IoT Security And Advancement
By Shreya Pohekar
Coding and a Cyber Security Enthusiast
Why internet of things?
Internet of things
All is not well
Hacks on iot
Steps to security
WHY WE NEED IOT?
Computers can’t be installed everywhere that
too for specific works.
Better data, automation, increased efficiency
They are much cheaper
Require less computational power
Are less complex
INTERNET OF THINGS (IOT)
The internet of things is a system of interrelated
computing devices, mechanical and digital
machines, objects that are provided with unique
identifiers(IP Address) and have the ability to
transfer data over a network without requiring
human –to- human or human-to-computer
Formal definition by international telecommunication
A dynamic global network infrastructure with self
configuring capabilities based on standard and
interoperable communication protocols where
physical and virtual things have-
Identifiers , physical attributes and virtual
use intelligent interfaces
Are seamlessly integrated into information
Till 2017 we have 15.4 billion IoT devices
connected over the internet.
And it is forecasted to reach 20.8 billion by
CATEGORIES OF IOT
First class of iot (Public sensors and
Second class of iot
THE SECURITY CHALLENGES
70% of the total iot devices being used today are vulnerable
to cyber attacks
Low level of encryption
Work on different ports
No firewalls or antivirus
most of the times outdated
update file not encrypted
update not verified before upload
Lack of role based access control
Lack of 2 factor authentication
Insecure password recovery
Poorly implemented SSL/TLS
Poor physical security
USUAL ATTACKS ON IOT DEVICES
Brute force attacks
Open ports via UPnP( universal plug and
* UPnP : it is a set of networking protocols that permits networked devices , such as
personal computers, printers, internet gateways, Wi-Fi access points and mobile
devices to seamlessly discover each other’s presence on the network and establish
functional network services for data sharing.
LACK OF SECURITY CONFIGURABILITY
Insufficient security configurability is present when users of the
device have limited or no ability to alter its security controls.
Insufficient security configurability is apparent when the web
interface of the device has no option for creating granular user
permission or for example , forcing the use of strong passwords
Lack of transport encryption
Lack of transport encryption allows data to be viewed as it travels over
local networks on the internet. Lack of transport encryption is prevalent
on local networks as it is easy to assume that local network traffic will
not be widely visible , however in case of a local wireless
network,misconfiguration of that wireless network can make traffic
visible to anyone within range of that wireless network.
KINESIS is an example of a sensor network
system designed to make it possible for
sensors to automatically take response
actions in the event of data transmission
.Is my cloud interface secure??
checking for a insecure cloud interface includes:
Determining if the default username and
password can be changed during initial product setup.
Determining if a specific user account is locked out after 3-5 failed
Determining if valid accounts can be identified using password
recovery mechanisms or new user pages.
Reviewing the interface for issues such as cross site scripting,
cross-site request forgery and sql injection.
Reviewing all cloud interfaces for vulnerabilities( API interfaces
and cloud-based web interfaces)
The terrifying power of billions of IoT devices
botnets can be used to orchestrate Distributed-Denial-of-Service (DDoS) attacks. These
attacks use large numbers of IoT devices to direct traffic to a website or server,
overwhelming it and rendering it inaccessible to real users.
Botnets are traditionally made up of infected computers, but the widespread use of
vulnerable IoT devices provides a far more enticing target for cyber criminals. A lack of
investment in security and the abundance of IoT devices, a result of cheap and quick
manufacturing, means these botnets are potentially far more dangerous than infected PCs.
This lack of security investment was revealed in 2016 when criminals launched the largest
DDoS attack in history. The botnet malware behind the attack, Mirai, infected 100,000s of
IoT devices that then pummeled DNS provider Dyn with a 1.2 Tbps DDoS attack.
The Mirai botnet knocked PayPal, Spotify, Netflix and Twitter offline, causing never-before-
seen levels of disruption to some of the largest websites in the world.
One month later businesses were unprepared when the Mirai botnet struck again. This
time the attack affected 100,000s of Deutsche Telekom customers.
The Mirai botnet source code is now available online, so it’s likely to continue plaguing
poorly secured IoT devices. And in February 2017, researchers identified a new variant of
the Mirai botnet capable of targeting Windows systems, allowing the malware to spread to
even more devices.
Mirai is just the tip of the iceberg and other powerful botnets continue to damage
businesses globally. It’s not just businesses that should worry, one attack against a UK
bank in 2016 resulted in £2.5 million stolen directly from customer accounts.
Security should be there from a
point when the power is supplied
The best option – light weight encryption tools
The RSA Algorithm( concept of factor)
block ciphers, like PRESENT and CLEFIA,
(lightweight versions of the Advanced Encryption
Standard. )There are also hardware-oriented stream
ciphers, like Enocoro, that focus on chip size and
energy consumption; hash functions, such as
PHOTON, which concentrate on data integrity;
and message authentication codes for validating and
authenticating communications between devices.
Elliptic curve based encryption
The RSA Algorithm
The Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular
and secure public-key encryption methods. The algorithm capitalizes on
the fact that there is no efficient way to factor very large (100-200 digit)
numbers. Using an encryption key (e,n), the algorithm is as follows:
Represent the message as an integer between 0 and (n-1). Large
messages can be broken up into a number of blocks. Each block would
then be represented by an integer in the same range.
Encrypt the message by raising it to the eth power modulo n. The result
is a cipher text message C.
To decrypt cipher text message C, raise it to another power d modulo n
The encryption key (e,n) is made public. The decryption key (d,n) is kept
private by the user.
IOT TOO REQUIRE A FIREWALL
The embedded firewall provides a basic
but critical level of security by controlling what packets or
messages are processed.
The firewall enforces its policies by filtering packets as
they are received, comparing each packet to the policies
for that device, and blocking all packets that don’t match
the communication policy criteria.
Rules-based filtering: Each packet is compared to a set
of static rules determining if the packet is blocked or
allowed . All decisions are made based on the information
in the packet. Rules-based filtering enforces policies by
blocking unused protocols, closing unused ports, and
enforcing IP address white lists and blacklists.
SOFTWARE MUST BE SECURED
Many IoT devices are based on processors such as the ARM
processor, which have differences in the instruction set with
respect to other conventionally used processors.
Such diversity has an implication, for ex. On the techniques for
protecting software from attacks, such as return –oriented
programming attacks, as such must be tailored to the specific
instruction set of the platform of interest
One way to provide better security is to isolate sensors and other
permissive devices on a separate virtual LAN. This setup
prevents a hacker from observing the totality of network traffic if
one sensor is compromised, or using it to launch attacks across
the entire enterprise.
Create bug bounty programs and vulnerability reporting systems
GOOD CITIZEN RULES
Don’t connect your devices unless you need
don’t use default passwords
Keep the latest firmwares
Turn off universal plug and play (UpnP)
Do not trust any network , just because it is
introduced by any trusted entity
Not all access point are trustworthy
OPEN SOURCE WOULD HAVE AN IMPACT
to support and connect billions of sensors,
routers, gateways and data servers
Promotes velocity of innovation
Easy exploration and experimentation
Enables permission less innovation
o Data security and privacy in IoT by Elisa Bertino
o OWASP IoT security