SBM4304 Security and Risk Management
Any of the devices in the Internet of Things are known as IoT devices, that can be considered as non-standard computing devices that connect to a network wirelessly and are able to transmit data. IoT’s associate themselves with devices that can connect to the internet and are beyond standard electronic devices like laptops, desktops, tablets and smartphones to any range of non-internet enabled appliances and everyday objects. Interaction among the devices get easier and efficient when all the devices are connected to the internet under a similar setup. The narrative below attempts to understand the security and privacy concerns of such devices and understand the different vulnerabilities that such devices may pose to the user and the population general. The paper will classify the different types of IoT devices and attempt at understanding the different levels of threat that they may pose.
IoT device examples and applications
In a scenario of connected IoT devices, every device that is connected to the internet can interact with each other and operate in sync. Such networks can be used for automating domestic and industrial activities and communicating sensor data to users, corporations and other interested parties. IoT devices can work for people in concert with each other at home, in industries and in an enterprise to reduce the workload and increase efficiency. Enterprise,consumer and industrial are the basic segments in which a general network of devices can be brought forward.
Consumer connected devices include smart speakers, smart TV’s, toys, wearables and other smart appliances that use the internet to anticipate the needs of the consumer and make their life easy by automating various functions thus increasing the efficiency of the said consumer (Wurm, et al. 2016). These devices are able to send consumer data to different third party interests that can use these datasets to improve the performance and update the device to function more effectively in the future. Smart home devices have come a long way from their base models and now have fully automated various aspects of the domestic life thus reducing various domestic tasks and increasing the productivity of the user.
Smart meters, smart city technologies and commercial security systems like those used to monitor traffic and weather conditions are examples of enterprise and industrial IoT technologies. These record, analyse and propagate data on a much larger scale and create various efficient systems that reduce that workload of governments and corporations. They help monitor the population with ease and provide security at a much proficient level. They help detect anomalies with much more efficiency. For example, sensors mounted on factory assembly lie machines provide sensitive data to the plant operator and predict which parts may be in need of replacement and reduce the chances of anomalies and in severe cases accidents that may otherwise jeopardize the whole operation. Such devices can prevent unexpected downtime, loss of productivity and profits (Khan and Salah, 2018). Infield such devices and systems may help reduce can send notifications and to reduce the workload of carefully diagnosing the issue to find out what is wrong.
In enterprise smart sensors located in various levels of the workplace can ensure the overall efficiency of the workforce by various tools that can calculate productivity and measure the quantity of work that is being done. Smart networking devices can help streamline the workflow ensuring that it's running i9n the most efficient way possible and reducing lag. Other features include automatic adjustment of temperature to suit the ambience and other comfort settings that will streamline meetings and giving proper issues a chance to be discussed without having any technical difficulties. Such systems record data continuously to update themselves and perform better with time.
Threats against IoT devices.
The interconnection of no internet devices raises many number of questions relevant to security and protection of privacy of the data that is being collected by such devices. IoT technology has progressed exponentially in recent times due to the auto-update feature and the mechanisms that are in place to safeguard and secure the data collected has not reached the side efficiency. Thus the threat to privacy and security of users remain relevant and an issue of concern in modern times. The data collected can be exploited easily by various elements who might use information as a weapon. Some IoT systems have become medically critical and essentially life-saving but without security, they can be equally fatal and become the cause of death.
Pacemakers, for example, have now been connected to a network in order to monitor their efficiency and detect anomalies. Networked pacemakers have become lifesavers as dysfunctionality can now be detected more efficiently and the product can be repaired or replaced without delay. But such IoT pacemakers have the possibility of getting hacked as researchers have proved and remain a threat to users who may face fatal accidents and intentional attacks on them (Miettinen, et al. 2017). A recent variation of the pacemaker hacks have evolved to direct malware installations that may make the pacemaker vulnerable and cause it to stop at a random moment or a time chosen by a perpetrator. Such incidents can occur and render the pacemaker useless taking the life of a user. This is one of the many threats that the IoT devices in the healthcare sector face and without proper security measures, such fatal incidents can increase the risk to reward ratio of such devices causing more harm than good.
Another incident that has become a relevant threat to IoT devices is the threat of ID leaks and the leaking of sensitive user information by hacking into the IoTs mainframe and collecting the data. In July of 2019, a flaw was detected in the Bluetooth communication protocol that caused modern devices to expose sensitive user information. Such devices could be used to track and leak identity information to perpetrators with malicious intent. These hacks could be used to spy on users despite native protection and built-in protective firmware and could have infected various operating systems. But the issue had been addressed by several service providers and does not remain relevant anymore according to sources.
Another recent incident of exploiting IoT devices for malicious intent is the use of Home Smart Assistant to eavesdrop on users and gather knowledge without consent. They have also been known to use such information in order to trick users into handing over sensitive information like financial accounts and passwords that protect sensitive data (Xiao, et al. 2018). The threat remains relevant as cases continue to emerge. Though main the main vendors of these services Google and amazon have responded to such allegations by saying they have updated the firmware to reduce the risk it has still not been mitigated and remains a threat to IoT devices.
Countermeasures Against IoT Threats.
With such a rapid development of IoT technologies, the threats have also updated and are certainly relevant to the current users of IoT tech. Countermeasures have to fund it, challenging to update themselves at the frequency by which the devices have upgraded themselves. It is now critical that we protect our data being individuals as well as organisations which are critically dependent or such technologies in our day to day life. It is also critical that we understand how such protection may be taken and update ourselves of the abuses that leave us vulnerable as users. The first step to ensuring protection is to be attentive to our own data and allow manufacturers to put more focus on the primary objectives of IoT devices that are to improve the quality of life. Thus dictating the terms of using IoT devices is our responsibility and policies should be framed accordingly to protect the privacy and digital security of users.
Safeguarding IoT devices their networks can be challenging as they connect to and are manufactured by various vendors and developers. It is also difficult to anticipate the security needs of such devices as they are resource-constrained devices. In some cases, the problem can be traced back to default passwords that are more often than not, not changed by the user. Thus it is easily accessible to elements with malicious intent (Bertino and Islam, 2017). A strong password, authentication, identity management and authorization , network segmentation, encryption and cryptography are some suggested security measures that can make the use of IoT more secure and encrypted.
The Cybersecurity improvement act of August 2017 was introduced by the Senate of the United State in addressing the cyber security issues which directly impacted the internet of things devices.. On proper evaluation it was found that the act only determined the regulations that Federal government authorities need to follow while buying internet of things devices. Following the similar guidelines presented in the act of August 2017 by the United States Senate around the world there will surely be security in cyberspace..
Ensuring IoT security is primarily user-based. The user has to take initiative in order to protect sensitive data be it personal or organisational (Dorri, et al, 2017). Corporations are as much vulnerable to hacks uch as individuals. Ensuring security is largely dependent on the amount of security that has been updated to protect the system. Some measures include being continuously informed about the latest update of specifications and databases that are frequently upgraded in order to protect systems from the latest threats. Updating the definitions of malware in anti viruses and protection softwares is critical to ensure a safe system. Using verified protection softwares from reputable software goes a long a way in protection of softwares from intentional harm
Disabling the remote access feature of IoT’s when not in use or not part of the core function is also a proven way of protecting the system.open chanelstha remain active when using remote access is another way of making systems vulnerable and prone to hacks. Different cracks in the system may emerge when the remote access is not disabled for a long period of time. Ensuring a proper firewall and disabling the system of remote access without failure makes the system more secure and ensures that malicious elements cannot get in the system during three periods via remote access channels.
Authentication Protocols for IoT Devices
AMQP can be defined as an application layer protocol that is binary in nature and designed to support a wide range of communication patterns and messaging applications effectively (Blythe and Johnson, 2018). It provides message-oriented communication, flow controlled and guarantees of message delivery such as at-most-once (where each message will be delivered once or never), at-least-once (where each message will certainly be delivered, but may be delivered multiple times) and exactly-once (where the message will always arrive only once with certainty), and authentication encryption and/or authentication based on SASL and/or TLS. It functions by assuming an underlying reliable transport layer protocol, for example Transmission Control Protocol (TCP).
Constrained Application Protocol (CoAP) refers to an Internet Application Protocol designed for constrained devices specifically, as defined in RFC 7252. It attempts to enable those constrained devices referred to as "nodes" for communicating with the wider Internet using congruent protocols (Simpson, Roesner and Kohno, 2017). CoAP is designed to be used between devices that are part of the same constrained network (e.g., low-power, lossy networks), between devices on different constrained networks and between devices and general nodes on the Internet, both combined by an internet. Mobile phone networks also use CoAP for connecting with other mechanisms in the communication world.
This paper is an attempt at understanding the various IoT devices that are currently in the market and how they have changed the digital world. The paper focuses on the threats to security and privacy that such devices pose to users both individuals and corporations. The paper discusses the failure of countermeasures to effectively face the problem as these devices have updated themselves exponentially and it has been ineffective for the counter measures to keep themselves updated. Various cases of such breaches have been pointed out and several countermeasures have been specified in contrast to balance the rhetoric. A couple of authentication protocols have also been narrated in order to understand the specific techniques that can be utilised in order to protect systems from malicious elements that may use data in order to cause harm.
Wurm, J., Hoang, K., Arias, O., Sadeghi, A.R. and Jin, Y., 2016, January. Security analysis on consumer and industrial IoT devices. In 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC) (pp. 519-524). IEEE.
Khan, M.A. and Salah, K., 2018. IoT security: Review, blockchain solutions, and open challenges. Future Generation Computer Systems, 82, pp.395-411.
Miettinen, M., Marchal, S., Hafeez, I., Asokan, N., Sadeghi, A.R. and Tarkoma, S., 2017, June. Iot sentinel: Automated device-type identification for security enforcement in iot. In 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS) (pp. 2177-2184). IEEE.
Xiao, L., Wan, X., Lu, X., Zhang, Y. and Wu, D., 2018. IoT security techniques based on machine learning: How do IoT devices use AI to enhance security?. IEEE Signal Processing Magazine, 35(5), pp.41-49.
Bertino, E. and Islam, N., 2017. Botnets and internet of things security. Computer, 50(2), pp.76-79.
Dorri, A., Kanhere, S.S., Jurdak, R. and Gauravaram, P., 2017, March. Blockchain for IoT security and privacy: The case study of a smart home. In 2017 IEEE international conference on pervasive computing and communications workshops (PerCom workshops) (pp. 618-623). IEEE.
Blythe, J.M. and Johnson, S.D., 2018. The Consumer Security Index for IoT: A protocol for developing an index to improve consumer decision making and to incentivize greater security provision in IoT devices.
Simpson, A.K., Roesner, F. and Kohno, T., 2017, March. Securing vulnerable home IoT devices with an in-hub security manager. In 2017 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops) (pp. 551-556). IEEE.