How to secure the IoT
More than 50 billion devices are predicted to be used by consumers by the year 2020, according to industry analysts and high-tech companies. However, this forecasted boom in the internet of things (IoT) will require the implementation of security measures to protect the entire IoT ecosystem.
Last year, the U.S. Department of Homeland Security issued a report titled “Strategic Principles for Security the Internet of Things,” which says that the IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of service attacks, and potential disruptions to critical infrastructure.
“The time to address IoT security is now. Many of the vulnerabilities in IoT could be mitigated through recognized security practices, but too many products today do not incorporate even basic security measures. There is a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so. While the benefits of IoT are undeniable, the reality is that security is not keeping up with innovation,” the report says.
The government report also set a number of recommendations to secure the IoT including:
– Incorporate security at the design phase
– Advance security updates and vulnerability management
– Build on proven security practices
– Prioritize security measures according to potential impact
– Promote transparency across IoT, and
– Connect carefully and deliberately
These principles are designed to improve security of IoT across the full range of design, manufacturing, and deployment activities. Widespread adoption of these strategic principles and the associated suggested practices would dramatically improve the security posture of IoT. There is, however, no one-size-fits-all solution for mitigating IoT security risks,” the report added.
“The emerging internet of things has tremendous potential, but also tremendous dangers. As we have seen with the Internet worm infecting the first networked computers in 1988, Nimda in 2001, and SQL injection attacks since the late 2000s, new applications and software present tremendous security threats,” the University of Stanford said in a white paper. “New systems and protocols, developed quickly and through grassroots efforts, do not foresee these threats, with the result that it takes decades to react and make these systems secure. For the internet of things, this danger is even more acute due to scale and interaction with the physical world. Internet threats today steal credit cards. Internet threats tomorrow will disable home security systems, flood fields, and disrupt hospitals.”
The white paper also said that existing approaches to secure computing systems are insufficient for these new cyber-physical applications, as they have very different trust models and network architectures, bridging pervasive local area networks, personal mobile devices, server storage, and web-based applications.
“IoT applications will need novel cryptographic protocols that are able to work on tiny, low-power devices yet also scale up to enormous stores of data in the cloud,” the white paper added.
A recent security attack revealed the need to address IoT security. Dyn, a company that monitors and routes internet traffic, was hit with a severe distributed denial of service attack in October 2016 that flooded its servers with so many fake requests for information that they could not respond to real ones, causing the servers to crash. Unknown hackers took down the company’s routing network, which allowed them to knock many popular websites such as Amazon.com, Twitter and Netflix offline.
By hacking into unsecured IoT devices, mainly home surveillance cameras, hackers took control of these devices to attack other devices on the network, which served as gateway to take down the company’s routers and attack the entire corporate infrastructure including the popular websites.