When considering the Internet of Things (IoT) as a whole, it is easy to get excited about the current benefits and expanding potential of connected devices and sensors. From smart cities, to connected homes, and even autonomous networked medical devices, the application of IoT technologies is growing at a phenomenal rate. While there is no argument that IoT will bring unprecedented benefits, convenience, and functionality to governments, businesses, and consumers, there is always going to be the question of security. Unfortunately, some industry insiders and IoT users don’t think about security enough. Besides the technological challenges of designing and implementing IoT devices and infrastructure, security is the biggest hurdle to overcome.
The Current Security Challenges in IoT
Defining the security challenges in IoT could be described as difficult, and even that would be an understatement. With numerous proprietary networks, devices, and use cases, the security challenges are as varied as the actual applications of IoT.
To understand how vast the challenges are, it can help to compare IoT to a relatively closed network, such as a Wireless LAN. Within a typical WLAN, devices connect through a single access point. To secure the network, authentication is implemented. Password protection protocols like WPA and WPA2 are used, with the latter being notoriously difficult to crack. To introduce further security, MAC address restrictions can be enforced, meaning that only known devices can interact with the access point. Are these protection completely impenetrable? No, but they do provide an effective obstacle.
Now, considering that the above scenario operates on a standardized platform, with devices conforming to the standard, it is easy to see how unstandardized networks that are immense in scope, would be much harder to secure.
The Internet of Things is fragmented, that is a fact. In some cases, sensors could communicate without encryption and without security, simply because early adopters have failed to understand the value in security, or are ignorant to the needs in the first place. In some cases security is trivial. How much damage can an unauthorized party cause by accessing a connected lawn sprinkler system? In other cases, damage could be extensive, such as in the case of a corporate alarm and access control system, a motor vehicle with internet connectivity, or an IoT based patient drug dispenser or vital signs monitor.
Part of the problem is in design and deployment. Operators are often more concerned about functionality than security. And engineers are pressured to push devices and systems out quickly, which can mean that security is neglected, or comes as an afterthought. As an example, some devices might be designed to use AES encryption for down and upstream traffic, but these same devices may be connected to LAN or WAN networks that are unsecured or that were not designed to provide robust security for the devices that connect to them.
Exploits exist, and there are even IoT devices that communicate using older protocols that already have numerous known exploits. OpenSSH 4.3 is one example. Although the secure shell offers encrypted network traffic communications, when not provisioned correctly, it could allow for exploits through roaming patterns and other behaviors. A default OpenSSH configuration could allow for plain text data to be compromised by hackers or software with a relatively high level of success. Newer implementations of OpenSSH mitigate some of the vulnerabilities, but again, with IoT we are looking at non standardized systems and deployments that are often unsecure by design.
A Different Approach is Necessary
Although IoT is rapidly growing, it is still considered an emerging market. Because of the rate of growth, it could be argued that security has not kept up with functionality design and deployment. Cost is also a factor. To keep device costs down, it is feasible to expect that security implementations would be lacking, especially with smaller companies and niche devices and sensors. In some cases, designers may not even consider security to be essential, or there could be technical limitations. Low power devices that perform basic functions may not even have the necessary processing power to decrypt and encrypt the data packets that are sent.
The future of security in IoT will depend on a number of factors. Networks must be secure by design, and with expanding standards like NB-IoT, we are seeing this happen. Device designers will also need to look at security from a perspective that goes beyond the scope of their device. Rather than looking at the functionality, they also need to think about other devices that interact with sensors, and how malicious parties or software could exploit connected devices to reach more critical systems.
As the market for IoT expands, the need for security experts will grow, and it represents a huge opportunity for existing IT security professionals looking to move into the connected device industry.
Do you think security awareness (and innovation) is lagging behind other technology, possibly an after-thought? We would love to hear your thoughts in the comments below or tweet us @kadenzSearch