Security and the IoT ecosystem

Security in systems design and development tends to be an afterthought, but it should be considered throughout the product lifecycle. One area where the number of exploits is exploding is in the quickly growing market of the Internet of Things (IoT). This article explores the spectrum of security in the context of IoT, including access security (authentication), data security (encryption), and security analytics (policy-based controls).

To understand the scope of security in terms of IoT, you need to understand the Shodan search engine. Shodan focuses on internet-connected devices and enables users to search based on device type, such as web cameras, smart TVs, refrigerators, supervisory control and data acquisition (SCADA), routers, or traffic lights. Users can refine searches to a specific country or city, operating system or web server on a device, or ports that expose a service (such as a Minecraft server). Users can even search devices based on lack of configuration (by using default passwords, for example). Shodan is used by security researchers as well as those with more nefarious intentions, but it demonstrates the state of IoT devices in the wild.

An IHS Markit survey estimated that 80 billion IoT devices currently exist — a number that will grow to 125 billion by 2030. The rapid growth of IoT and the state of its security illustrate an expanding problem.

The IoT ecosystem

This trend, Internet of Things, is called as such because it relies on connectivity through the Internet to gather and centralize data for use in analytics or to expose data to a user. But introducing Internet accessibility to devices makes them targets at many different levels.

In general, you can separate the IoT ecosystem into three levels (see Figure 1):

  • Data center (public or private cloud)
  • Gateways (intermediary communication gateways)
  • Endpoint devices (distributed IoT devices)

    Figure 1. The IoT ecosystem offers multiple levels of attack
    Image showing avenues of attack on IoT devices

At the top level is the data center, represented by a public or private cloud (or a hybrid cloud constructed from both). The data center can serve two purposes: It can be the origin of control of IoT devices, or it can be the endpoint for data that’s coming from dispersed IoT devices. Between the data center and the IoT devices are the intermediary communication gateways (also called edge network devices). These gateways could be factory floor devices that gather data from distributed endpoints through a Bluetooth or WiFi connection and then communicate that data to the data center.

Finally, there are the IoT devices: wearables, vehicle computers, distributed sensors, wireless cameras, weather stations, and the many devices that make up the changing IoT universe. You’ll commonly find a symbiosis between edge devices and IoT devices because when IoT devices become simpler and multiply, they rely on the edge gateway to perform more functions (such as data compression or security functions).

Access security

Authentication plays numerous roles within the IoT ecosystem. As a user, when you log in to a system, you are authenticating yourself to that system. As part of this process, authentication provides for access controls that determine what you can do on the target system. Authentication methods like user logons are based on a shared secret — something known to both sides. In this model, you have a user name and password, and you must correctly provide both to authenticate yourself successfully. The process is similar in machine-to-machine (M2M) models, where an IoT device can authenticate and connect to a gateway to transfer data or to update firmware or configuration.

But static passwords can be problematic and aren’t recommended for production systems (although they’re predominant in consumer systems like web cameras). Weak passwords or lack of configuration that are a result of default passwords (as Shodan illustrates) represents a real vulnerability. Recently, the network-enabled light bulb LIFX was broadcasting user names and passwords in clear text over WiFi, making it easy to exploit.

Data security

When two entities are authenticated to one another, they can exchange information (for example, an IoT gateway communicating collected data to a cloud-based infrastructure). But, sending information over a network in clear text means that data is susceptible to eavesdropping and collection. Similarly, if attackers can access an IoT gateway (either physically or over the network), they can compromise the data on the device.

These issues point to the need for data security, both during communication (in flight) and on media within the device itself (at rest). Data security is commonly performed through encryption, which translates the data into a form that is unreadable without a key to unlock it. Similar to access security, the key used to encrypt the data is another form of a shared secret that has flaws if the key is stored within the devices that need to encrypt or decrypt the data.

Data security isn’t a theoretical issue, and many examples exist of IoT devices that don’t protect their data. Symantec found that 19 percent of IoT devices used unencrypted network communications between the device and the back-end cloud-based application. Lack of transport encryption is number four on the top 10 IoT vulnerabilities (according to the Open Web Application Security Project.

The solution to both access security and data security is public key infrastructure (PKI).

Public key infrastructure

A PKI exists to support asymmetrical cryptography (also called public key cryptography). In this cryptographic system, a pair of keys exists for cryptographic functions (see Figure 2). The public key is not a secret and can be used by any device to encrypt data (in this example, for the gateway). The private key is a secret (known only to the receiver) and can be used to decrypt the data. By encrypting the data prior to communication, no one can eavesdrop on or use the cipher text data (using a man-in-the-middle attack). If a nefarious device tried to spoof itself as an IoT gateway, it could receive data from IoT devices but wouldn’t be able to use that data without the private key.

Figure 2. Public key cryptography
Two boxes side by side showing cryptography between IoT devices and gateways

Statically configuring keys in devices can be a management headache (consider a large IoT system with millions of devices) but can also create security issues. This issue introduces the need to manage keys in a way that the construction and dissemination (and revocation) of keys can be automated. This is where PKI comes in.

PKIs come in many varieties, but at a high level, a PKI binds public keys to devices (such as IoT endpoint devices) through a certificate authority (CA). This binding serves two purposes. First (and most obvious), it allows an IoT device to encrypt data to protect it while it travels across public networks like the Internet. Second, the binding process permits authentication of a device to the IoT gateway, given that the public keys are bound to specific devices (through a secure process itself involving a public key for the CA). As the scale of IoT grows, the use of PKI helps increase the security of an IoT system and limit the effort required to manage its security.

Cryptography can be expensive, in terms of both power and computational complexity. For this reason, lightweight cryptography standards are emerging to help protect low-power, low-bandwidth devices.

Security analytics

In October 2016, a massive distributed denial-of-service (DDoS) attack took down much of the Internet on the US East Coast. The attack focused on Domain Name System (DNS) servers, which translate web addresses to IP addresses (allowing clients to connect to them). What made this DDoS attack unique is that the source of the attack wasn’t a small collection of computers but a large botnet of IoT devices (like DVRs, web cams, or WiFi routers), all of which were infected with a specific type of malware called Mirai. Once infected, the botnet was activated to communicate to DNS servers a SYN packet attack that made them inaccessible to those trying to resolve addresses and surf the Web.

This type of attack didn’t occur overnight, and devices all over the world became infected with the Mirai malware, enlisting them into this latent botnet army. Protecting against this type of attack requires insight into IoT devices. For example, is the behavior of the device different than a typical device? Does the device show failures? Does it connect to or receive connections from endpoints that might not be authorized? Monitoring massive numbers of IoT devices is not a manual task; therefore, something new is required.

This is where security analytics comes into play. Security analytics refers to a multidimensional analysis of an IoT ecosystem (from IoT device to gateways to the cloud). Security analytics must be automated and orchestrated across the ecosystem with minimal human intervention. IoT Platforms like the IBM® Watson® IoT Platform provide a spectrum of analytics capabilities that combine real-time analytics, machine learning, and edge analytics in a scalable manner to protect the IoT ecosystem.

The IoT’s security future

Even with its faults, IoT is here to stay. In fact, it’s not just staying, it’s getting smarter and more distributed and scaling from smart homes to smart cities. The IoT will grow in the context of security capabilities, but computer security will change under the pressure of the IoT.

One area where IoT will drive security is in blockchain. Blockchain is most widely known as a digital ledger in which cryptocurrency transactions (represented as blocks) are added to a growing chain. These records are protected and cannot be altered because they include a cryptographic hash of the prior block in the chain. In the context of a cryptocurrency, these records represent transactions. Blockchain is not a singular chain, but rather a distributed, decentralized system that has no single point of failure and cannot be modified after the fact.

While useful in cryptocurrencies, this technology can also be used to record events such as collected sensor data within an IoT device (to protect against malicious data). It can record historical data about a device as well, such as accesses, firmware upgrades, and other transactions to detect attempted accesses or violations of device policies. Learn more about Blockchain by exploring the articles, tutorials, and code patterns on IBM Developer.

Going further

The Internet first appeared to connect remote computers using standard protocols. But, the evolution of the Internet is expanding to bring together massive numbers of devices that provide a wide spectrum of capabilities. This massive growth brings new problems and requires that devices in the IoT ecosystem incorporate security as a key design element, not just as an afterthought. These devices also require active management based on analytics to ensure that they continue to operate normally. Future technologies, including machine learning, blockchain, and lightweight cryptography, will help ensure that IoT devices aren’t weaponized against us.

M. Tim Jones