IoT deployment raises a number of IoT security issues related to IoT device features, such as the need for lightweight encryption algorithms in terms of processing and storage capabilities, and the use of standard protocols. IoT devices are more vulnerable to security threats than traditional Internet-based computers for their less processing power and limited memory resources, exacerbating the enforcement of protection. The current Internet network protocol transition from IPv4 to IPv6 means that more and more IoT devices have global IP addresses, which can help identify these devices as targets for security attacks. The autonomous operation and communication of IoT devices also facilitate security attacks. Therefore, new and more powerful security solutions for IoT systems are urgently needed. This article will take you through the Internet of Things from the network to hardware, software, and other security issues at all levels of the discussion.
1. What are IoT Security Issues?
IoT security concerns have a lot in common with IT security. However, IoT systems require more sensitivity and confidentiality as these systems come in and digitize an individual’s private life. The sensitivity of IoT technology stems from the high requirements for security, with extremely high confidentiality, authenticity, privacy, and integrity. There are physical and logical issues with IoT security. On the one hand, the physical problem is the energy of the device. Most IoT devices are powered by batteries, so the energy is relatively insufficient. On the other hand, IoT devices have relatively low processing power and limited memory resources. Logical issues exist in authentication, malware protection, privacy protection, and surveillance.
The Internet and its technology stack have existed for decades. During this time, a centralized client and server architecture was the foundation upon which current platforms and services were built. These architectures can also be cumbersome from an IoT perspective. For example, when a myriad of wireless sensors needs to submit their data back to a centralized service, a monolithic service should be able to distribute security updates to a decentralized or distributed sensor network. These sensor networks typically benefit from a decentralized communication architecture, which has a large To a certain extent it is self-managing. Traditionally, a barrier to creating a decentralized architecture has been the trust of other participants. The introduction of the cryptocurrency Bitcoin assumes that there is no need for trust between two parties. This is achieved by incorporating a distributed consensus mechanism as proof of new transaction validation while cashing in on earlier transaction history. So this extends to the design of generalized transactions outside the scope of cryptocurrencies. Today, this generalized mechanism often takes the name of blockchain.
Recent attention from regulators, especially in the European Union, has prompted increased focus on security and privacy in the IoT space. The adoption of blockchain technology has great potential as a viable solution for future IoT systems to meet regulatory requirements. Regarding the regulatory requirements for the design of IoT devices, the European Parliament has recently passed new directives and regulations. These requirements, which can be considered the most stringent in the world, apply to device manufacturers as well as service and platform providers if they provide to the EU or process personal data of EU residents.
In addition, EU member states provide some sector-specific regulations for areas dealing with sensitive information, such as healthcare and financial services. The United States lacks general data protection or privacy law and relies mainly on a small number of privacy-related legislation related to the industry. The American approach to designing information systems makes it harder to reach common conclusions about maintaining a certain level of privacy. For example, while the same IoT system can be used in different regions, the lack of common privacy requirements or definitions suggests it. The manufacturer must therefore at least somewhat anticipate the intended use of the design system, and the intended use of the design system if it were restricted from entering the U.S. market.
On the other hand, people could view EU regulatory requirements as a benchmark of obligations to be met when dealing with personal data or dealing with operators of certain important infrastructure. There are two EU laws and regulations responsible for the development and management of information systems. They are the General Data Protection Regulation (GDPR) and the Network and Information Systems Security Directive (NIS Directive).
The GDPR may have some nuances between member states, but it lays the groundwork for a unified digital single market within the EU. As a directive, member states may take a different approach to the NIS, although it defines what can be considered a minimum level of security responsibility for information systems.
What is Internet of Things(IoT) Privacy?
With the development of IoT technology, digital technology has further penetrated our life and environment. According to Strategy Analytics, the number of connected devices worldwide reached 22 billion by the end of 2018 and is expected to reach 50 billion by 2030. Based on optimistic data, the combination of IoT and artificial intelligence will create a more intelligent way of communication. Overall, the social and economic impact of the Internet of Things will be significant, with connected devices integrated into every aspect of our lives, from wearables to the Internet of vehicles to smart homes to the Internet of everything. The convenience and ubiquity of the Internet of Things will bring huge benefits, but it also means that information collection moves from the online world to the offline world, with our bodies and private spaces becoming the source of information collection. In this context, the Internet of Things, especially the privacy issues related to the consumer Internet of Things, has become the focus of attention. On September 19, the Internet Society released a report on IoT privacy called “Policy Brief: IoT Privacy for Policymakers “, which analyzes the risks and challenges brought by the Internet of Things to personal privacy protection, and puts forward specific action recommendations for policymakers, IoT service providers and other stakeholders, and calls for strengthening the governance model of multi-stakeholder collaborative participation.
The development of the Internet of Things enables everyday objects and sensors other than computers to generate, exchange and consume data with less human intervention. Today, the Internet of Things shows the development trend of scale (the number of connected devices continues to increase), intimacy (wearable devices and devices implanted in the human body, etc.), ubiquitous, always connected, and intelligent. But this scale of development could impact privacy protections, allowing individuals to be more easily identified, tracked, profiled, and influenced.
The challenges of the Internet of Things to personal privacy protection include: First, the protection of the Internet of Things spans a wide range, including the regulatory boundaries of different departments and jurisdictions. On the one hand, privacy legislation tends to be segmented by domain, such as medical privacy, financial privacy, student privacy, etc., and IoT devices and services are difficult to categorize. On the other hand, different countries and regions may have different privacy legislation for IoT devices and services and will face different regulations when data collection and processing occurs in different jurisdictions. Second, it is difficult for IoT to obtain informed consent from users. When IoT is deployed, in addition to obtaining informed consent from the owner of the device, it is difficult to obtain the consent of others around at the same time. IoT devices are no different from commonplace things like watches, speakers, and TVs, so it’s hard to know if a device is collecting and processing data. Finally, IoT challenges the transparency principle of privacy protection. For example, unlike websites, apps, etc., IoT devices and services may not be able to present their privacy policies to users, and may not do a good job of informing users that they are collecting data.
In order to better meet these challenges and strengthen the protection of personal privacy related to the Internet of Things, the Internet Society has put forward four recommendations: First, strengthen users’ meaningful control over IoT devices and services, and strengthen IoT data management. Specifically, it includes: clarifying the responsibilities of service providers, including obtaining informed consent from users when collecting personal data, enhancing transparency, and securely storing data, etc.; promoting open standards and interoperability in IoT devices and services; and encouraging data minimization practices. Second, improve the transparency of user data collection and use. For example, notify users of IoT device capabilities and data collection in a way that is easy for users to understand, set up effective consent and opt-out functions for users, improve privacy policy clarity, improve transparency throughout the data life cycle, and ensure privacy and security. It is protected throughout the product life cycle, etc. Third, privacy legislation and policies keep pace with technological developments. Specifically, it includes: improving existing privacy and consumer protection laws; reviewing the adaptability and scope of privacy protection laws; strengthening legal protections for privacy researchers to ensure that they do not incur legal risks by investigating privacy issues; Widespread use of networking does not exacerbate discrimination and unfair practices; introduce privacy impact assessment in IoT development, etc. Fourth, strengthen multi-stakeholder participation. Solving IoT-related risks and challenges requires the joint participation of the government, the public, industry, academia, social organizations, and technical personnel. Extensive dialogue should be carried out at the social level, and attention should be paid to consumers’ right to speak.
Overall, the combination of IoT with emerging technologies such as cloud computing and artificial intelligence will transform our economy and society in many ways. Technology brings great opportunities, but it also comes with risks. One needs to take appropriate steps to ensure that the benefits of IoT far outweigh the risks of privacy, security, etc. This requires the cooperation of all stakeholders, including governments, manufacturers, consumers, etc., to ensure that IoT technologies are developed in a responsible and sustainable manner. Foreign countries are already promoting IoT privacy and security legislation. Legislation needs to take into account the characteristics of IoT devices and services and adopt flexible and reasonable regulatory mechanisms. For example, even in the EU GDPR, users’ informed consent is not the only legal basis for service providers to collect and process users’ personal information. Therefore, the Internet of Things privacy policy should not be limited to informed consent but should consider the technical characteristics, and under certain circumstances, will be transformed from prior permission to in-process and post-event data protection obligations. In addition, consumer privacy awareness has awakened. For example, in a survey, 77% of consumers indicated that the privacy protection capability and security of IoT are important factors to consider when making purchasing decisions. IoT manufacturers must consider user privacy and data security issues when developing and building IoT. Practice the concept of “privacy by design” and strengthen users’ control over data.
Why is IoT security critical?
01. Why is IoT security so critical today
Today, Internet of Things devices and applications are widely used in people’s work and life, and almost all objects will become intelligent to take advantage of the benefits of being connected to the global Internet.
While in the early days, network threats were focused on enterprise IT facilities, in the modern world they have become more widespread and frequent. Before discussing security measures for the Internet of Things, it is important to understand some of the network threat vectors surrounding the Internet of Things.
02. Common threat vectors for the Internet of Things
Threat vectors refer to the paths or means by which cybercriminals can gain access to a company’s core systems operating in the network. Some of the most common threat vectors in IoT are:
(1) No physical boundaries
The IoT network boundary is more open than the traditional Internet boundary. Traditional security methods of restricting access to devices are no longer available. These IoT devices move to any new location when needed and have access to the network.
(2) Wi-Fi and Bluetooth data leakage
Wi-Fi and Bluetooth configurations in IoT are major sources of data leakage. Bluetooth and WI-FI with weak passwords can easily be stolen by network attackers during data transmission. Also, in most cases, the password used for configuration is not uniquely set for each device. If only one device is attacked and compromised by the network, a gap is left for unauthorized access.
(3) Physical access to IoT devices
Cyber attackers gain physical access to IoT devices and workloads, the worst of all threat vectors. With this access, cyber attackers can easily gain access to IoT devices’ internal information and its contents. And using tools like BusPirate, Shikra, or LogicAnalyzers, they can also read all the traffic in the network. With physical access, cyber attackers can extract passwords, modify their programs, or replace them with other devices they control.
03. IoT vs the IT
While many IoT devices are on the edge, the IT infrastructure is in the cloud. Threats to IoT security may result in cyber attackers gaining access to core IT networks through IoT threat vectors. Here are some real-life cyber attacks.
- Access to the network through the HVAC system leads to a data breach
According to media reports, Target Inc., one of the top 10 retailers in the U.S., has been hacked to steal 40 million credit card numbers from the company. It is one of the largest data breaches in the world. Hackers hacked HVAC systems by stealing third-party credentials and then gained access to corporate networks.
- SubwayPoS suffers hacker attack
There are currently some reports of security bugs related to PoS. The breach in SubwayPoS resulted in a loss of $10 million, with at least 150 of Subway’s franchises targeted. A similar hack occurred at US bookseller Barnes & Noble, in which credit card readers at 63 stores were attacked and compromised.
SamSam ransomware
Another well-known case of system breach is the cyberattack by SamSam ransomware, which hit administrations such as the Colorado Department of Transportation and the Port of San Diego in 2018 and abruptly halted their services.
04. IoT Regulations
Although some IoT regulations have been issued by some countries and regions, they are not sufficient to mitigate the risks involved in cyberattacks. California has reasonable security-level regulations when it comes to curbing cyberattacks. Likewise, the UK has implemented a unique password policy, and businesses must provide clear contact details for IoT devices connected to local IT infrastructure to disclose vulnerabilities and perform regular security updates. While these regulatory guidelines are welcomed by many security commentators, it is unclear who will enforce these policies. The commentator added that they were working to understand how the regulations would be enforced through existing regulators.
The strategies and measures of cyber attackers are updated much faster, and these regulations may be issued or implemented annually or semi-annually. Therefore, it is difficult to keep up with the attacks carried out by cyber attackers only by relying on regulatory policies.
05. What security measures must companies take
While complying with the above regulations, businesses must develop their security measures for the adoption of IoT devices.
First, they must determine the security of IoT devices. It is crucial to ensure that IoT devices have unique identities, which are the basis for other security measures.
Then, based on the identity layer, the software is protected by measures such as signed code, firmware, etc.
Finally, the enterprise must have compliance at the very top level to decide which versions of the software will be run.
IoT hardware security
In electronic product design, safety is paramount. This is especially true for the complex, resource-constrained, and highly connected Internet of Things (IoT). Achieving IoT security requires relying on proven security principles and vigilance against evolving threats. But design engineers face some IoT security challenges when bringing products to market.
01. IoT faces security threats
IoT is currently being incorporated into most industrial and commercial operations, including public utilities, critical infrastructure, transportation, finance, retail, and healthcare. IoT devices can sense and measure the physical world and collect data on various human activities, facilitating the widespread deployment of intelligent, automated, and autonomous command and control technologies. Through the ubiquitous IoT interconnecting smart devices, businesses are able to create truly revolutionary technologies that will improve every aspect of human society and economic life in the future. Yet almost every week mainstream media reports on digital security breaches. Reported losses are often theft or misuse of consumer credit card information, which are drops in the bucket compared to the thousands of cyber-attacks that occur every day. Security attacks include stealing valuable data and causing widespread damage, and even more, taking control of critical systems. From a consumer perspective, distributed denial of service (DDoS) attacks are probably the most common threat. The Mirai botnet, which disrupted the entire internet in 2016, sounded the first alarm bells, making agencies aware of the threat. After Mirai, Aidra, Wifatch, and Gafgyt, as well as new botnets such as BCMUPnP, Hunter52, and Torii53, have cumulatively penetrated millions of IoT devices to spread their DDoS malware, cryptocurrency miners, and spam.
As more IoT devices appear in our work and lives, potential security attacks are everywhere and on an ever larger scale. Take intelligent traffic control as an example. Imagine a major city where the infrastructure of sensors, traffic lights, car mesh networks, and control devices that control the flow of traffic is exposed to adversaries. Controlling traffic lights or communication between vehicles via wireless networks at important intersections is no longer the stuff of Hollywood blockbusters, but a real and serious issue.
Think also of internet-enabled medical devices, smart labels in stores to help improve the retail shopping experience, and how our appliances are connected. If you can use your smartphone to start the stove, unlock the lock and turn off the alarm system, what about everyone else?
The examples above are relevant to all of us, but there are many situations that are invisible to the average consumer. Imagine the Industrial Internet of Things (IIoT) deployed for automated manufacturing environments. What would be the chaos if a security breach occurred, and what would be the financial cost of production downtime and equipment damage?
With the potential for attacks growing exponentially, IoT security must be comprehensive and robust, with the ability to recover quickly.
02. You should not rely on a software approach alone
Attempts to wiretap or illegally obtain information are nothing new. Dutch computer researcher Wim Van Eck has been working on this since 1985. He successfully extracted information from the display by intercepting its electromagnetic field and decoding it. His pioneering work highlighted the fact that it was possible to circumvent expensive security measures by using inexpensive components.
Such non-intrusive and passive electromagnetic side-channel attacks are now becoming more sophisticated and one of many attack weapons. Other edge-channel attack methods include differential Power analysis (DPA) and others, which are commonly used together with electromagnetic edge-channel attacks. Through this attack, sensitive information such as encryption keys, passwords, and personal identities in the microcontroller of the IoT device will be “compromised” in the form of electromagnetic signals when the encryption processing instructions are executed. Broadband receivers as software-defined radio applications are currently very inexpensive and can be used to detect and store electromagnetic signals in operation.
DPA is a more complex thieving method, which can understand the processor power consumption during device operation through simple power analysis. Since the power consumed by the processing device will vary depending on the function performed, discrete functions can be identified by knowing the power consumption. The functions of encryption algorithms based on AES, ECC, and RSA require a lot of computation and can be identified by power measurement analysis. Examining power consumption at microsecond intervals reveals various numeric operations often used in cryptography, such as sum-squared multiplication. DPA adds statistics and error correction techniques to simple power analysis, which can realize high-precision decoding of confidential information.
Data leakage through wired or wireless communications can also expose confidential information. Covert channels and “man-in-the-middle attacks” are effective ways to collect data by listening to the communication between IoT devices and host systems. Analyzing this data can reveal device control protocols and the private keys needed to take over the operation of remotely connected devices.
Another attack technique used by hackers is implant attacks on unprotected microcontrollers and wireless system-on-a-chip (SoC) devices. In the simplest case, the technique can reduce or interfere with the microcontroller’s supply voltage, making strange errors. These errors can then trigger other protected devices to open registers that hold confidential information, thereby exposing them to intrusion. Tampering with the system’s clock signal by changing the frequency, planting the wrong trigger signal, or changing the signal level can also lead to abnormalities in IoT devices that can expose confidential information or lead to control functions being manipulated. Both cases require physical, but not invasive, access to the printed circuit boards inside the device.
Since many of the security technologies used to secure IoT devices are software-based, security information is likely to be read illegally. Standard cryptographic encryption algorithms such as AES, ECC, and RSA run as software stacks on microcontrollers and embedded processors. Devices and software that cost less than $100 can be used not only to see power consumption but also to obtain keys and other sensitive information using DPA technology. It is now easy to get off-the-shelf DPA software tools to automate the entire process without even having to be proficient in these analytical methods.
Such attacks are no longer confined to the realm of theory, and they have been widely used by hackers around the world.
With the increasing attack intensity, the developers of IoT devices and systems need to reconsider their security protection methods and improve their security protection functions to make them more robust and resilient.
03. Hardware approach to protecting IoT security
Before designing a new IoT device, it is best to have a comprehensive understanding of what attacks the device is likely to be exposed to, and what kinds of threats need to be protected against. It is prudent to review security requirements from the outset and incorporate them into product specifications. Most IoT devices tend to last for many years, and this alone could lead to more attacks, so it needs to be considered. Therefore, firmware updates must be performed over the air (OTA), and to protect against all attacks, a chip-to-cloud approach is required to implement a hardware-based security design.
The OPTIGA® Trust M2 ID2 security chip recently released by Infineon is a completely hardware-based security solution, and its biggest advantage is that it can resist attacks at the hardware level. It uses some specially designed streamlined logic to better protect the storage of data. Even though very professional reverse engineering, the original data cannot be easily hacked and cracked. Some professional designs and non-standard code implementations are actually difficult to analyze and understand. The most important point is that the hardware-based security chip solution can provide a trusted “root” for the entire system and a source of trust for the system.
IoT firmware security
With the number of IoT terminals increasing by leaps and bounds, the relevant regulations and standards of IoT security are gradually landing, and the firmware security of low-resource embedded devices will be gradually paid attention to. As an end-to-end IoT security detection platform, TinyScan truly scans and mines hidden sensitive information and security risks from the source. Both firmware developers and firmware users can use this tool to master the security status of the specified firmware and carry out targeted protection or evasion, thereby reducing the number of IoT security problems caused by firmware vulnerabilities.
In the era of the Internet of Things, a three-layer structure model of perception, transmission, and application is often used, and embedded devices such as sensors, gateways, and controllers distributed in the three layers have introduced a large number of new security issues: architecture.
01. System Security
At present, the mainstream embedded operating systems are still dominated by Linux or Linux derivatives, and different companies customize and develop Linux systems according to their product requirements and characteristics. However, due to the fact that the resources of embedded devices are limited, it is difficult to completely transplant existing security defense solutions to IoT devices.
02. Component Security
Because embedded devices use Linux as the operating system, many open source components are bound to be used. The hidden problems of some open source components in the C/S mode may be rediscovered and utilized in the Internet of Things era. Because there are a large number of identical IoT devices in the space at the same time, if the firmware of the device is not upgraded in time after a vulnerability occurs, it may cause heavy losses.
03. R&D Safety
In the Internet era, the client cannot directly access and control the server, but this phenomenon has changed in the Internet of Things era. Through the open source reverse tool, users can easily obtain the configuration files and plaintext information left in the device firmware, and then directly obtain the access rights of the device, posing a threat to a large number of devices of the same specification.
We should conduct security analysis on firmware from the following dimensions, and output the analysis results in the form of reports.
(1) File system service security analysis
● Automatically scans and obtains the basic information of the firmware file system, including the CPU architecture, setup time, compression mode, type, size, and storage mode of the file system.
● After obtaining the basic information about the file system, you can determine the scan target type and switch to different scan engines.
(2) System & service analysis coding
● Obtain system service information, including system service path and MD5 value.
● By obtaining the system service information, the system service self-startup status can be known, and the information such as whether unknown malicious scripts exist in the self-startup service can be quickly learned.
(3) Component & software safety analysis SPA
● Directional scanning, obtaining system component & software information, including component & software path, description, and website address;
● By obtaining the component & software information, you can quickly obtain the version information of the component & software installed in the firmware, and then perform security scanning accordingly.
(4)User password retrieval
● Directional scan, obtain user password information, including password-related file path, and password information;
● After user password retrieval, the password information leakage caused by non-standard development in firmware can be exposed.
(5)Analysis of encryption authentication security
● Automatically scans and obtains the encryption authentication file information, including the path and encryption information of the encryption authentication file;
● After the encryption authentication detection, the encryption authentication information leakage caused by the non-standard development in the firmware can be exposed.
(6)Analysis of sensitive information security
Automatic scanning and obtaining of suspicious sensitive information in firmware includes but is not limited to hard-coded Token/key, configuration hard-coded password, hard-coded IP, hard-coded HTTP address, cache file leakage, etc., which can expose sensitive information leakage caused by non-standard development in firmware.
(7)CVE vulnerability detection
Quickly detect CVE vulnerability information in the file system, including CVE-ID, release time, description, and level. After the CVE vulnerability detection, you can obtain the latest CVE vulnerability information of the software installed in the current scanned firmware.
Internet of Things(IoT) software security
72% of information security leaders say cloud computing is a top priority for digital transformation. Cloud-based IoT software is integrating both digital and physical elements of security so that data can be accessed and exploited by more secure phones.
What can cloud-based IoT software bring to security protection? This article will explain to you how IoT software can effectively help improve security in the field of security. It will also introduce how to combine digital and physical security elements to deal with security incidents.
01. The impact of cloud-based IoT software
Cloud-based IoT software is being used in business in various ways. And cloud-based solutions are bringing benefits to the security space. At its core, IoT technology is transforming the corporate sector, renewing the way businesses operate.
02. Integrate cloud-based solutions to leverage data
Data is very important in every industry, and the security field is no exception. With cloud-based solutions, storing data and information on a single interface can help companies stay abreast of what’s going on in the business.
In addition, by combining AI-enhanced software and cloud-based solutions, security personnel can better identify potential security threats. Leveraging cloud-based IoT technologies can increase productivity. Due to the extensive responsibilities of security personnel, real-time monitoring of the cameras is not possible. IoT technology can help security personnel receive camera information and log feedback anytime, anywhere, helping to establish better security policies. Some IoT solutions provide real-time alerts to security personnel that combines real-time video and AI analysis tools to enhance security system functionality and speed up response to security incidents.
03. Combine the power of physical and cyber security
Combining digital and physical security is beneficial for optimizing IoT security systems, helping to protect systems from online breaches and breaches. Plus, physical security measures help protect confidential information from hackers. The stronger the fusion of digital security elements and physical security teams, the more protected an organization will be.
04. Automatic software updates
Keeping all software up-to-date is extremely important to ensure that your organization is not exposed to cyber security threats even if IoT systems are breached. Traditionally, local security systems have been manually updated by certified professionals with each new upgrade. Using cloud-based software, updates can not only be performed on-site or remotely, but can also be automated, greatly reducing costs.
05. Remote function
With the flexible development of IoT cloud technology, security personnel can operate security tools remotely using mobile devices. For example, the video intercom system used in today’s access control system allows security personnel to verify the identity of the visitor by making a video call with the visitor’s smartphone. In addition, the intercom program also supports remote unlocking. When the identity of the visitor is confirmed, the door can be unlocked remotely to allow the visitor to enter. Through the use of cloud-based IoT technology, the authentication procedure for visitors is simplified and the verification time is greatly shortened so that visitors can enter the building faster.
06. Summarize
Adopting a cloud-based IoT solution in an enterprise’s security protection strategy is conducive to creating a security system that keeps pace with the times. Cybersecurity is the threat and challenge that enterprises face when using IoT technology. But by combining physical and digital security elements, cloud-based IoT systems can be largely protected from vulnerabilities and better protected to help businesses cope with the changing security landscape.
Internet of Things(IoT) network security
At the same time as the rapid development of the Internet of Things, security problems of the Internet of Things also frequently appear. Some mining and equipment hijacking incidents occurred repeatedly. Smart home products continue to break out security loopholes, which will cause irreversible economic losses when the loopholes are exploited. At the same time, it also reflects the importance of security as the infrastructure of the Internet of Things application in the early stage of the construction of the Internet of Things industry.
In recent years, with the breakthrough of key technologies such as 5G, the development of the Internet of Things has advanced by leaps and bounds. At the same time, due to the impact of Covid-19, the office forms of remote work have increased, which not only brings convenience to enterprises but also provides convenience for hackers to attack confidential company information.
The Internet of Things has penetrated into all aspects of our lives. Frequent attacks on smart devices threaten personal privacy and security. Critical infrastructure is also facing huge risks in realizing digital networking transformation. IoT security requires the establishment of reasonable management plans and regulations to ensure timely detection and efficient recovery of risks.
IoT security issues mainly involve data security, privacy, replication, and RFID system threats.
- Attacks on RFID: RFID technology is a popular Internet of Things technology, currently mainly used in “unmanned supermarkets” and other fields.
- Attack on WSN: WSN is the wireless sensor network. The bottom layer of the Internet of Things is the perception layer. This layer includes a large number of sensors. When the sensors work, they will generate a large amount of data. Once they are intercepted by criminals during the transmission process, the consequences will be unimaginable. WSN currently has related applications in the military.
- Attacks on routers: Routers are very important network devices. Once attacked, the network may be paralyzed. In addition, there are attacks on communication lines, attacks on users, and attacks on servers.
Specifically, the main security threats currently faced by the Internet of Things can be summarized as three aspects of “cloud, pipe, and end” security:
(1)Internet of Things terminal security
The first aspect is IoT terminal security. As a representative product of the deep integration of information space and physical space, IoT terminals have rapidly expanded from pioneer products for personal consumption to various fields of economy and society. It endows education, medical care, retail, energy, construction, automobile, and many other industries with new service means, and supports the improvement of basic urban functions such as government office, public safety, transportation, and logistics. Existing IoT terminal equipment focuses on function realization, while traditional equipment manufacturers have insufficient security capabilities, consider factors such as time and cost, and generally ignore security issues in terminal design.
IoT terminals can be divided into intelligent terminals and non-intelligent terminals. Most intelligent terminal devices have embedded operating systems and terminal applications, while most non-intelligent terminal devices have a single structure and function, and only perform functions such as data collection and transmission. Therefore, intelligent terminal devices have a greater threat to information security.
(2)IoT pipeline security
The second aspect is IoT pipeline security. The “tube” of the Internet of things is the pipeline connecting the “cloud” and the “end”. The security of the “tube” of the Internet of things is the security of the information pipeline with large capacity and intelligence. According to the investigation of the information pipeline of the Internet of things, it is found that there are four main security threats to the pipeline security of the Internet of Things.
(3)Internet of Things cloud service security
Third, Internet of Things clouds service security. Generally speaking, Internet of Things cloud services are used when information is shared with other parties. Therefore, protecting the security of cloud services is also a key link to protecting the security of the Internet of Things.
Ways to improve Internet of Things security
Enterprises must improve the security of IoT devices or they will cause huge financial and reputation losses. Data encryption and internal monitoring are some of the ways that companies can be focused on improving the security of IoT devices.
01. Use cloud infrastructure and software protection
The Cumulonimbus network device keeps the device secure as it helps maintain the confidentiality and integrity of the information recorded by the device. At the same time, the information in the exchange can be encrypted and protected from hackers.
02. Design a security device and create a separate network
Designing a better device focused on improving the security of IoT devices is important. A timely internal review of the behavior of the device under certain conditions is important to change the system of the device.
03. Apply IoT API to guard against identity spoofing
The role of API security protection is to allow only authorized devices to communicate with each other. Companies and users can be notified of any unauthorized access and operation of the system.
In today’s world, the number of IoT devices in use is increasing. At the same time, IoT development is facing challenges. Enterprises should gradually recognize the importance of IoT security and further enhance the technology to protect the security of devices.
Which industries are most vulnerable to IoT security threats?
IoT security issues pervade all industries and fields. That is to say, as long as the industry is related to human life and property, it is vulnerable to the security threat of the Internet of Things.
For example, an attack on a refrigeration system that houses a drug, monitored by an IoT system, could disrupt the viability of a drug if the temperature fluctuates. Likewise, the impact of attacks on oil wells, water systems, and energy grids, critical infrastructure that greatly affects human life, can be devastating.
However, other attacks should not be underestimated. For example, an attack on a smart door lock could allow thieves to enter a smart home. Or, in other cases, such as the 2013 Target hack or other security breaches, attackers can deliver malware through connected systems (the HVAC system in the target case) to steal personally identifiable information and wreak havoc on those affected.
01. How can IoT systems and devices be protected
The IoT security approach depends on the IoT application and where the business is in the IoT ecosystem. The development and integration of secure software need to be a major focus at the beginning of IoT software. Deploying IoT systems requires attention to authentication and hardware security. Likewise, for operators, keeping systems up-to-date, reducing malware, auditing infrastructure, and securing credentials are critical.
Security Standards and legislation for the Internet of Things (the US and Europe)
01. Eu Internet of Things Security Guidelines
The EU Cyber Security Agency has issued Security guidelines for the Internet of Things. On 9 November 2020, the European Union’s Cyber Security Agency (ENISA) published the Security Guidelines for the Internet of Things (IoT) (hereinafter referred to as the Guidelines), which aims to help IoT manufacturers, developers, integrators, and stakeholders who own IoT supply chains make the best decisions when building, deploying, or evaluating IoT technologies. The objective of the Guidelines is to define and identify IoT security challenges and threats to ensure the security of the IoT supply chain. The Guidelines give five recommendations: First, IoT entities should build better relationships with each other, including prioritizing cooperation with suppliers that provide cybersecurity guarantees, working to improve transparency, developing innovative trust models, and providing security commitments to customers. The second is to further popularize the professional knowledge of network security, strengthen the maintenance and training of professionals, and enhance the security awareness of users of the Internet of things. Third, security is achieved by improving IoT design standards, including the adoption of security design principles, the use of emerging technologies for security control and audit, and the implementation of remote update mechanisms. Fourth, take a more comprehensive and explicit approach to improve security, including establishing comprehensive test plans, integrating authentication mechanisms into circuits, and using factory Settings by default. Fifth, make full use of existing standards and successful practices to improve product safety and service quality in the supply chain.
02. The U.S. Internet of Things Cyber Security Improvement Act of 2020
The bill has been passed on September 14, 2020. Given that IoT device security is an emerging cyber challenge with a national security priority, the bill aims to improve the security of federal Internet-connected devices by addressing cyber security concerns before IoT devices are introduced into federal use. The act requires all IoT devices used by the federal government to meet minimum security standards published by NIST.
03. Australian Code of Practice: IoT Protection for Consumers
The Act has been published by the Australian government on September 3, 2020, and has been seen as a first step toward improving the security of IoT devices in the country. In view of the global nature of IoT device security, the industry standards proposed by the Code of Conduct are consistent with other international standards and are based on 13 principles, mainly including no repetition of weak or default passwords, implementation of vulnerability disclosure policies, continuous software security updates, Credentials are securely stored, personal data protection is ensured, exposure to attack surfaces is minimized, communications are secured, software integrity is ensured, systems are resistant to interruptions, measurement data monitoring systems, etc. Among them, cryptography, vulnerability disclosure, and security update action are recommended as the top three principles that the industry prioritizes because they enable the greatest security benefits in a short period of time.
04. Similarities and differences between European, US, and Australian IoT security laws and guidelines
The Acts improve the security protection standards for IoT devices in many ways. This article introduces a number of security standards for IoT devices in the European Union, the United States, and Australia, such as ensuring that the complexity of the device password is high enough, multi-factor authentication methods, ensuring the security of identity credentials such as secure storage, timely disclosure, and repair of security vulnerabilities, providing Regular security updates to minimize exposure to cyber attack surface and more.
All three Acts focus on strengthening the protection of personal privacy in the Internet of Things. Laws and guidelines in the EU, US, and Australia all make privacy protection an important part of IoT security. For example, Australia has proposed in its code of practice that IoT devices should have privacy protection by default, and that personal data must be processed with the prior consent of the user. And the device should support users to delete personal data at any time and have the right and time to revoke privacy, so as to maximize the protection of users’ personal privacy and sensitive data.
The coverage and target of the Acts are different. The Australian Code of Conduct is consumer-oriented, helping to raise awareness of the security protections associated with IoT devices, increasing consumer confidence in IoT technology, and enabling Australia to benefit from its rollout. The EU guidelines target IoT supply chain entities such as IoT device and software developers, manufacturers, security experts, procurement teams, and other supply chain entities. By studying and responding to different security threats faced by the supply chain at different stages, the purpose of building a secure IoT ecosystem is achieved. The US Act mainly covers the US federal government and aims to regulate the government’s security assessment of IoT devices and ensure that IoT devices purchased and used by government agencies meet security standards.
Government regulation of IoT security has varying effects. The EU Guidelines and Australia’s Code of Practice are not mandatory as recommended measures by relevant government agencies. The U.S. bill is governmental and contains several mandates, such as an explicit requirement for the National Institute of Standards and Technology (NIST) to publish standards and guidelines for the use of Internet-enabled devices security within 90 days of the federal agency’s enactment of the bill to guide executive agencies and budgets Conduct internet censorship; the federal government and agencies will not buy or use IoT devices that do not meet security requirements.
