What Are IoT Security & Privacy Issues?

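IoT deployments raise many security issues tied to the capabilities of IoT devices, such as the need for lightweight encryption algorithms given their limited processing and storage capacity, and the use of standard protocols. Because of their low processing power and limited memory resources, IoT devices are more vulnerable to security threats than traditional Internet-based computers and call for stronger protection. The current transition of Internet protocols from IPv4 to IPv6 means that more and more IoT devices have global IP addresses, which can help identify these devices as targets for security attacks. The autonomous operation and communication of IoT devices also facilitate security attacks. Therefore, new and more powerful security solutions for IoT systems are urgently needed. This article takes you through IoT security issues at all levels, from the network to hardware and software.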

1. What are IoT security issues?

IoT security concerns have a lot in common with IT security. However, IoT systems require more sensitivity and confidentiality because they enter and digitize an individual’s private life. The sensitivity of IoT technology stems from its high security requirements: extremely high confidentiality, authenticity, privacy, and integrity. IoT security has both physical and logical issues. On the one hand, the physical problem is the energy of the device: most IoT devices are powered by batteries, so energy is relatively scarce. On the other hand, IoT devices have relatively low processing power and limited memory resources. Logical issues exist in authentication, malware protection, privacy protection, and surveillance.

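The Internet and its technology stack have existed for decades. During this time, a centralized client and server architecture was the foundation upon which current platforms and services were built. These architectures can also be cumbersome from an IoT perspective. For example, when a myriad of wireless sensors needs to submit their data back to a centralized service, a monolithic service should be able to distribute security updates to a decentralized or distributed sensor network. These sensor networks usually benefit from a decentralized communication architecture that is, to some extent, self-managing. Traditionally, one obstacle to creating decentralized architectures has been trust in the other participants. The introduction of the cryptocurrency Bitcoin assumes that no trust is needed between two parties. This is achieved by incorporating a distributed consensus mechanism as proof that new transactions are valid, while drawing on the history of earlier transactions. The same idea extends to the design of generalized transactions beyond the scope of cryptocurrencies. Today, this general mechanism is usually called blockchain.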

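Recent attention from regulators, especially in the EU, has prompted a stronger focus on security and privacy in the IoT space. Adopting blockchain technology has great potential as a viable way for future IoT systems to meet regulatory requirements. Regarding regulatory requirements for IoT device design, the European Parliament recently adopted new directives and regulations. These requirements, which can be considered the strictest in the world, apply to device manufacturers as well as service and platform providers that supply the EU or process the personal data of EU residents.

In addition, EU member states provide some sector-specific regulations for areas that handle sensitive information, such as healthcare and financial services. The United States lacks a general data protection or privacy law and relies mainly on a small number of industry-related privacy laws. The U.S. approach to designing information systems makes it more difficult to reach a common conclusion on maintaining a certain level of privacy. For example, the same IoT system can be used in different regions, yet there are no common privacy requirements or definitions. Manufacturers must therefore anticipate, at least to some extent, the intended use of the system they design, including its intended use if it is restricted from entering the U.S. market.

On the other hand, one can view the EU regulatory requirements as a baseline of obligations to be met when processing personal data or dealing with certain operators of critical infrastructure. The EU has two pieces of legislation responsible for the development and management of information systems. They are the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive).

There may be some nuances in GDPR between member states, but it lays the foundation for a unified digital single market within the EU. As a directive, NIS may be approached differently by member states, although it defines a minimum level of security responsibility for information systems.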

What is Internet of Things (IoT) privacy?

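With the development of IoT technology, digital technology has penetrated further into our lives and environment. According to Strategy Analytics, the number of connected devices worldwide reached 22 billion by the end of 2018 and is expected to reach 50 billion by 2030. Based on optimistic figures, the combination of IoT and artificial intelligence will create smarter ways of communicating. Overall, the social and economic impact of IoT will be huge, with connected devices integrated into every aspect of our lives, from wearables to the Internet of Vehicles to smart homes to the Internet of Everything. The convenience and ubiquity of IoT will bring huge benefits, but it also means that information collection moves from the online world to the offline world, with our bodies and private spaces becoming sources of information collection. In this context, IoT, and especially the privacy issues related to consumer IoT, has become a focus of attention. On September 19, the Internet Society released a report on IoT privacy titled “Policy Brief: IoT Privacy for Policymakers”, which analyzes the risks and challenges brought by the Internet of Things to personal privacy protection, puts forward specific action recommendations for policymakers, IoT service providers and other stakeholders, and calls for strengthening the governance model of multi-stakeholder collaborative participation.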

The development of the Internet of Things enables everyday objects and sensors other than computers to generate, exchange and consume data with less human intervention. Today, the Internet of Things shows a development trend of scale (the number of connected devices continues to increase), intimacy (wearable devices and devices implanted in the human body, etc.), ubiquity, constant connection, and intelligence. But this scale of development could impact privacy protections, allowing individuals to be more easily identified, tracked, profiled, and influenced.

The challenges of the Internet of Things to personal privacy protection include the following. First, the protection of the Internet of Things spans a wide range, including the regulatory boundaries of different departments and jurisdictions. On the one hand, privacy legislation tends to be segmented by domain, such as medical privacy, financial privacy, student privacy, etc., and IoT devices and services are difficult to categorize. On the other hand, different countries and regions may have different privacy legislation for IoT devices and services, which will face different regulations when data collection and processing occur in different jurisdictions. Second, it is difficult for IoT to obtain informed consent from users. When IoT is deployed, in addition to obtaining informed consent from the owner of the device, it is difficult to obtain the consent of others nearby at the same time. IoT devices look no different from commonplace things like watches, speakers, and TVs, so it is hard to know whether a device is collecting and processing data. Finally, IoT challenges the transparency principle of privacy protection. For example, unlike websites, apps, etc., IoT devices and services may not be able to present their privacy policies to users, and may not do a good job of informing users that they are collecting data.

To better meet these challenges and strengthen the protection of personal privacy related to the Internet of Things, the Internet Society has put forward four recommendations. First, strengthen users’ meaningful control over IoT devices and services, and strengthen IoT data management. Specifically, this includes: clarifying the responsibilities of service providers, including obtaining informed consent from users when collecting personal data, enhancing transparency, and securely storing data, etc.; promoting open standards and interoperability in IoT devices and services; and encouraging data minimization practices. Second, improve the transparency of user data collection and use. For example, notify users of IoT device capabilities and data collection in a way that is easy for users to understand, set up effective consent and opt-out functions for users, improve privacy policy clarity, improve transparency throughout the data life cycle, and ensure that privacy and security are protected throughout the product life cycle, etc. Third, keep privacy legislation and policies in pace with technological developments. Specifically, this includes: improving existing privacy and consumer protection laws; reviewing the adaptability and scope of privacy protection laws; strengthening legal protections for privacy researchers to ensure that they do not incur legal risks by investigating privacy issues; ensuring that the widespread use of networking does not exacerbate discrimination and unfair practices; and introducing privacy impact assessment in IoT development, etc. Fourth, strengthen multi-stakeholder participation. Solving IoT-related risks and challenges requires the joint participation of the government, the public, industry, academia, social organizations, and technical personnel. Extensive dialogue should be carried out at the social level, and attention should be paid to consumers’ right to speak.

Overall, the combination of IoT with emerging technologies such as cloud computing and artificial intelligence will transform our economy and society in many ways. Technology brings great opportunities, but it also comes with risks. One needs to take appropriate steps to ensure that the benefits of IoT far outweigh the risks to privacy, security, etc. This requires the cooperation of all stakeholders, including governments, manufacturers, consumers, etc., to ensure that IoT technologies are developed in a responsible and sustainable manner. Foreign countries are already promoting IoT privacy and security legislation. Legislation needs to take into account the characteristics of IoT devices and services and adopt flexible and reasonable regulatory mechanisms. For example, even in the EU GDPR, users’ informed consent is not the only legal basis for service providers to collect and process users’ personal information. Therefore, IoT privacy policies should not be limited to informed consent but should take technical characteristics into account and, in some cases, shift from prior permission to data protection obligations during and after the fact. In addition, consumers’ privacy awareness is awakening. For example, in one survey, 77% of consumers said that the privacy protection capability and security of IoT are important factors to consider when making purchase decisions. IoT manufacturers must consider user privacy and data security when developing and building IoT products. They should put the “privacy by design” concept into practice and strengthen users’ control over their data.

Why is IoT security critical?

01. Why IoT security is so important today

Today, IoT devices and applications are widely used in people’s work and life, and almost all objects will become intelligent to take advantage of the benefits of being connected to the global Internet.

While in the early days, network threats were focused on enterprise IT facilities, in the modern world they have become more widespread and frequent. Before discussing security measures for the Internet of Things, it is important to understand some of the network threat vectors surrounding the Internet of Things.

02. Common threat vectors for the Internet of Things

Threat vectors refer to the paths or means by which cybercriminals can gain access to a company’s core systems operating in the network. Some of the most common threat vectors in IoT are:

(1) No physical boundaries

The IoT network boundary is more open than the traditional Internet boundary. Traditional security methods of restricting access to devices are no longer available. These IoT devices move to any new location when needed and have access to the network.

(2) Wi-Fi and Bluetooth data leakage

Wi-Fi and Bluetooth configurations in IoT are major sources of data leakage. Data sent over Bluetooth and Wi-Fi links with weak passwords can easily be stolen by network attackers during transmission. Also, in most cases, the password used for configuration is not uniquely set for each device. If even one device is attacked and compromised, a gap is left for unauthorized access.

(3) Physical access to IoT devices

Physical access by cyber attackers to IoT devices and workloads is the worst of all threat vectors. With this access, cyber attackers can easily reach a device’s internal information and contents. Using tools like Bus Pirate, Shikra, or logic analyzers, they can also read all the traffic in the network. With physical access, cyber attackers can extract passwords, modify the device’s programs, or replace devices with others they control.

03. IoT vs. IT

While many IoT devices are on the edge, the IT infrastructure is in the cloud. Threats to IoT security may result in cyber attackers gaining access to core IT networks through IoT threat vectors. Here are some real-life cyber attacks.

  • Access to the network through the HVAC system leads to a data breach

According to media reports, Target Inc., one of the top 10 retailers in the U.S., was hacked and 40 million credit card numbers were stolen from the company. It is one of the largest data breaches in the world. Hackers compromised HVAC systems by stealing third-party credentials and then gained access to corporate networks.

  • Subway PoS suffers hacker attack

There are currently some reports of security bugs related to PoS. The breach of Subway’s PoS systems resulted in a loss of $10 million, with at least 150 of Subway’s franchises targeted. A similar hack occurred at US bookseller Barnes & Noble, in which credit card readers at 63 stores were attacked and compromised.

  • SamSam ransomware

Another well-known case of system breach is the cyberattack by SamSam ransomware, which hit administrations such as the Colorado Department of Transportation and the Port of San Diego in 2018 and abruptly halted their services.

04. IoT Regulations

Although some countries and regions have issued IoT regulations, they are not sufficient to mitigate the risks involved in cyberattacks. California has reasonable security-level regulations when it comes to curbing cyberattacks. Similarly, the UK has implemented a unique password policy, and businesses must provide clear contact details for IoT devices connected to local IT infrastructure to disclose vulnerabilities and perform regular security updates. While these regulatory guidelines are welcomed by many security commentators, it is unclear who will enforce these policies. The commentator added that they were working to understand how the regulations would be enforced through existing regulators.

The strategies and measures of cyber attackers are updated much faster, while these regulations may be issued or implemented only annually or semi-annually. Therefore, it is difficult to keep up with the attacks carried out by cyber attackers by relying on regulatory policies alone.

05. What security measures must companies take

While complying with the above regulations, businesses must develop their security measures for the adoption of IoT devices.

First, they must determine the security of IoT devices. It is crucial to ensure that IoT devices have unique identities, which are the basis for other security measures.

Then, based on the identity layer, the software is protected by measures such as signed code, firmware, etc.

Finally, the enterprise must have compliance at the very top level to decide which versions of the software will be run.
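
The three layers above (a unique device identity, authenticated firmware, and a policy that decides which versions may run) can be combined into one update check. The Python code below is an added example, not part of the original article; the device IDs, the demo key, the function names and the manifest layout are constructed for illustration, and HMAC-SHA256 with a per-device key stands in for an asymmetric code signature so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo secret. Assumption: in a real fleet this root key stays in an
# HSM on the provisioning/signing side, and only the derived per-device key is
# written to each device's secure storage.
FLEET_ROOT_KEY = bytes(range(32))


def device_key(device_id: str) -> bytes:
    """Layer 1: a key bound to the unique device identity."""
    return hmac.new(FLEET_ROOT_KEY, b"fw-auth:" + device_id.encode(),
                    hashlib.sha256).digest()


def _canonical(manifest: dict) -> bytes:
    """Serialize the authenticated fields in one fixed, unambiguous form."""
    fields = {k: manifest[k] for k in ("device_id", "version", "sha256")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_manifest(device_id: str, version: str, image: bytes) -> dict:
    """Signing side: bind image hash, version and target device together."""
    manifest = {"device_id": device_id, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    manifest["tag"] = hmac.new(device_key(device_id), _canonical(manifest),
                               hashlib.sha256).hexdigest()
    return manifest


def verify_update(device_id: str, manifest: dict, image: bytes, approved_versions):
    """Device side: return (accepted, reason) for a proposed firmware update."""
    try:
        body = _canonical(manifest)
        tag = manifest["tag"]
    except (KeyError, TypeError):
        return False, "malformed manifest"
    if manifest["device_id"] != device_id:
        return False, "manifest issued for another device"
    # Layer 2: authenticate the manifest, then the image it describes.
    expected = hmac.new(device_key(device_id), body, hashlib.sha256).hexdigest()
    if not isinstance(tag, str) or not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad authentication tag"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image does not match manifest"
    # Layer 3: the compliance policy decides which versions may run. Removing an
    # old version from the approved set also blocks rollback to it.
    if manifest["version"] not in approved_versions:
        return False, "version not approved by policy"
    return True, "ok"


if __name__ == "__main__":
    image = b"constructed firmware image v1.4.2"
    m = issue_manifest("sensor-0001", "1.4.2", image)
    print(verify_update("sensor-0001", m, image, {"1.4.2"}))
    print(verify_update("sensor-0002", m, image, {"1.4.2"}))
```
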

IoT hardware security

In electronic product design, security is paramount. This is especially true for the complex, resource-constrained, and highly connected Internet of Things (IoT). Achieving IoT security requires relying on proven security principles and vigilance against evolving threats. But design engineers face some IoT security challenges when bringing products to market.

01. IoT faces security threats

IoT is currently being incorporated into most industrial and commercial operations, including public utilities, critical infrastructure, transportation, finance, retail, and healthcare. IoT devices can sense and measure the physical world and collect data on various human activities, facilitating the widespread deployment of intelligent, automated, and autonomous command and control technologies. Through the ubiquitous IoT interconnecting smart devices, businesses are able to create truly revolutionary technologies that will improve every aspect of human society and economic life in the future. Yet almost every week mainstream media reports on digital security breaches. Reported losses are often theft or misuse of consumer credit card information, which are drops in the bucket compared to the thousands of cyber-attacks that occur every day. Security attacks include stealing valuable data and causing widespread damage, and even taking control of critical systems. From a consumer perspective, distributed denial-of-service (DDoS) attacks are probably the most common threat. The Mirai botnet, which disrupted the entire internet in 2016, sounded the first alarm bells, making agencies aware of the threat. After Mirai, Aidra, Wifatch, and Gafgyt, as well as new botnets such as BCMUPnP_Hunter and Torii, have cumulatively penetrated millions of IoT devices to spread their DDoS malware, cryptocurrency miners, and spam.

As more IoT devices appear in our work and lives, potential security attacks are everywhere and on an ever larger scale. Take intelligent traffic control as an example. Imagine a major city where the infrastructure of sensors, traffic lights, car mesh networks, and control devices that control the flow of traffic is exposed to adversaries. Controlling traffic lights or communication between vehicles via wireless networks at important intersections is no longer the stuff of Hollywood blockbusters, but a real and serious issue.

Think also of internet-enabled medical devices, smart labels in stores to help improve the retail shopping experience, and how our appliances are connected. If you can use your smartphone to start the stove, unlock the lock and turn off the alarm system, what about everyone else?

The examples above are relevant to all of us, but there are many situations that are invisible to the average consumer. Imagine the Industrial Internet of Things (IIoT) deployed for automated manufacturing environments. What would be the chaos if a security breach occurred, and what would be the financial cost of production downtime and equipment damage?

With the potential for attacks growing exponentially, IoT security must be comprehensive and robust, with the ability to recover quickly.

02. You should not rely on a software approach alone

Attempts to wiretap or illegally obtain information are nothing new. Dutch computer researcher Wim Van Eck has been working on this since 1985. He successfully extracted information from the display by intercepting its electromagnetic field and decoding it. His pioneering work highlighted the fact that it was possible to circumvent expensive security measures by using inexpensive components.

Such non-intrusive, passive electromagnetic side-channel attacks are now becoming more sophisticated and are one of many attack weapons. Other side-channel attack methods include differential power analysis (DPA) and others, which are commonly used together with electromagnetic side-channel attacks. Through this attack, sensitive information such as encryption keys, passwords, and personal identities in the microcontroller of the IoT device will be “compromised” in the form of electromagnetic signals when the encryption processing instructions are executed. Broadband receivers used as software-defined radio applications are currently very inexpensive and can be used to detect and store electromagnetic signals in operation.

DPA is a more complex eavesdropping method that builds on simple power analysis, which observes the processor’s power consumption during device operation. Since the power consumed by the processing device varies depending on the function performed, discrete functions can be identified by knowing the power consumption. The functions of encryption algorithms based on AES, ECC, and RSA require a lot of computation and can be identified by power measurement analysis. Examining power consumption at microsecond intervals reveals various numeric operations often used in cryptography, such as square-and-multiply. DPA adds statistics and error correction techniques to simple power analysis, which can realize high-precision decoding of confidential information.

Data leakage through wired or wireless communications can also expose confidential information. Covert channels and “man-in-the-middle attacks” are effective ways to collect data by listening to the communication between IoT devices and host systems. Analyzing this data can reveal device control protocols and the private keys needed to take over the operation of remotely connected devices.

Another attack technique used by hackers is fault-injection attacks on unprotected microcontrollers and wireless system-on-a-chip (SoC) devices. In the simplest case, the technique lowers or disturbs the microcontroller’s supply voltage, causing strange errors. These errors can then trigger other protected devices to open registers that hold confidential information, thereby exposing them to intrusion. Tampering with the system’s clock signal by changing the frequency, planting the wrong trigger signal, or changing the signal level can also lead to abnormalities in IoT devices that can expose confidential information or lead to control functions being manipulated. Both cases require physical, but not invasive, access to the printed circuit boards inside the device.

Since many of the security technologies used to secure IoT devices are software-based, security information is likely to be read illegally. Standard cryptographic encryption algorithms such as AES, ECC, and RSA run as software stacks on microcontrollers and embedded processors. Devices and software that cost less than $100 can be used not only to see power consumption but also to obtain keys and other sensitive information using DPA technology. It is now easy to get off-the-shelf DPA software tools to automate the entire process without even having to be proficient in these analytical methods.

Such attacks are no longer confined to the realm of theory, and they have been widely used by hackers around the world.

With the increasing attack intensity, the developers of IoT devices and systems need to reconsider their security protection methods and improve their security protection functions to make them more robust and resilient.

03. Hardware approach to protecting IoT security

Before designing a new IoT device, it is best to have a comprehensive understanding of what attacks the device is likely to be exposed to, and what kinds of threats need to be protected against. It is prudent to review security requirements from the outset and incorporate them into product specifications. Most IoT devices tend to last for many years, and this alone could lead to more attacks, so it needs to be considered. Therefore, firmware updates must be performed over the air (OTA), and to protect against all attacks, a chip-to-cloud approach is required to implement a hardware-based security design.

The OPTIGA® Trust M2 ID2 security chip recently released by Infineon is a completely hardware-based security solution, and its biggest advantage is that it can resist attacks at the hardware level. It uses some specially designed streamlined logic to better protect the storage of data. Even with very professional reverse engineering, the original data cannot easily be extracted and cracked. Some professional designs and non-standard code implementations are actually difficult to analyze and understand. The most important point is that the hardware-based security chip solution can provide a trusted “root” for the entire system and a source of trust for the system.

IoT firmware security

With the number of IoT terminals increasing by leaps and bounds, the relevant regulations and standards of IoT security are gradually taking effect, and the firmware security of low-resource embedded devices will gradually receive attention. As an end-to-end IoT security detection platform, TinyScan scans and mines hidden sensitive information and security risks from the source. Both firmware developers and firmware users can use this tool to understand the security status of a given firmware and carry out targeted protection or avoidance, thereby reducing the number of IoT security problems caused by firmware vulnerabilities.

In the IoT era, a three-layer structure model of perception, transmission, and application is often used, and embedded devices such as sensors, gateways, and controllers distributed across the three layers have introduced a large number of new security issues into the architecture:

01. System Security

Currently, the mainstream embedded operating systems are still dominated by Linux or Linux derivatives, and different companies customize and develop Linux systems according to their product requirements and characteristics. However, because the resources of embedded devices are limited, it is difficult to completely transplant existing security defense solutions to IoT devices.

02. Component Security

Because embedded devices use Linux as the operating system, many open source components are bound to be used. The hidden problems of some open source components in the C/S mode may be rediscovered and utilized in the Internet of Things era. Because there are a large number of identical IoT devices in the space at the same time, if the firmware of the device is not upgraded in time after a vulnerability occurs, it may cause heavy losses.

03. R&D Security

In the Internet era, the client could not directly access and control the server, but this has changed in the Internet of Things era. With open-source reverse-engineering tools, users can easily obtain the configuration files and plaintext information left in the device firmware, and then directly obtain the access rights of the device, posing a threat to a large number of devices of the same specification.

We should conduct security analysis on firmware from the following dimensions, and output the analysis results in the form of reports.

(1) File system service security analysis

● Automatically scans and obtains the basic information of the firmware file system, including the CPU architecture, setup time, compression mode, type, size, and storage mode of the file system.

● After obtaining the basic information about the file system, you can determine the scan target type and switch to different scan engines.

(2) System & service analysis coding

● Obtain system service information, including system service path and MD5 value.

● By obtaining the system service information, the system service self-startup status can be known, and the information such as whether unknown malicious scripts exist in the self-startup service can be quickly learned.

(3) Component & software safety analysis SPA

● Directional scanning, obtaining system component & software information, including component & software path, description, and website address;

● By obtaining the component & software information, you can quickly obtain the version information of the component & software installed in the firmware, and then perform security scanning accordingly.

(4) User password retrieval

● Directional scan, obtain user password information, including password-related file path, and password information;

● After user password retrieval, the password information leakage caused by non-standard development in firmware can be exposed.

(5) Analysis of encryption authentication security

● Automatically scans and obtains the encryption authentication file information, including the path and encryption information of the encryption authentication file;

● After the encryption authentication detection, the encryption authentication information leakage caused by the non-standard development in the firmware can be exposed.

(6) Analysis of sensitive information security

Automatic scanning and obtaining of suspicious sensitive information in firmware includes but is not limited to hard-coded tokens/keys, hard-coded passwords in configuration, hard-coded IP addresses, hard-coded HTTP addresses, cache file leakage, etc., which can expose sensitive information leakage caused by non-standard development in firmware.

(7) CVE vulnerability detection

Quickly detect CVE vulnerability information in the file system, including CVE-ID, release time, description, and level. After the CVE vulnerability detection, you can obtain the latest CVE vulnerability information of the software installed in the current scanned firmware.
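
Several of the dimensions above can be prototyped against an unpacked firmware root file system that you are responsible for auditing. The Python code below is an added example, not TinyScan's code and not part of the original article; it covers dimensions (2), (4), (5) and (6) only, and the function names, the regular expressions and the small sample file system it builds are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Illustrative patterns for dimensions (5) and (6); assumptions, not exhaustive.
SENSITIVE_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        rb"(?i)(?:password|passwd|token|api_?key|secret)\s*[=:]\s*[\"']?[^\s\"']{4,}"),
    "hardcoded_ip": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "http_url": re.compile(rb"http://[^\s\"'<>]+"),
}


def service_inventory(root):
    """Dimension (2): path and MD5 of each self-starting script in etc/init.d."""
    services = []
    init_dir = os.path.join(root, "etc", "init.d")
    if os.path.isdir(init_dir):
        for name in sorted(os.listdir(init_dir)):
            path = os.path.join(init_dir, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()  # inventory ID only
                services.append({"path": "etc/init.d/" + name, "md5": digest})
    return services


def password_findings(root):
    """Dimension (4): etc/shadow accounts that ship with a usable password."""
    findings = []
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.isfile(shadow):
        with open(shadow, "r", errors="replace") as fh:
            for line in fh:
                fields = line.strip().split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    findings.append({"user": user, "issue": "empty password"})
                elif pw[0] not in "!*":  # "!" or "*" means password login is locked
                    findings.append({"user": user, "issue": "password hash shipped in image"})
    return findings


def sensitive_findings(root, max_bytes=1_000_000):
    """Dimensions (5)/(6): report where secrets appear, never the secret itself."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue  # skip symlinks and large binaries in this example
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh.read().splitlines(), 1):
                    for kind, pattern in SENSITIVE_PATTERNS.items():
                        if pattern.search(line):
                            findings.append({"file": rel, "line": lineno, "kind": kind})
    return findings


def scan_firmware(root):
    """Combine the individual checks into one report."""
    return {
        "services": service_inventory(root),
        "passwords": password_findings(root),
        "sensitive": sensitive_findings(root),
    }


def build_sample_rootfs(root):
    """Write a tiny constructed root file system; every value is made up."""
    files = {
        "etc/init.d/S99vendor-agent": "#!/bin/sh\n/usr/bin/agent &\n",
        "etc/shadow": "root::0:0:99999:7:::\n"
                      "admin:$1$constructed$hashvalue:0:0:99999:7:::\n"
                      "daemon:*:0:0:99999:7:::\n",
        "etc/app.conf": "server=http://192.0.2.10/upload\napi_key = CONSTRUCTED-KEY-0001\n",
        "usr/share/notes.txt": "nothing sensitive here\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="\n") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for section, items in scan_firmware(tmp).items():
            print(section, items)
```

The service MD5 values are meant to be compared against a known-good baseline of the vendor's own build, so that an unexpected or modified self-starting script stands out.
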

Internet of Things (IoT) software security

72% of information security leaders say cloud computing is a top priority for digital transformation. Cloud-based IoT software is integrating both digital and physical elements of security so that data can be accessed and exploited by more secure phones.

What can cloud-based IoT software bring to security protection? This article will explain to you how IoT software can effectively help improve security in the field of security. It will also introduce how to combine digital and physical security elements to deal with security incidents.

01. The impact of cloud-based IoT software

Cloud-based IoT software is being used in business in various ways. And cloud-based solutions are bringing benefits to the security space. At its core, IoT technology is transforming the corporate sector, renewing the way businesses operate.

02. Integrate cloud-based solutions to leverage data

Data is very important in every industry, and the security field is no exception. With cloud-based solutions, storing data and information on a single interface can help companies stay abreast of what’s going on in the business.

In addition, by combining AI-enhanced software and cloud-based solutions, security personnel can better identify potential security threats. Leveraging cloud-based IoT technologies can increase productivity. Because of the extensive responsibilities of security personnel, real-time monitoring of the cameras is not possible. IoT technology can help security personnel receive camera information and log feedback anytime, anywhere, helping to establish better security policies. Some IoT solutions provide real-time alerts to security personnel that combine real-time video and AI analysis tools to enhance security system functionality and speed up response to security incidents.

03. Combine the power of physical and cyber security

Combining digital and physical security is beneficial for optimizing IoT security systems, helping to protect systems from online breaches. Plus, physical security measures help protect confidential information from hackers. The stronger the fusion of digital security elements and physical security teams, the more protected an organization will be.

04. Automatic software updates

Keeping all software up-to-date is extremely important to ensure that your organization is not exposed to cyber security threats even if IoT systems are breached. Traditionally, local security systems have been manually updated by certified professionals with each new upgrade. Using cloud-based software, updates can not only be performed on-site or remotely, but can also be automated, greatly reducing costs.

05. Remote function

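With the flexible development of IoT cloud technology, security personnel can operate security tools remotely using mobile devices. For example, the video intercom system used in today’s access control systems allows security personnel to verify the identity of a visitor by making a video call with the visitor’s smartphone. In addition, the intercom program also supports remote unlocking. When the identity of the visitor is confirmed, the door can be unlocked remotely to allow the visitor to enter. Through the use of cloud-based IoT technology, the visitor authentication process is simplified and verification time is greatly shortened, letting visitors enter the building faster.

06. Summary

Adopting cloud-based IoT solutions in an enterprise’s security protection strategy helps build a security system that keeps pace with the times. Cybersecurity is a threat and a challenge that enterprises face when using IoT technology. But by combining physical and digital security elements, cloud-based IoT systems can be largely shielded from vulnerabilities and better protected, helping enterprises respond to a constantly changing security situation.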

Internet of Things (IoT) network security

With the rapid development of the Internet of Things, IoT security problems have also appeared frequently. Cryptomining and device hijacking incidents have occurred repeatedly. Smart home products keep revealing security vulnerabilities, which cause irreversible economic losses when they are exploited. At the same time, this reflects the importance of security as the infrastructure of Internet of Things applications in the early stage of building the IoT industry.

In recent years, with the breakthrough of key technologies such as 5G, the development of the Internet of Things has advanced by leaps and bounds. At the same time, due to the impact of Covid-19, remote work has increased, which not only brings convenience to enterprises but also makes it more convenient for hackers to attack confidential company information.

The Internet of Things has penetrated into all aspects of our lives. Frequent attacks on smart devices threaten personal privacy and security. Critical infrastructure is also facing huge risks in realizing digital networking transformation. IoT security requires the establishment of reasonable management plans and regulations to ensure timely detection of risks and efficient recovery from them.

IoT security issues mainly involve data security, privacy, replication, and RFID system threats.

  • Attacks on RFID: RFID (radio-frequency identification) is a popular Internet of Things technology, currently mainly used in “unmanned supermarkets” and other fields.
  • Attacks on WSN: WSN is the wireless sensor network. The bottom layer of the Internet of Things is the perception layer. This layer includes a large number of sensors. When the sensors work, they generate a large amount of data. Once that data is intercepted by criminals during transmission, the consequences will be unimaginable. WSN currently has related applications in the military.
  • Attacks on routers: Routers are very important network devices. Once attacked, the network may be paralyzed. In addition, there are attacks on communication lines, attacks on users, and attacks on servers.

Specifically, the main security threats currently faced by the Internet of Things can be summarized as three aspects of “cloud, pipe, and end” security:

(1) Internet of Things terminal security

The first aspect is IoT terminal security. As a representative product of the deep integration of information space and physical space, IoT terminals have rapidly expanded from pioneer products for personal consumption to various fields of the economy and society. They give education, medical care, retail, energy, construction, automobiles, and many other industries new means of service, and support the improvement of basic urban functions such as government offices, public security, transportation, and logistics. Existing IoT terminal equipment focuses on function realization, while traditional equipment manufacturers have insufficient security capabilities, weigh factors such as time and cost, and generally ignore security issues in terminal design.

IoT terminals can be divided into intelligent terminals and non-intelligent terminals. Most intelligent terminal devices have embedded operating systems and terminal applications, while most non-intelligent terminal devices have a single structure and function, and only perform functions such as data collection and transmission. Therefore, intelligent terminal devices pose a greater threat to information security.

(2)IoT pipeline security

The second aspect is IoT pipeline security. The “pipe” of the Internet of Things is the pipeline connecting the “cloud” and the “end”. The security of the “pipe” is the security of a large-capacity, intelligent information pipeline. According to an investigation of the information pipeline of the Internet of Things, there are four main security threats to IoT pipeline security.

(3) Internet of Things cloud service security

The third aspect is IoT cloud service security. Generally speaking, Internet of Things cloud services are used when information is shared with other parties. Therefore, protecting the security of cloud services is also a key link in protecting the security of the Internet of Things.

Ways to improve IoT security

Enterprises must improve the security of IoT devices or they will suffer huge financial and reputational losses. Data encryption and internal monitoring are some of the ways that companies can focus on improving the security of IoT devices.

01. Use cloud infrastructure and software protection

The Cumulonimbus network device keeps the device secure as it helps maintain the confidentiality and integrity of the information recorded by the device. At the same time, the information in the exchange can be encrypted and protected from hackers.

02. Design a secure device and create a separate network

Designing a better device with a focus on improving the security of IoT devices is important. A timely internal review of how the device behaves under certain conditions is important for deciding how to change the device's system.

03. Apply IoT API protection to guard against identity spoofing

The role of API security protection is to allow only authorized devices to communicate with each other. Companies and users can be notified of any unauthorized access and operation of the system.
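The check described in item 03, as an added example that is not part of the original article: a gateway accepts a request only from a registered device, rejects spoofed, stale, or replayed requests, and records each rejection so operators can be notified. The device IDs, keys, function names, and the choice of per-device HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed registry of authorized devices and per-device secrets (assumption:
# in a real deployment these live in a secure element or a key vault).
DEVICE_KEYS = {
    "sensor-001": b"constructed-key-for-sensor-001",
    "lock-017": b"constructed-key-for-lock-017",
}
MAX_SKEW_SECONDS = 60  # reject requests dated too far from gateway time
seen_nonces = set()    # accepted (device_id, nonce) pairs; expire these in production
alerts = []            # rejected attempts, to be forwarded to operators and users


def sign_request(device_id, key, timestamp, nonce, body):
    """Device side: MAC over identity, freshness values and payload."""
    parts = [device_id.encode(), str(timestamp).encode(), nonce.encode(), body]
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def reject(device_id, reason):
    """Record the unauthorized attempt and deny the request."""
    alerts.append({"device": device_id, "reason": reason})
    return False


def verify_request(device_id, timestamp, nonce, body, signature, now=None):
    """Gateway side: True only for a fresh request from a known device."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return reject(device_id, "unknown device")
    expected = sign_request(device_id, key, timestamp, nonce, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return reject(device_id, "bad signature")
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return reject(device_id, "stale timestamp")
    if (device_id, nonce) in seen_nonces:
        return reject(device_id, "replayed nonce")
    seen_nonces.add((device_id, nonce))
    return True
```

A device that claims another device's ID but signs with its own key fails the signature check, which is the identity-spoofing case the item describes.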

In today’s world, the number of IoT devices in use is increasing. At the same time, IoT development is facing challenges. Enterprises should recognize the importance of IoT security and further enhance the technology that protects the security of devices.

Which industries are most vulnerable to IoT security threats?

IoT security issues pervade all industries and fields. That is to say, as long as an industry is related to human life and property, it is vulnerable to the security threats of the Internet of Things.

For example, an attack on a refrigeration system that houses a drug, monitored by an IoT system, could disrupt the viability of the drug if the temperature fluctuates. Similarly, the impact of attacks on oil wells, water systems, and energy grids, critical infrastructure that greatly affects human life, can be devastating.

However, other attacks should not be underestimated. For example, an attack on a smart door lock could allow thieves to enter a smart home. Or, in other cases, such as the 2013 Target hack or other security breaches, attackers can deliver malware through connected systems (the HVAC system in the Target case) to steal personally identifiable information and wreak havoc on those affected.

01. How can IoT systems and devices be protected

The IoT security approach depends on the IoT application and where the business is in the IoT ecosystem. The development and integration of secure software need to be a major focus at the beginning of IoT software. Deploying IoT systems requires attention to authentication and hardware security. Similarly, for operators, keeping systems up-to-date, reducing malware, auditing infrastructure, and securing credentials are critical.

IoT security standards and legislation (US and Europe)

01. EU Internet of Things Security Guidelines

The EU Cyber Security Agency has issued security guidelines for the Internet of Things. On 9 November 2020, the European Union’s Cyber Security Agency (ENISA) published the Security Guidelines for the Internet of Things (IoT) (hereinafter referred to as the Guidelines), which aim to help IoT manufacturers, developers, integrators, and stakeholders who own IoT supply chains make the best decisions when building, deploying, or evaluating IoT technologies. The objective of the Guidelines is to define and identify IoT security challenges and threats to ensure the security of the IoT supply chain. The Guidelines give five recommendations. First, IoT entities should build better relationships with each other, including prioritizing cooperation with suppliers that provide cybersecurity guarantees, working to improve transparency, developing innovative trust models, and providing security commitments to customers. Second, further popularize professional knowledge of network security, strengthen the maintenance and training of professionals, and enhance the security awareness of users of the Internet of Things. Third, achieve security by improving IoT design standards, including the adoption of security design principles, the use of emerging technologies for security control and audit, and the implementation of remote update mechanisms. Fourth, take a more comprehensive and explicit approach to improving security, including establishing comprehensive test plans, integrating authentication mechanisms into circuits, and using factory settings by default. Fifth, make full use of existing standards and successful practices to improve product safety and service quality in the supply chain.

02. U.S. Internet of Things Cyber Security Improvement Act of 2020

The bill was passed on September 14, 2020. Given that IoT device security is an emerging cyber challenge with a national security priority, the bill aims to improve the security of federal Internet-connected devices by addressing cyber security concerns before IoT devices are introduced into federal use. The act requires all IoT devices used by the federal government to meet minimum security standards published by NIST.

03. Australian Code of Practice: IoT Protection for Consumers

The Act was published by the Australian government on September 3, 2020, and has been seen as a first step toward improving the security of IoT devices in the country. In view of the global nature of IoT device security, the industry standards proposed by the Code of Conduct are consistent with other international standards and are based on 13 principles, mainly including no repetition of weak or default passwords, implementation of vulnerability disclosure policies, continuous software security updates, secure storage of credentials, personal data protection, minimized exposure of attack surfaces, secured communications, software integrity, systems that are resistant to interruptions, measurement data monitoring systems, etc. Among them, cryptography, vulnerability disclosure, and security update action are recommended as the top three principles for the industry to prioritize because they enable the greatest security benefits in a short period of time.

04. Similarities and differences between European, US, and Australian IoT security laws and guidelines

The Acts improve the security protection standards for IoT devices in many ways. This article introduces a number of security standards for IoT devices in the European Union, the United States, and Australia, such as ensuring that the complexity of the device password is high enough, multi-factor authentication methods, ensuring the security of identity credentials such as secure storage, timely disclosure and repair of security vulnerabilities, providing regular security updates to minimize exposure of the cyber attack surface, and more.

All three Acts focus on strengthening the protection of personal privacy in the Internet of Things. Laws and guidelines in the EU, US, and Australia all make privacy protection an important part of IoT security. For example, Australia has proposed in its code of practice that IoT devices should have privacy protection by default, and that personal data must be processed with the prior consent of the user. The device should also support users to delete personal data at any time and have the right and time to revoke privacy, so as to maximize the protection of users’ personal privacy and sensitive data.

The coverage and target of the Acts are different. The Australian Code of Conduct is consumer-oriented, helping to raise awareness of the security protections associated with IoT devices, increasing consumer confidence in IoT technology, and enabling Australia to benefit from its rollout. The EU guidelines target IoT supply chain entities such as IoT device and software developers, manufacturers, security experts, procurement teams, and other supply chain entities. By studying and responding to different security threats faced by the supply chain at different stages, the purpose of building a secure IoT ecosystem is achieved. The US Act mainly covers the US federal government and aims to regulate the government’s security assessment of IoT devices and ensure that IoT devices purchased and used by government agencies meet security standards.

Government regulation of IoT security has varying effects. The EU Guidelines and Australia’s Code of Practice are not mandatory, as they are recommended measures from the relevant government agencies. The U.S. bill is governmental and contains several mandates, such as an explicit requirement for the National Institute of Standards and Technology (NIST) to publish standards and guidelines for the use of Internet-enabled devices security within 90 days of the federal agency’s enactment of the bill to guide executive agencies and budgets conduct internet censorship; the federal government and agencies will not buy or use IoT devices that do not meet security requirements.