Why is it taking so long to secure IoT?

WHY is it taking so long to secure #IoT - ? 🔒 #security #ai

  • Apparently, securing IoT devices seems trivial: We simply need to adopt well-known security techniques such as encryption, access control, isolation, and authentication.
  • First of all, the heterogeneity among IoT hardware makes it difficult to tailor security techniques according to all types of hardware involved in an IoT network.
  • Popular encryption techniques such as RSA require multiple encryption operations that are very expensive for IoT devices.
  • In another type of attack, an attacker can trick IoT devices by mimicking the legitimate server and install vulnerable software thereby gaining full-privilege access to the device.
  • We don’t really need new security mechanisms instead, we need to revisit the already-developed security techniques in the context of IoT to develop safe and secure IoT systems.

The security of Internet of Things is crucial for its widespread adoption. IoT’s ability to produce huge amounts of data makes it an attractive platform for attackers. Three years ago, HP found that on average 25 vulnerabilities were present in a single IoT device. Consequently, vendors started building more secure devices but the vulnerabilities kept on popping up. At DefCon last year, hackers uncovered 43 new vulnerabilities in 23 new devices.

@tobyruckert: WHY is it taking so long to secure #IoT – ? 🔒 #security #ai

The security of Internet of Things is crucial for its widespread adoption. IoT’s ability to produce huge amounts of data makes it an attractive platform for attackers. Three years ago, HP found that on average 25 vulnerabilities were present in a single IoT device. Consequently, vendors started building more secure devices but the vulnerabilities kept on popping up. At DefCon last year, hackers uncovered 43 new vulnerabilities in 23 new devices.

As a result, we have seen the largest denial of service attack that utilized IoT devices, we have seen attacks on FitBits that revealed geolocation of users and their activities to adversaries, and we have seen how medical devices can be manipulated by an adversary to increase or decrease heart rate of a patient (luckily, this was a demonstration). Everyone understands the importance of security in IoT so why is it taking so long to secure it?

Apparently, securing IoT devices seems trivial: We simply need to adopt well-known security techniques such as encryption, access control, isolation, and authentication. However, it is easier said than done. There are several challenges that arise from the core design of IoT network.

First of all, the heterogeneity among IoT hardware makes it difficult to tailor security techniques according to all types of hardware involved in an IoT network. In other words, “one size fits all” is no more valid in IoT world. Many IoT devices use ARM-based processors which are different from processors that are conventionally used in desktop PCs and laptops. Their instruction set is different and that causes difficulties in using already-developed security techniques, which are tailored for non-ARM processors.

Even if we try to design these techniques while keeping hardware heterogeneity in mind, we face another more important issue: processing capability. IoT devices usually possess limited processing power. Popular encryption techniques such as RSA require multiple encryption operations that are very expensive for IoT devices.

Furthermore, IoT systems require low response times and high scalability. For example, connected cars cannot compromise on response time in order to avoid accidents. If we use RSA encryption scheme in these cars, encryption/decryption operations will slow down the communication process and hence result in high response time which will deteriorate the usability of these cars.

IoT devices also require the ability to remotely update the firmware and other software. Doing so opens the door to more sophisticated attacks where an attacker can hijack the session and push vulnerable software to the devices. In another type of attack, an attacker can trick IoT devices by mimicking the legitimate server and install vulnerable software thereby gaining full-privilege access to the device.

Over the years, researchers have managed to come up with novel security techniques that protect user data and machines. We don’t really need new security mechanisms instead, we need to revisit the already-developed security techniques in the context of IoT to develop safe and secure IoT systems.

As a start, we need to have uniformity in the design of both hardware and software involved in an IoT network. Secondly, we need to use an open-source code on these devices so that bugs/vulnerabilities can be identified and fixed quickly. Using open-source code will also allow users to verify the code running on their devices by using existing techniques such as Trusted Platform Module or others.

These are some of the reasons why it is taking so long to secure IoT. Do you think the security situation will ameliorate as global interest in the IoT domain grows? Let us know in the comments section below!

Mazhar Naqvi is a CS grad student with research interests in computer networks and security. He can be reached at mazhar.naqvi@hotmail.com and you can follow him on linkedin athttps://www.linkedin.com/in/mazharnaqvi

Why is it taking so long to secure IoT?