Limited only by designers’ imaginations, the Internet of Things (IoT) is changing how people live. From medical devices and fitness trackers to tank sensors. Heights of mountains to the depth of ocean IoT is everywhere.
However, by relying on wireless networks, those hundreds of millions of IoT devices present a greater “attack surface”. Making them tempting frontline targets for competitors, hackers, disgruntled employees. Unfortunately, the tools and techniques we’ve applied to PC/smartphone platforms often don’t work well in the IoT for copious reasons.
- Limited resources: IoT devices typically have far less battery power, processing speed, and memory. They lack the power and sophistication required to support traditional security measures.
- Data complacency: Many companies view the data in their IoT networks as mundane and having little intrinsic value outside the organization. But many breaches are motivated by other factors, such as competitive advantage, social status, or revenge.
- Tools: even part-time workers and hobbyists can analyze, modify IoT devices with easy access to tools and expertise in IoT
- No physical access necessary: One of the advantages of the IoT is that devices can be remote. Be configured without the need for dispatching a truck. However, thanks to wireless connections, hackers don’t need physical access to devices such as USB or other I/O ports.
Security threats for IoT devices
Confidentiality: This intrusion exposes sensitive or confidential information, including the viewing of data in the actual device or the cloning of device firmware itself.
Service theft: The criminal uses authentication weaknesses or failures to enable unauthorized devices to access data, services, upgrade feature is unlocked without authorization.
Data Integrity: A corruption of information where unauthorized messages are introduced into a network or control of a device is taken over by an unauthorized party
These three are one of the most common security risks faced while constructing an IoT device.
Things to lookout for when constructing an IoT device
Packet Encryption
This is the “go-to” method for protecting data exchanges in IoT solutions with smaller embedded terminal devices. Most systems have the resources to implement basic encryption, such as FIPS-197/AES, which can protect messages from unauthorized viewing or malicious changes.
Every encryption technique is breakable, but its efficiency is calculated with the time it can withstand an attack. But in today’s world, as cloud computing comes with almost unlimited computing resources, the present-day encryption techniques might become inadequate for securing confidential data in transmission and after transmission. Existing encryption techniques, encrypt the whole data packets in a session using the same session key. If a third party can decrypt a single packet during or after transmission, all the packets in that session can be compromised. This work proposes a packet encryption scheme, where a packet key once used will never be used throughout the session, with minimal latency and maximum security for real-time mobile cloud applications.
Replay Protection
A replay attack is a category of network attack in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it. In other words, a replay attack is an attack on the security protocol using replays of data transmission from a different sender into the intended into receiving system, thereby fooling the participants into believing they have completed the data transmission. This can also be part of an encryption mode
that will use this information within a block cipher. Examples of this are the AES counter mode block cipher.
Message Authentication Code
A message authentication code (MAC). Sometimes known as a tag is a short piece of information used to authenticate a message. The MAC value protects both a message’s data integrity as well as its authenticity. Allowing verifiers (who also possess the secret key) to detect any changes to the message content.
Let us now try to understand the entire process
- The sender uses some publicly known MAC algorithm. Inputs the message and the secret key K and produces a MAC value.
- Similar to the hash, MAC function also compresses an arbitrarily long input into a fixed-length output.
- The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned about providing message origin authentication. Not confidentiality. If confidentiality is required then the message needs encryption.
- On receipt of the message and the MAC, the receiver feeds the received message. The shared secret key K into the MAC algorithm and re-computes the MAC value.
- The receiver now checks the equality of freshly computed MAC with the MAC received from the sender.
- If they match. Then the receiver accepts the message and assures himself that the message has been sent by the intended sender.
- If they don’t then. The receiver cannot determine whether it is the message that has been altered
Pre-Shared Keys
A pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.
Secure IoT communications require access to compatible keys. The use of pre-shared keys (PSKs) minimizes the demands on the resource-constrained device. Keys can be transferred through an independent, secure channel and then manually entered into the terminal device. While the overall system to share the keys may have some complexity, the demands on the actual terminal device are minimal. When allowed by the application.
Transport Layer Security
Transport Layer Security (TLS) provides a standard framework for PKE and encryption to secure traffic between devices. However, for resource-limited embedded systems, the memory and processing requirements for the TCP/IP stack may be impossible to support. That’s why TLS is often used on larger embedded systems where communication occurs in IP sessions such as TCP. Even smaller embedded systems may have the resources to support TLS, but this requires careful evaluation.
Wi-Fi Protected Access (WPA2)
Wi-Fi Protected Access (WPA) is a security certification program developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
When an embedded terminal device uses Wi-Fi (802.11) for communication, the WPA2 suite of standards can secure the communication channel. This widely deployed protocol allows the interoperability of systems from different design authorities. However, it is generally beyond the reach of smaller embedded systems unless specialized Wi-Fi-dedicated coprocessors are present.
Conclusion
Security threats to embedded devices in IoT solutions are increasingly common, as attacks have become easier to carry out. These can include confidentiality breaches, service theft, data integrity, and service availability. IoT systems have unique security requirements and challenges, mostly due to resource limitations. Six core methods (packet encryption, message replay protection, message authentication code, Wi-Fi Protected Access, Transport Layer Security, and pre-shared keys) are typically compatible with the unique needs of M2M terminal devices