integrity and the capability to repel attacks also play a vital role. Problems arise on the side of both users and producers. For example, not all device owners change factory passwords to more complex ones. Chasing quick revenue and eager to launch a device as quickly as possible, producers do not always test the product code properly.
The Hewlett-Packard Company (HP) conducted a study and catalogued the IoT problems and vulnerabilities that require solutions. The main problems are as follows:
- factory accounts, unsafe authentication;
- producer does not help to eliminate vulnerabilities;
- problems of software updates;
- use of unnecessary open ports, unprotected technologies;
- poor security of cloud infrastructure;
- use of insecure software.
According to analytical data, 20% of companies faced hacking attacks in the IoT field from 2015 to 2018. This is the result of companies not paying enough attention to where they buy devices and not setting them up properly.
How hackers use vulnerabilities of IoT
Hackers usually use botnets – computer networks infected with malware. For example, a large DDoS attack on the infrastructure of the DNS provider Dyn took place back in 2016. It involved the Mirai botnet, which comprised 100,000 IoT devices. As a result, most of the websites popular in the US were unavailable.
The Mirai botnet guessed combinations of default logins and passwords and compromised thousands of smart cameras and routers. The latter were used to carry out DDoS attacks on UK Postal Office, TalkTalk, KCOM, Eircom, and others. The botnet’s source code was posted on the Internet, which increased the risk of it being used by other hackers.
Real dangers of such vulnerabilities
Such vulnerabilities can do physical harm to people (for example, if malefactors gain access to explosive or flammable equipment) or cause breakdowns at production sites (leading to huge losses).
Cyber security specialists, for instance Check Point Software Technologies Ltd., deal with IoT vulnerabilities. In 2017, experts of the company detected a threat to SmartThinQ connected home appliances. Hackers could compromise the devices and get access to the owners' home networks.
The security department of Panasonic has found a vulnerability in the protection of smart toilet seats, which are controlled via Bluetooth. Using the detected loophole, hackers would have full control over the devices.
However, the danger does not lie in the fact that malefactors can frighten people by unexpectedly flushing the toilet. By hacking one smart device, thieves can get access to the whole network, including door locks and financial accounts.
Does certification help to protect IoT devices?
Certification can partially solve the problem of IoT security. If a product undergoes tests and receives a corresponding certificate, this ensures a certain level of protection for customers against hacking attacks. The main condition is to make the procedure accessible to producers and not to turn it into a mere formality.
The Online Trust Alliance (OTA) came up with an idea of how to boost the security of IoT devices. It made a list of requirements for producers and service providers: the IoT Trust Framework. The list is expected to provide security and sustainability of IoT products. Experts can draft certification programs and assess current risks based on this list.
Now there are several IoT certificates developed by private companies. For example, Verizon's division ICSA Labs developed its own program that examines the security of IoT devices.
The protection degree of devices is assessed based on the following criteria:
- physical security;
- integrity of the platform.
The UL Cybersecurity Assurance Program (CAP) conducts security tests for both products and systems. A CAP certificate confirms that software updates will not weaken the protection and will not increase the risk of an attack.
In 2018, the German software producer SAP introduced its certification program for IoT equipment in the CIS countries. As part of the program, devices undergo testing and receive a corresponding quality mark, which confirms that the devices are safe and can be used in IoT projects.
Thibault Kleiner, deputy head of cabinet of Günther Oettinger, European commissioner for digital economy and society, believes that IoT protection measures should be taken at the governmental level, and that certification should be obligatory for all IoT devices. Such a procedure should apply not only to devices but also to networks and cloud storage.
Blockchain as a way to secure IoT
Blockchain is one of the most efficient solutions for providing IoT security. Integrating distributed ledger technology into the IoT field reduces the number of points of attack and the risks related to centralization. For example, if one device is hacked, a blockchain-based system will be unaffected.
With blockchain, users are not able to change the records of their actions in the IoT system. In this way, distributed ledger technology protects companies that conduct financial operations, audits, and supply chain monitoring. Besides, blockchain can be used in smart cities to protect smart devices (for example, smart traffic lights) against hacking. Distributed ledger technology also helps to manage authentication and to test the performance of services.
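As an added illustration of the record-immutability property described above (not code from the original article or from any project it names), the following Python example chains each device action to the previous one with SHA-256 and reports where a later edit breaks the chain. It is a single-node hash chain, a simplification of a distributed ledger; the device names, users and function names are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record


def record_hash(prev_hash, payload):
    """Hash a record together with the hash of the record before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger, payload):
    """Append a device action; each entry commits to all earlier entries."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev_hash, "payload": payload,
             "hash": record_hash(prev_hash, payload)}
    ledger.append(entry)
    return entry


def first_invalid(ledger):
    """Return the index of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev_hash:
            return i  # link to the previous entry is broken
        if entry["hash"] != record_hash(prev_hash, entry["payload"]):
            return i  # payload no longer matches its stored hash
        prev_hash = entry["hash"]
    return None


def build_sample():
    """Constructed sample: three actions from hypothetical devices."""
    ledger = []
    append(ledger, {"device": "lock-01", "action": "unlock", "user": "alice"})
    append(ledger, {"device": "cam-07", "action": "stream_off", "user": "bob"})
    append(ledger, {"device": "lock-01", "action": "lock", "user": "alice"})
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    print("intact, first invalid index:", first_invalid(ledger))
    ledger[1]["payload"]["user"] = "alice"  # a record is rewritten after the fact
    print("after edit, first invalid index:", first_invalid(ledger))
```

A party holding the only copy could recompute every later hash after an edit, which is why a distributed ledger keeps copies with multiple participants.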
In 2018, Cisco, BNY Mellon, Bosch and other major companies established a consortium that develops solutions capable of increasing IoT security using blockchain. Intel Corporation is also carrying out blockchain development projects for the corporate environment.
According to survey findings from Gemalto, the IoT sector has started using distributed ledger technology more often. The figures range from 9% to 19% in 2018. Besides, 91% of companies that do not use blockchain yet are ready to deploy the technology in the future. At the same time, 23% of respondents believe that blockchain is the best solution for securing IoT devices.
Analysts from Gartner think that the IoT market will keep growing and that its growth will be encouraged by the demand for tools and services intended for threat hunting. Besides, testing of IoT systems, aimed at assessing to what extent they are protected against hacking, will be popular. As a result, spending on IoT information protection will increase to $3.1 billion in 2021.
A 2018 survey of cyber protection specialists showed that IoT security requires regulation; it is necessary to introduce general rules of protection. Fifty percent of enterprises that make use of IoT technologies cannot determine whether their devices have faced attacks. As a tool that provides security, blockchain is steadily getting more popular. Most respondents prefer encrypting information (71%), the rest use passwords and two-factor authentication.
Whichever method companies choose, the main thing is not to stand idle.