Internet of Things (IoT) refers to the connected objects, capable of processing, storing, and sharing information with other IoT devices. The IoT architecture can be divided into three generic layers, that is (a) perception layer, (b) network layer, and (c) application layer. The perception layer is the ground layer that interacts with the physical or external environment for data collection. The network layer is responsible for data transportation. The application layer performs the desired functions based on the information it receives through the network layer. IoT functions are usually performed automatically without human interaction. That’s why IoT objects are often termed as smart objects. Examples include smartphones, smartwatches, smart homes, smart cars, etc. IoT devices are becoming an integral part of our daily life. Different research studies expect 75 billion IoT devices around us by the year 2025; that makes 9 devices per human in this world. Although there are billions of IoT devices generating approximately 2.5 quintillion bytes of data every day, the majority of these devices have limited resources. The resource-constrained nature of IoT devices makes them vulnerable to a variety of cyber-attacks. Following is a brief overview of the most common cybersecurity issues in IoT networks along with possible solutions. Addressing these issues can greatly reduce the IoT data breaches despite the constrained nature of the Internet of Things.
IoT manufacturers often prefer functionality over security. In some cases, this idea may work. However, all IoT devices cannot afford a tradeoff between security and functionality. Healthcare is one example where a lack of security can bring life consequences for the users. Security researchers have demonstrated how hackers can compromise healthcare IoT devices like pacemakers, putting patients’ lives at risk. The IoT devices, especially the healthcare gadgets, must pass a strict security test before they can be used for critical operations like a heart pumping.
Rogue devices are the biggest security challenge for the Internet of Things. The IoT framework usually comprises of a network of security devices that coordinate with each other. The presence of one rogue device can give hackers access to the whole network without compromising any further devices in the network. Rogue devices should be identified and replaced with secure devices. Network segmentation should be applied to separate the vulnerable devices from the rest of the network.
Often times, secure IoT devices come under attack due to outdated and unpatched versions. Many IoT devices require regular security updates and patches issued by the vendors. Some IoT devices are capable of installing security updates automatically, others may require manual installation of updates and security patches. There should be a regular check for security updates from the vendors for manual devices.
One obvious reason for using outdated/unsecured IoT devices by the consumer is the dependence of IoT networks on legacy protocols with known vulnerabilities. Although there is a lot of research work going on in the field of IoT, not many studies focus on updating the existing security protocols used by the majority of the IoT devices. Collaborative research work is required to remove security discrepancies in such protocols.
Many organizations fail in keeping track of all the IoT devices for different possible reasons. The existing IoT devices are often replaced without being reported. Sometimes, new IoT devices are introduced in the network as a temporary enhancement. At times, the newly introduced devices fail to meet the security policy of the existing IoT network, opening ways for potential cyber-attacks. To avoid these security challenges, organizations should not allow the installation or replacement of new IoT devices without being reported to the security department. A proper security audit should be performed for the newly introduced devices to make them aligned with the deployed security policy and standards.
Many IoT frameworks comprise of devices from different vendors. In the absence of standardization, many producers follow their own specifications guidelines while producing smart gadgets. This may create software conflict among many devices working in a single IoT network. The conflict may give rise to security challenges. To tackle this issue, there should be a global or vendor level consensus among IoT manufacturers to ensure the interoperability of IoT devices without compromising network security.
Internal Security Challenges
Internal security challenges often arise due to human errors. For instance, a Wifi dedicated to IoT network is often used by the employees to connect their personnel mobile devices and tablets. According to a mobile security study conducted by the United States of Homeland Security (DHS)1, mobile users are vulnerable to a number of cyber-attacks including DOS, information disclosure, spoofing, and information tampering attacks. Therefore, users should not be allowed to use or access organization resources from unauthorized gadgets like personnel mobile devices.
Lack of Physical Security
An IoT network may comprise sensors and other smart devices that are deployed in an open or unsecured environment. Physical access to these devices may allow hackers to physically tamper the devices, inject malware, or extract information using peripheral devices. The physical security of these IoT devices is as important as securing the devices from a virtual cyber-attack.
Use of Default Credentials
Many IoT devices come with publically known default usernames and passwords. It is also a fact that a large number of people and organizations don’t bother to change these default credentials, offering an easy opportunity to hackers. Mirai botnet is an example of a similar cyber-attack where the malware managed to infect around 600,000 IoT devices that were using the default secret credentials. The users must change the default credentials to avoid password brute-force attacks. The vendors must ensure that the users update the default passwords during the first interaction or deployment phase of the IoT devices.
Authentication is one of the core challenges in IoT devices. The majority of the IoT devices are resource-constrained in nature. Hence they lack the capability of adopting the classic authentication protocols that require aggressive computing powers. Without authentication, any rogue device can become a part of the IoT network. Lightweight authentication protocols should be introduced to ensure mutual authentication prior to data communication among network devices.
Data Encryption Issues
The constrained nature of IoT also imposes data encryption challenges for smart devices. The majority of IoT devices share data in plain text with other IoT devices. Data transfer over insecure channels in plain text is vulnerable to a number of threats including eavesdropping, data modification, information disclosure, and data destruction attacks. Lightweight data encryption techniques should be used to ensure the confidentiality and integrity of data transfer over insecure channels.
The IoT buzz has taken the world by storm but many organizations are struggling in achieving the desired security level due to various challenges mentioned in the article. Through periodic security audits, organizations can identify and rectify potential IoT security threats. There should be strong IoT security policies and guidelines to help organizations in mitigating the growing IoT security threats.