June 3rd 2020
Andrey Koptelov is Technology Observer at Itransition.
With billions of connected devices already deployed worldwide and companies resorting to IoT development services more frequently, IoT security issues remain a matter of concern.
According to the third annual survey on IoT risks conducted by the Ponemon Institute and Shared Assessments in 2018, 84% of the surveyed said their companies are very likely to experience a data breach caused by an unsecured IoT device, while only 11% reported educating employees on risks associated with using IoT devices at work.
Other smart things that raise major concerns when connected to the internet are cars, TVs, heating systems, smoke detectors, ovens, lighting, and kids’ wearables.
Security challenges of IoT development
Whilst people become increasingly concerned about the security of their connected devices, IoT developers face a number of impediments to ensuring protection from security threats.
Here are the key roadblocks that stand in the way of secure IoT.
IoT scope and scale
The number of connected devices continues to rise significantly. According to Statista, the number of IoT devices reached 26.66 billion in 2019, and it is expected to double by 2023. This presents an ever-growing attack surface.
Moreover, the extreme proliferation of IoT requires developers to switch to more rapid development cycles to market their solutions faster and stay competitive. As a result, manufacturers might cut corners and design connected devices that lack security features.
Data privacy remains among the major IoT security issues for both developers and consumers. Enormous volumes of data are collected and analyzed every day, which makes it difficult to process data securely.
To make matters worse, consumers are unaware of what personal data is being collected and how it is being used. You can’t be sure that a smart TV with voice recognition that listens to conversations and transmits data to the cloud is not accessed by third parties.
Lack of a uniform standard
The great variety of connected devices makes it difficult for manufacturers to adopt a uniform agreed-upon standard of IoT security.
There are many IoT standards, such as IEEE P2413 or ITU-T SG20 for smart cities, but none of them has much chance of gaining widespread acceptance.
Poor authentication methods
As a result, IoT security gets compromised. Manufacturers should take this seriously and start implementing new approaches to authentication, such as biometric authentication or digital certificates.
Why is unsecured IoT so dangerous?
Unsecured IoT contains more loopholes for malware and ransomware attacks aimed at hacking connected devices. It is sufficient to recall such high-profile attacks as Mirai and Brickerbot. They affected a huge number of users and led to considerable financial losses incurred by businesses.
Among more recent incidents, Kaspersky detected 105 million attacks on IoT-connected devices in the first half of 2019 through its honeypots deployed all around the world.
Google’s Alexa was abused by hackers in 2018. In 2019, the attacks reoccurred, with hackers tricking oblivious users into providing sensitive information.
A more dangerous scenario is when a connected device is hacked in order to cause physical damage to the end user. In a smart home, consumers might suffer from extremely low or high temperatures if a cybercriminal hacks a connected thermostat.
The consequences of IoT attacks might even be fatal if someone breaks into life-sustaining medical devices, like insulin pumps or heart defibrillators.
What is triple-A security, and how does it work?
One of the possible solutions for protecting people in a connected world is applying the triple-A (AAA) security approach, where the three As stand for authentication, authorization, and accounting.
Authentication verifies a user’s identity based on a unique set of criteria, the most traditional being a username and a password. A password is the least secure method of authentication.
More advanced authentication mechanisms—biometric credentials, response questions, and tokens—enable greater IoT security. Several authentication mechanisms can be combined.
In the IoT domain, there is also device authentication, which is carried out in a way similar to user authentication. Based on certain credentials, a connected device authenticates itself and gets authorized to transfer data. The device authentication process makes it possible to ensure that only trusted devices can send data.
Authorization defines whether a user has permission to view certain information and to perform certain tasks. After a user logs into a device, the server receives a request for a certain action and approves or rejects access to the resources involved.
The quantity of information and services a user can access varies with their authorization level. Without strong authorization, hackers will be able to gain unauthorized access to IoT devices.
For example, they might cause complete chaos in smart cities by controlling traffic lights.
Accounting, the final element of AAA security, tracks and measures user activity with an IoT device: time spent in the system, data sent and received during a session, actions performed, and more.
This is done mainly for analytical and planning purposes, but it can also bolster security. For example, accounting records make it possible to detect unusual behavior, such as invalid login attempts.
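The three AAA steps described above, worked through for a smart-thermostat gateway, as an added example that is not part of the original article: a user authenticates with a salted, hashed password and receives a session token; a device authenticates by proving knowledge of its provisioned key with an HMAC over the reading it reports (standing in for the per-device certificate the article mentions); authorization checks the caller’s role against the requested action; and every decision is written to an accounting log, which is then queried for repeated failed logins. All users, keys, roles and readings are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample credentials (not real users or devices). A real deployment
# would use a per-user random salt; a single fixed salt keeps the example short.
_SALT = b"constructed-salt"


def hash_password(password: str) -> bytes:
    # PBKDF2 so a leaked credential table does not expose plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, dict] = {
    "alice": {"pw": hash_password("correct horse"), "role": "owner"},
    "bob": {"pw": hash_password("guest-pass"), "role": "guest"},
}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "owner": {"read_temperature", "set_temperature"},
    "guest": {"read_temperature"},
}
# Per-device shared secrets; in production these would be per-device certificates.
DEVICE_KEYS: Dict[str, bytes] = {"thermostat-01": b"constructed-device-key"}


@dataclass
class AccountingRecord:
    subject: str   # user name or device id
    action: str
    outcome: str   # "ok" or "denied"


class AAAGateway:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}        # session token -> username
        self.records: List[AccountingRecord] = []  # accounting log

    # Authentication: verify the user's password and issue an opaque session token.
    def authenticate_user(self, username: str, password: str) -> Optional[str]:
        user = USERS.get(username)
        ok = user is not None and hmac.compare_digest(user["pw"], hash_password(password))
        self.account(username, "login", "ok" if ok else "denied")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    # Device authentication: the device proves it holds its key via an HMAC over the payload.
    def authenticate_device(self, device_id: str, payload: bytes, tag_hex: str) -> bool:
        key = DEVICE_KEYS.get(device_id)
        expected = hmac.new(key, payload, "sha256").hexdigest() if key else ""
        ok = key is not None and hmac.compare_digest(expected, tag_hex)
        self.account(device_id, "report", "ok" if ok else "denied")
        return ok

    # Authorization: a valid session is not enough; the role must permit the action.
    def authorize(self, token: Optional[str], action: str) -> bool:
        username = self.sessions.get(token or "")
        allowed = username is not None and action in ROLE_PERMISSIONS[USERS[username]["role"]]
        self.account(username or "anonymous", action, "ok" if allowed else "denied")
        return allowed

    # Accounting: every decision is recorded, which makes the check below possible.
    def account(self, subject: str, action: str, outcome: str) -> None:
        self.records.append(AccountingRecord(subject, action, outcome))

    def failed_logins(self, subject: str) -> int:
        return sum(1 for r in self.records
                   if r.subject == subject and r.action == "login" and r.outcome == "denied")


def demo() -> Dict[str, object]:
    gw = AAAGateway()
    owner = gw.authenticate_user("alice", "correct horse")
    guest = gw.authenticate_user("bob", "guest-pass")
    results: Dict[str, object] = {
        "owner_sets_temp": gw.authorize(owner, "set_temperature"),
        "guest_sets_temp": gw.authorize(guest, "set_temperature"),
        "guest_reads_temp": gw.authorize(guest, "read_temperature"),
        "no_session_reads": gw.authorize(None, "read_temperature"),
    }
    reading = b'{"temp_c": 21.5}'  # constructed device report
    tag = hmac.new(DEVICE_KEYS["thermostat-01"], reading, "sha256").hexdigest()
    results["device_ok"] = gw.authenticate_device("thermostat-01", reading, tag)
    # A tampered payload no longer matches the tag, so the report is rejected.
    results["device_tampered"] = gw.authenticate_device("thermostat-01", b'{"temp_c": 99}', tag)
    for _ in range(3):
        gw.authenticate_user("alice", "wrong-password")
    results["alice_failed_logins"] = gw.failed_logins("alice")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guest session is accepted by authentication but still denied the set_temperature action, which is the point of keeping the three steps separate: a stolen or guessed credential only grants what that role is allowed, and the accounting log shows the three failed logins for alice even though her earlier login succeeded.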
Can AAA solve IoT security issues?
The three As of IoT security rely heavily on each other. Implementing only one or two of the components opens up loopholes that might be exploited.
The triple-A approach is not a solution to all the IoT security issues, but it might help to stem the flow of attacks and eliminate some of the above-mentioned challenges of IoT ecosystems.
First, this approach addresses data privacy protection needs by managing access to the data that a connected device is generating, processing, sending, and receiving.
Second, it encourages using improved methods of user verification instead of a plain password-based login.