Security for IoT Devices and Why It’s Important

IoT

We use personal computers (PCs) and server/client computers that run Windows, Linux, etc. PCs exist to help human activity, so their network basically carries information, video, and audio output to humans and input from humans: it is a Human to Human (H2H) network. When we talk about cybersecurity, it refers to those server/client PCs and TCP/IP security.

Besides PCs, there are microcomputers/embedded computers that are used in home electronics, factory machines, live cameras, and small devices. Most of them performed in-house tasks and were not connected to the Internet over TCP/IP until recently.

By the way, I think the iPhone is the most successful computer device that uses the Internet in the history of computers. However, the iPhone (and iPod touch) is not Apple's first handheld device. Apple released the “Newton” in 1993, which could perform a variety of tasks like the iPhone. However, sales of the Newton were not good and the project was canceled.

We are not concerned here with why the Newton failed; what the iPhone has and the Newton did not have is the ability to connect to the Internet.

As a result of the mass production of iPhone and other smartphones, microcomputers, GPS receivers, and small sensor devices became inexpensive and mass-produced, and Internet connectivity became possible with inexpensive components.

Naturally, microcomputers/embedded computers are combined with cheap network access devices; the combination of these microcomputers and networks is called the Internet of Things (IoT).

In most cases, an IoT device relays data from the sensors attached to it to other IoT devices, which aggregate the data for processing. The IoT devices are connected, and the communication happens among the IoT devices (machines), so it is a Machine to Machine (M2M) network. IoT devices are therefore also M2M network devices.

One of the well-known examples of IoT devices is the Arduino board which is an open-source electronics platform based on easy-to-use hardware and software. Arduino is easy to program, and deploy, and can use many types of sensors, and the cost is quite low, thus it has been used in thousands (or more) of projects and applications.

Because IoT devices are much cheaper and easier to produce than PCs, the number of IoT devices is increasing rapidly, and there is no limit on the number that can be produced. In contrast, the demand for PCs (and smartphones) is limited by the number of humans.

The number of connected IoT devices (source: Statista):

2019 8.6 billion
2023 15.14 billion

As the number of IoT devices increases, the network connecting IoT devices (M2M) increases geometrically.

By the way, BIG-IP LTM has a profile for one of the protocols used in IoT networks (Local Traffic ›› Profiles : Services : MQTT).

 

Security Concerns

What problems will arise from IoT?

Attack surface

First, unlike servers and PCs, IoT devices are small and can be transported anywhere (a laptop PC is portable, but limited to places where humans go). A good example is the drone, which has a microcomputer and a network device and is therefore an IoT device: it can move autonomously from place to place, even to places humans can’t go. IoT devices are therefore not restricted by physical location and can be connected to the Internet wherever they are. As a result, unlike servers and PCs, it is difficult to know the location of all IoT devices in the world. The problem is that IoT devices are directly accessible by malicious attackers: they can be everywhere, and there are too many devices to track all of them.

From the network perspective, servers and PCs are always protected because their physical access points, that is, their attack surface, are limited, and even if they become the source of an attack, the location of the malicious attacker’s host can be determined to some extent. The CVSS metrics score low when the PCs/servers are not accessible via the network.

In contrast, since it is hard to know all the locations of IoT devices and their M2M network connection points, the attack surface is everywhere. If an IoT device located in an unknown (physical) place is compromised and becomes a jump host, it might be difficult for a defender to know where the attack is coming from. In other words, being everywhere because it is convenient also means not knowing where they are. We need to think about the expanding attack surface.

You may recall the Mirai botnet. Mirai primarily targets IoT devices such as IP cameras and home routers; IP cameras can be placed on the outside of a building, so they are easy for a malicious attacker to access.

In the keynote speech of Black Hat Asia 2019, the presenter said that “IoT is next asbestos!”

It is not only physical access: the range of the network is also expanding. As the number of network devices increases, the number of network connections between them also increases geometrically, so the network that needs to be monitored will also expand.

Network protocol

Second, many IoT devices use protocols other than TCP/IP. Because these protocols were used in closed networks before the IoT era, such as in a factory or a car, their design and implementation did not need to consider security and privacy. However, once such a device connects to the Internet, attacks against it are often easy: the protocols are not security-conscious by nature, and the lack of research done on them may make these attacks possible.

For example, the CAN network used for in-vehicle (i.e. car) networks has no destination or source address. Therefore, it is difficult to identify and block the source of an attack through the CAN network.

Some IoT devices communicate over TCP/IP and HTTP, but not HTTPS, because those devices are designed to use little memory and narrow network bandwidth. Of course, this is not secure.
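The missing address fields can be seen in the frame layout itself. The following is an added example, not from the original article: it decodes Linux SocketCAN classic frames and, going beyond the text, flags frames that arrive faster than their identifier's normal period, a common way to monitor a bus when the sender cannot be named. The identifiers, periods and capture are constructed, and a little-endian host is assumed.

```python
import struct

# Linux SocketCAN classic frame on a little-endian host (assumption):
# 32-bit can_id, 8-bit payload length, 3 pad bytes, 8 data bytes.
CAN_FRAME = struct.Struct("<IB3x8s")
CAN_EFF_FLAG = 0x80000000  # set when the identifier is 29-bit (extended)
CAN_SFF_MASK, CAN_EFF_MASK = 0x7FF, 0x1FFFFFFF

def parse_frame(raw):
    """Decode one frame. The ID names the message, not a node: no sender field exists."""
    can_id, length, data = CAN_FRAME.unpack(raw)
    mask = CAN_EFF_MASK if can_id & CAN_EFF_FLAG else CAN_SFF_MASK
    return {"id": can_id & mask, "data": data[:min(length, 8)]}

def timing_alerts(capture, expected_period, tolerance=0.5):
    """Flag unknown IDs and frames that arrive much sooner than the ID's usual period.

    capture: time-ordered list of (timestamp_seconds, raw_frame)
    expected_period: {can_id: seconds}, learned from known-good traffic
    """
    last_seen, alerts = {}, []
    for ts, raw in capture:
        cid = parse_frame(raw)["id"]
        if cid not in expected_period:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last_seen and ts - last_seen[cid] < expected_period[cid] * tolerance:
            alerts.append((ts, cid, "too frequent"))
        last_seen[cid] = ts
    return alerts

def make_frame(can_id, data):
    """Build a raw frame for the constructed sample below."""
    return CAN_FRAME.pack(can_id, len(data), data)

# Constructed sample: ID 0x244 is sent every 100 ms; one extra 0x244 frame and
# one frame with an ID never seen in the baseline are mixed in.
EXPECTED_PERIOD = {0x244: 0.1}
SAMPLE_CAPTURE = [
    (0.00, make_frame(0x244, b"\x10\x20")),
    (0.10, make_frame(0x244, b"\x10\x21")),
    (0.20, make_frame(0x244, b"\x10\x22")),
    (0.21, make_frame(0x244, b"\xff\xff")),
    (0.25, make_frame(0x3A0, b"\x01")),
    (0.30, make_frame(0x244, b"\x10\x23")),
]

if __name__ == "__main__":
    for alert in timing_alerts(SAMPLE_CAPTURE, EXPECTED_PERIOD):
        print(alert)
```

The alerts identify a message ID and a time, not a device, which is exactly the attribution gap described above.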

The amplified DDoS attack

As mentioned above, the number of PCs is limited while the number of IoT devices is limitless. The protocols also have some security weaknesses, so IoT devices could be compromised and used as jump hosts for DDoS campaigns. The jump hosts used for the DDoS attack will be amplified, more than those of the H2H network, and this makes it difficult to defend.

The Mirai botnet is one of the most famous bots attacking IoT devices. Quote from "What was the Mirai botnet":
"In late 2016 in France, telecom company OVH was hit by a distributed denial-of-service (DDoS) attack. Experts were struck by how the assault was 100 times larger than similar threats." This incident happened in 2016; as shown above, we have more and more IoT devices.

 

Defense

IoT devices behave differently than PC/Servers and require their own cybersecurity rules depending on how they operate. To reduce the risks of IoT devices, some system standards and security guidelines for IoT have been published by governments and non-profit organizations.

USA IoT Cyber Security Improvement Act of 2020 https://www.govinfo.gov/content/pkg/COMPS-15863/pdf/COMPS-15863.pdf

NIST IoT Device Cybersecurity Guidance for the Federal Government https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213.pdf

USA DHS : Strategic Principles for Securing the Internet of Things https://www.dhs.gov/securingtheIoT

IEEE IoT security best practices white paper https://standards.ieee.org/wp-content/uploads/import/documents/other/whitepaper-internet-of-things-2017-dh-v1.pdf

To mitigate the risk, security measures need to be considered when an IoT device is designed. For example: an access control feature and user (machine) authorization to change the config, encryption (although it is a performance trade-off), monitoring for abnormality, and an edge computer that filters the data and proxies the connection.

And, of course, not using the default user/password is essential: the Mirai botnet will use them.

In most cases the data from IoT devices will be uploaded to a cloud service and processed on the application layer, so an application firewall can be one of the protection measures.
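Several of the design-time measures above can be combined in an edge gateway that filters device messages before proxying them upstream. The following is an added sketch, not from the original article: it checks a device allowlist, a per-device HMAC (authentication and integrity, not encryption), a replay counter and a plausible value range. Device names, keys, the message format and the temperature range are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys; assumption: every device is provisioned with its own secret.
DEVICE_KEYS = {"sensor-01": b"constructed-key-01", "sensor-02": b"constructed-key-02"}
TEMP_RANGE_C = (-40.0, 85.0)  # hypothetical plausible range for this sensor type

def mac_for(device_id, counter, data, key):
    """HMAC-SHA256 over a canonical encoding of the fields the gateway relies on."""
    body = json.dumps([device_id, counter, data], sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_message(device_id, counter, data, key):
    """Device side: attach a strictly increasing counter and a MAC to a reading."""
    return {"id": device_id, "ctr": counter, "data": data,
            "mac": mac_for(device_id, counter, data, key)}

class EdgeFilter:
    """Gateway side: a reading is forwarded only if every check passes."""
    def __init__(self, keys):
        self.keys, self.last_counter = keys, {}

    def check(self, msg):
        dev, ctr, data = msg.get("id"), msg.get("ctr"), msg.get("data")
        key = self.keys.get(dev) if isinstance(dev, str) else None
        if key is None:
            return "unknown device"          # access control: allowlist of devices
        expected = mac_for(dev, ctr, data, key)
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac")).encode()):
            return "bad mac"                 # forged or modified in transit
        if not isinstance(ctr, int) or ctr <= self.last_counter.get(dev, -1):
            return "replayed counter"        # old message sent again
        self.last_counter[dev] = ctr
        temp = data.get("temp_c") if isinstance(data, dict) else None
        low, high = TEMP_RANGE_C
        if not isinstance(temp, (int, float)) or not low <= temp <= high:
            return "out of range"            # abnormal value: do not pass upstream
        return "forward"

def run_sample():
    """Constructed traffic: one good reading, then four that must be dropped."""
    k1, k2 = DEVICE_KEYS["sensor-01"], DEVICE_KEYS["sensor-02"]
    good = make_message("sensor-01", 1, {"temp_c": 21.5}, k1)
    tampered = dict(make_message("sensor-01", 2, {"temp_c": 22.0}, k1), data={"temp_c": 5.0})
    rogue = make_message("sensor-99", 1, {"temp_c": 20.0}, b"not-a-provisioned-key")
    hot = make_message("sensor-02", 1, {"temp_c": 400.0}, k2)
    gw = EdgeFilter(DEVICE_KEYS)
    return [gw.check(m) for m in (good, good, tampered, rogue, hot)]
```

Because each device has its own key, a secret recovered from one device does not let an attacker speak for the others, which is the property a shared default credential gives away.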

 

Future

Think about the future: the number of IoT devices, the M2M network, and the amount of data on the M2M network will increase exponentially, so humans might be overwhelmed when monitoring and analyzing the network. Recently, generative AI has been used for large amounts of data, so AI will also be used for IoT security. As discussed in another article, the security of AI is also important, and if AI and IoT are united, there might be even more things to consider.

 

Further study

Papers on IoT security on arXiv:

A Survey of the Security Challenges and Requirements for IoT Operating Systems https://arxiv.org/abs/2310.19825

A Unified Taxonomy and Evaluation of IoT Security Guidelines https://arxiv.org/abs/2310.01653

Navigating the IoT landscape: Unraveling forensics, security issues, applications, research challenges, and future https://arxiv.org/abs/2309.02707

A Large-Scale Study of IoT Security Weaknesses and Vulnerabilities in the Wild https://arxiv.org/abs/2308.13141

Unleashing IoT Security: Assessing the Effectiveness of Best Practices in Protecting Against Threats https://arxiv.org/abs/2308.12072

IoT and Man-in-the-Middle Attacks https://arxiv.org/abs/2308.02479

5G Networks and IoT Devices: Mitigating DDoS Attacks with Deep Learning Techniques  https://arxiv.org/abs/2311.06938

IoT in the Era of Generative AI: Vision and Challenges https://arxiv.org/abs/2401.01923

Updated Mar 14, 2024
Version 2.0