March 23, 2018
The Internet of Things has enabled users to do things in ways never imagined before. IoT is growing at a very fast pace, and IPv6, 4G, and 5G technologies have added fuel to this growth. Researchers estimate that by 2022, the number of active wireless connected devices will exceed 40 billion.
The advent of IoT has opened new possibilities to hackers. Less than 10 years ago, it was impossible to imagine that a microwave oven could be used to hack the Facebook account of a user or multiple refrigerators could be used as a botnet to bring down an IT system, but it is happening today. IoT has penetrated our lives via these connected devices, which allow themselves to be controlled and operated remotely. Launching a “Denial of Service” attack is easier on embedded devices, as these devices are scarce on computing resources. Untrusted code such as worms, viruses, spyware, and other malware can be easily installed on these devices by leveraging design flaws commonly found within embedded software.
Researchers have found critical vulnerabilities in a wide range of IoT baby monitors, which could be leveraged by hackers to monitor and control live feeds. In another development, connected cars were compromised and hackers were able to take control of the entertainment system, unlock the doors, and even shut down the car while in motion.
As newer IoT services are evolving, many of these services are dealing with critical control and user data. Security concerns for these systems are also becoming a fundamental design requirement.
Undoubtedly, securing these IoT systems is a challenging task. Traditional security measures cannot be directly applied to these systems due to various factors specific to the IoT ecosystem. This blog discusses the major challenges and concerns in providing security for IoT systems.
Wikipedia defines attack surface as “The attack surface of a software environment is the sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.” 
Since an IoT system comprises multiple edges and tiers, it has a large attack surface, including device physical interfaces, the device web interface, device firmware, the network services interface, the administrative interface, the cloud web interface, vendor backend APIs, etc.
All these attack surface areas need to be examined while devising a security solution for the system. Each attack surface opens an opportunity for a hacker.
Man in the Middle (MitM) attacks are very common when devices communicate via plaintext protocols. MitM is a general term for when an attacker secretly positions himself between an application and the user to access and/or relay the altered communication. Furthermore, along with encrypting communication, the data stored on the devices should also be properly encrypted.
An IoT system comprises a large number of heterogeneous connected devices, with each device being a potential risk to the system. It is important for the service provider to preserve the confidentiality and integrity of the data collected and sent across the network. The heterogeneous nature of these devices makes the task of securing all of them even more challenging. A weakness in one device could open access to other devices on the network.
IoT devices are essentially embedded devices that have their own limitations, the three most prominent being:
These constraints imply that the same security features used in desktop computers can’t be used for IoT devices and alternate solutions are required. One of the alternatives is to use a central hub. These hubs link the long-range network connections requiring large amounts of power like cell-networks, parabola-connections or Wi-Fi connections, while the shorter-range network connections requiring low power are provided by technologies such as ZigBee, Z-Wave or Bluetooth Low Energy. Edge devices report their data to the hub, and the hub forwards either processed or unprocessed data to central storage.
Most of the time, IoT devices are installed and operate outside the physical possession of the service provider. Any compromise of the device can lead to the introduction of a rogue device within the network. Any unsecured storage or ports are targets for the hacker to tamper with the device. Security credentials stored within the device control all the security aspects of the device, hence utmost priority needs to be given to storing the security credentials securely within the device.
IoT devices allow themselves to be controlled and operated remotely; thus, robust authentication and authorization are required to prevent access by malicious users. Some strategies include certificate-based authentication, password/PIN-based authentication, biometrics, etc.
Since these devices are generally provisioned online, a device should have the capability to auto-update its credentials over the air without manual intervention.
For authorization, there is a need to implement a security strategy that safeguards users and data while providing granular control over data privileges, such as specifying what data can be copied to external devices.
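The plaintext-protocol MitM risk and the certificate-based authentication described above can be checked on the device side. The following is an added example, not code from the original post or from any vendor: it builds a TLS client context for device-to-cloud traffic and audits a context for settings that leave the channel open to interception. The function names and the optional file paths are hypothetical and supplied by the caller.

```python
import ssl


def hardened_device_context(ca_file=None, cert_file=None, key_file=None):
    """TLS client context for a device talking to its cloud endpoint."""
    # cafile=None falls back to the system trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        # Certificate-based device authentication (mutual TLS):
        # the device presents its own X.509 certificate to the server.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def weak_device_context():
    """Constructed 'before' case: traffic is encrypted but the peer is not verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return findings that would let an on-path attacker relay or alter traffic."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_device_context()),
                      ("hardened", hardened_device_context())):
        print(name, audit_context(ctx) or "no findings")
```

A device with an unverified peer still encrypts its traffic, but it will complete a handshake with whoever answers, which is exactly the position a MitM needs.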
Untrusted code, such as worms, viruses, spyware, and other malware installed on a device, often compromises the device. Device manufacturers need to implement security measures that stop the untrusted code from launching and unauthorized changes from being made.
Also, software bugs and vulnerabilities can lead to undesired functionalities, aiding attackers in extracting sensitive information. Thus, it is a good practice to follow proper guidelines and agile methodologies to avoid any software vulnerabilities.
Whenever a vulnerability is detected, it is the vendor’s duty to mitigate the risk and minimize the consequences. Thus, how well prepared a vendor is to deal with a risk greatly determines the severity of the impact. The vendor must have processes and procedures in place to prevent, protect and respond to security threats.
The rapid increase in the installation of rogue and counterfeit IoT devices in networks makes the management of the network an uphill task. Not only do these fake products cause revenue losses to OEMs, but they can also be configured to function as rogue access points and thus pose a security threat. They can cause malfunctions and can be used to tap into company networks.
Security is only as strong as its weakest link, so providing the best security for cloud, network and mobile applications is not enough; one must also consider the vulnerabilities on the tiny embedded devices that are an integral part of the system. Any security solution catering to the security requirement should be able to understand the overall security requirement of the system. This is a challenge as it involves multiple stakeholders: device manufacturers, cloud platform providers, IoT service providers, etc.
As is evident from the above, providing a holistic solution is one of the major challenges in IoT security. HSC, with its expertise in IoT, embedded and networking, has the right mix of experience to put the pieces together and provide an end-to-end security approach for the IoT system. HSC’s solution aims to provide secure storage for the device credentials, which can be used to authenticate and identify the device whenever it communicates with the cloud. It also provides a mechanism to securely update and provision the credentials of an IoT device.
The solution works in conjunction with the IoT server and device applications and supports credential management by managing the X.509-based certificate lifecycle. One of the approaches for secure storage is to use a UICC-based solution, as UICCs are considered safe even when installed in a hostile environment. Some areas of focus are: