The Internet of Things (IoT) is growing exponentially, with predictions of 20 billion to 50 billion connected devices by 2020. The devices themselves aren’t the only thing increasing; the amount of data is also growing as devices share statistics, updates, and analytics with each other and centralized servers. The explosion of available devices and applications, combined with the collection and transmission of potentially sensitive information, makes this environment a hacker’s Candy Land.
The security concerns within IoT devices and protocols fall into two main categories. First, there’s the IoT device and its application. Users must ask if the application is secure and how it’s collecting and storing data. Second, it’s crucial to understand how the devices are communicating, both among themselves and with the centralized servers. Are the communication protocols secure, and can the IoT system ensure that only properly authorized and authenticated entities can view the information being collected and sent?
Protecting the product
There’s a concern that IoT devices aren’t secure and hackers might be able to convert those 50 billion IoT devices into a botnet that can generate Distributed Denial of Service (DDoS) attacks and spam messages at will. No security standards or recommended practices exist concerning the design or protection of IoT applications from malicious high-tech threats.
Poor programming and design practices make it possible to gain control of, or access to, the information that IoT devices collect. Backdoors and default passwords are not uncommon and can give a hacker access to video surveillance, meters, and any other device connected to the internet. In the rush to get products in the marketplace, vendors are not thoroughly testing the security of their components.
Even if the devices and their applications are hardened and secure, the data they share may be exposed. The communications protocols that IoT devices use for sending data and commands across the internet are concerning, and a hacker can hijack a session or masquerade as a trusted component and send malicious commands to the IoT infrastructure. If that happens, it’s possible that hackers can get access to sensitive information and even control or reconfigure the devices remotely. There have been incidents of hackers sending messages through baby monitors and controlling surveillance cameras already.
Securing the communications
There are two leading security protocols being designed for IoT communications: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). MQTT is a lightweight client-server-based protocol that utilizes Transmission Control Protocol (TCP) as the transport mechanism. Because MQTT runs over TCP, it can support TLS encryption, but the performance overhead of encryption is high, so encryption isn’t a requirement. MQTT can also support usernames and passwords, but that’s not required either.
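Both optional controls described above are visible in the MQTT CONNECT packet itself, so a defender can audit for them. The following is an added example, not part of the original article: it parses a CONNECT packet per MQTT 3.1.1 and reports whether the client connected anonymously or sent credentials without TLS. The sample packets are constructed, and the `over_tls` argument is an assumption supplied by whoever observes the connection.

```python
def remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' (at most 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            raise ValueError("truncated fixed header")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:          # high bit clear: last length byte
            return value, pos
    raise ValueError("remaining length longer than 4 bytes")

def audit_connect(packet, over_tls):
    """Return a list of findings for one MQTT 3.1.1 CONNECT packet.

    over_tls is supplied by the caller (assumption: the observation point,
    e.g. the broker listener, knows whether the client arrived over TLS).
    """
    if not packet or packet[0] >> 4 != 1:     # packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    length, pos = remaining_length(packet, 1)
    body = packet[pos:pos + length]
    # Variable header: name length, "MQTT", level 4, flags, 2-byte keep-alive
    if len(body) < length or len(body) < 10 or body[:7] != b"\x00\x04MQTT\x04":
        raise ValueError("malformed or non-3.1.1 CONNECT")
    flags = body[7]
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    findings = []
    if not (has_user or has_pass):
        findings.append("anonymous: no username/password presented")
    elif not over_tls:
        findings.append("credentials sent in cleartext")
    if not over_tls:
        findings.append("session unencrypted")
    return findings

# Constructed sample packets (client id "sensor01", keep-alive 60 s).
ANON = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08sensor01"
CREDS = (b"\x10\x22\x00\x04MQTT\x04\xc2\x00\x3c\x00\x08sensor01"
         b"\x00\x05admin\x00\x05admin")   # constructed default-style login

if __name__ == "__main__":
    for name, pkt in (("ANON", ANON), ("CREDS", CREDS)):
        for tls in (False, True):
            print(name, "tls" if tls else "plain", audit_connect(pkt, tls))
```

An empty result means the client both authenticated and used TLS; any other result names the optional control that was skipped.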
The other security protocol, CoAP, is a lightweight IoT standard being developed by the Internet Engineering Task Force (IETF). CoAP uses the User Datagram Protocol (UDP), a more efficient communications method that, unlike TCP, doesn’t require handshakes and stateful connections. Unfortunately, this means that CoAP does not support Transport Layer Security (TLS) encryption. Datagram Transport Layer Security (DTLS) is available as an encryption alternative for CoAP, but the performance requirements to support DTLS mean that many IoT devices may skip the encryption step.
The industry standard protocol has not yet been determined. It’s possible that we will see a combination of both, similar to how we saw VHS and Betamax co-exist for a time. And there’s always a possibility that another protocol will be created and become the standard.
Lack of security standards
The lack of strict and mandatory security requirements means that much of the data from IoT devices is, and will continue to be, unencrypted and easy to compromise with a simple dictionary attack based on default passwords and shared encryption keys.
The collection of data from multiple points can provide insight into private details that the individuals and businesses do not want exposed. Access to networked thermostats, lighting systems, and surveillance cameras can provide detailed insight into a homeowner’s habits. If networked power meters, kitchen devices, and other smart home appliances are accessed, the information revealed becomes intrusive and compromising.
Strong security policies are necessary for IoT to succeed. Consumer and business acceptance is based on functionality and trust, but the current platform of devices, applications, and communications protocols doesn’t have a comprehensive security platform that ensures that trust.
It’s unlikely the IT community will be able to impose application security standards upon the multitudes of IoT vendors. Instead, we need to establish mandatory and certified security standards for command and control functions and data communications. Until then, IoT will continue to be a security soft spot on the internet.