Traversing the IoT Security Landscape of Threats
by Exosite, on June 9, 2016
As IoT security becomes a growing concern, it seems every week there are new hacking incidents in the media. With consumer products like Nest seemingly having issues with the security of their data retention, are other industries also in danger? The industrial IoT market is quickly growing with more and more companies adding thousands of devices to a single factory and then replicating this process across hundreds of factories.
As the cost of computation continues to decrease and the number of software-controlled systems that make up IoT continues to proliferate, this problem will only get worse. New devices, networks, IoT-connected technologies, and users will all contribute to this phenomenon.
Devices used in IoT solutions have two major attributes that make them more susceptible to attacks than other personal computing applications:
IoT devices are often resource-constrained, making standard security mechanisms (e.g., TLS) difficult or impossible.
IoT devices are becoming more accessible. If an attacker can open a device, disassemble the contents, add a USB drive, desolder RAM chips, convince a user to grant access to it, or use other advanced side-channel attacks (e.g., timing information, power consumption, or acoustic signatures), the device can quickly become compromised.
Perfect security is not possible without disconnecting network interfaces. With so many devices, software packages, deployment configurations, and use cases, key tradeoff decisions must be made between ease of use and high security. How do we make these tradeoffs?
For instance, securing communications sent over the wire so that user information cannot be sniffed is of high importance for almost every application, and there are standard mechanisms for doing that. However, preventing a device from having its flash re-programmed, essentially re-purposing the device, may or may not be a problem, depending on the context, application, and sensitivity of the device or its data.
When designing an IoT security strategy, the goal is to keep the required effort for attacks higher than the level of the hacker's motivation.