IoT & Security
IoT technologies offer many remarkable benefits. They can make complicated tasks, such as tracking a fleet of thousands of vehicles, monitoring and adjusting manufacturing processes or automating a smart home or office simpler, easier and more cost-effective than ever before. By inviting IoT devices into our homes, workplaces and public spaces, however, we also expose new attack surfaces. When we assign an IoT system to be responsible for a critical task or trust it to monitor sensitive information in our most private spaces, we want to ensure that the system can be trusted. For this reason, it is vital that security best practices are applied at all stages when developing an IoT solution.
Familiar Old Friends
Although IoT systems introduce a slew of new security considerations, we must also remember all of our old internet security best practices. The goal of many if not most IoT systems is to monitor and surface information to human users. We need to be sure to use best practices for user management, authorization, authentication and data storage. Hashing passwords, sanitizing inputs, using SSL for all connections and using tools like two-factor authentication are standard practices across the technology industry. The IoT sector is—or should be—no different.
Because of the often sensitive and sometimes personal nature of the information gathered and generated by an IoT system, access control is also of paramount importance. Permissioning needs to be considered at a project, sub-system, device class, or even a specific device-level basis. One of the most important steps in creating an IoT solution is considering who should have access to what data. While the permissioning for this type of system might be more granular than many others because of the sheer number of devices involved, the same basic principles apply.
In addition to all of the old familiar security considerations, IoT systems introduce a host of new risks and perils.
It is crucial for any company considering the deployment of an IoT system to identify a trusted hardware partner as so many of the security risks inherent in IoT systems begin at the hardware level.
IoT devices store and use cryptographic keys to transmit their data through a gateway and (often) onward across the broader internet. Access to these cryptographic keys can allow malicious actors to spoof device data and wreak havoc on IoT systems. Because physical access to these devices in many cases can’t be controlled as rigorously as it can be with traditional computing devices, it is important that measures are taken to prevent physical device-level tampering. In some cases, where proprietary data and code are stored on the device, it may even be appropriate for the device to self-sabotage, destroying all onboard data when unauthorized access is detected.
In a world in which IoT devices control physical processes involving business operations and human safety, failure to properly secure IoT hardware can result in lost revenue, or in the worst case, lost lives. Even attacks that are seemingly less ominous can be extremely damaging to a company’s brand and the trust of their customers. Recent attacks on IoT devices, particularly webcams, in order to create giant botnets used for launching Distributed Denial of Service (DDoS) attacks are prime examples of this. A key part of these types of attacks is that the attack remains undetected. By their nature then, these attacks are not immediately damaging to hardware and software systems of targeted companies. Once it is discovered and disclosed that a company’s IoT devices have been compromised, the loss of trust that customers have in that company’s products can be devastating.
In many ways, IoT software solutions are only as good as the data being fed to them by hardware. If a hacker were to gain access to a device, extract its cryptographic keys or patch its firmware with malicious code, it would be very hard to detect that the device had been compromised because IoT data—being generated in the asymmetrical real world—is often unpredictable. It can be helpful, however, to run data analysis to ensure that devices are reporting as expected. For instance, if a device seems to be reporting more frequently than expected, it could be a sign that a device’s unique id is being used to spoof data. Setting boundaries and expectations on your data can highlight data irregularities that may indicate nefarious activity on your network. It is also appropriate in many situations to know the exact parameters that a device’s message specification should follow and to only allow certain types and fields of data to be written to storage or acted upon.
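The two checks described above, written out as an added example that is not part of the original article: a message is accepted only if it matches an allowlisted specification, and a device ID that reports sooner than expected is flagged. The field names, bounds, 60-second reporting period and sample traffic are all assumptions made for illustration.

```python
# Assumed message spec for a hypothetical sensor class: field -> (type, min, max).
SPEC = {
    "device_id": (str, None, None),
    "temp_c": (float, -40.0, 85.0),
    "battery_pct": (int, 0, 100),
}
EXPECTED_INTERVAL_S = 60                    # assumed reporting period
MIN_INTERVAL_S = EXPECTED_INTERVAL_S // 2   # assumed tolerance before flagging


def validate(msg: dict) -> list:
    """Return spec violations; an empty list means the message may be stored."""
    problems = [f"unexpected field: {n}" for n in sorted(msg.keys() - SPEC.keys())]
    for name, (typ, lo, hi) in SPEC.items():
        if name not in msg:
            problems.append(f"missing field: {name}")
        elif type(msg[name]) is not typ:    # exact match: bool must not pass as int
            problems.append(f"wrong type: {name}")
        elif lo is not None and not lo <= msg[name] <= hi:
            problems.append(f"out of bounds: {name}")
    return problems


class Monitor:
    """Tracks gateway-side arrival times per device ID."""

    def __init__(self):
        self.last_seen = {}

    def ingest(self, msg: dict, received_at: int) -> list:
        problems = validate(msg)
        if problems:
            return problems                 # rejected: never stored or acted upon
        dev = msg["device_id"]
        prev = self.last_seen.get(dev)
        self.last_seen[dev] = received_at
        if prev is not None and received_at - prev < MIN_INTERVAL_S:
            gap = received_at - prev
            return [f"reporting too frequently: {gap}s since last report"]
        return []


def run_sample() -> list:
    """Constructed sample traffic: (arrival time in seconds, message)."""
    good = {"device_id": "sensor-17", "temp_c": 21.5, "battery_pct": 90}
    traffic = [
        (0, good), (60, good),
        (65, good),                         # same ID again after only 5 seconds
        (120, {**good, "cmd": "reboot"}),   # field outside the spec
        (180, {**good, "temp_c": 400.0}),   # reading outside the allowed bounds
    ]
    mon = Monitor()
    return [(t, mon.ingest(m, t)) for t, m in traffic]


if __name__ == "__main__":
    for t, findings in run_sample():
        print(t, findings or "ok")
```

The interval check uses the arrival time recorded by the receiving side rather than a timestamp supplied by the device, since a spoofed message could carry any timestamp it likes.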
IoT Security for the Future
With the introduction of IoT solutions composed of many thousands or even millions of devices, the attack surfaces for these systems are greater than perhaps any other. However, balancing out these risks is the promise of huge, world-changing rewards. As is always the case, working with an experienced IoT solutions provider who can help you navigate this new, exciting, and sometimes frightening world is crucial.
Source: IoT For All
The growth of connected devices is unlocking new services across M2M and consumer IoT use-cases. ABI Research predicts annual revenues from IoT services will hit $460 billion by 2026.
IoT services are enabled by devices collecting, processing and sending data, quite often sensitive or personal, to the cloud. A key factor in the widespread deployment of IoT services is the ability for key stakeholders – end-users and service providers – to trust that the data gathered and transmitted to the IoT cloud is done so securely, in order to protect its integrity and the resulting integrity of the service.
Global authorities, industry bodies, governments and regulators are therefore working collaboratively towards defined IoT guidelines and mandates. This activity is particularly advanced in Europe. The General Data Protection Regulation (GDPR) defines strict penalties for device manufacturers and service providers who do not protect consumer privacy. A robust certification framework has also emerged, with the ENISA Cybersecurity Act and Eurosmart IoT Certification Scheme requiring IoT devices to undergo penetration testing from state-of-the-art independent security laboratories prior to deployment.
The challenges of remotely provisioning, managing and updating credentials across millions of different devices throughout their entire lifecycle to ensure this security and privacy are myriad. It’s the ability to protect IoT data communications in a simple, standardized manner at scale, however, that has emerged as a key industry challenge.
Market Fragmentation – A Key Challenge
Leveraging a hardware secure element (SE) as a “Root of Trust” to execute security services and store security credentials is an essential step in the development lifecycle to guarantee end-to-end security for IoT products and services. It’s also a key recommendation of the GSMA IoT Security Guidelines.
There are several proprietary hardware SE solutions available to deliver this root of trust, but market fragmentation introduces a key challenge. Connected devices must be modified to access security services from different SE providers, which creates significant design issues and is unsustainable at scale given the ever-increasing size and diversity of the IoT ecosystem.
The SIM on the other hand, in combination with supporting over-the-air provisioning and management infrastructure, is fully standardized. When used as the hardware Root of Trust in an IoT device, it promotes interoperability across different vendors and more consistent use by IoT device makers and service providers.
An additional advantage is that the SIM has advanced security and cryptographic features, including a securely designed central processing unit (CPU) and dedicated secure memory to store operating system programs, keys and certificate data. This protects IoT devices from various hacking scenarios, such as cloning, physical attacks to a single device and remote attacks from the internet to numerous devices.
Although this advanced functionality and infrastructure means the SIM can effectively function as the hardware Root of Trust in an IoT device, the fragmentation challenge isn’t completely removed. This is because device middleware must still be modified to enable access to the SIM services.
It was apparent, therefore, that removing this design hurdle was critical to the development of a scalable, secure IoT ecosystem.
Introducing IoT SAFE
It’s widely recognized that industry collaboration is key to promoting a secure, interoperable connected future. To further extend the capability of the SIM, GSMA and SIMalliance have partnered on IoT SAFE (IoT SIM Applet For Secure End-2-End Communication).
IoT SAFE directly addresses the significant challenge of industry fragmentation. By specifying a common API and defining a standardized way to leverage the SIM to securely perform mutual authentication between IoT device applications and the cloud, it’s far easier for IoT device makers to execute security services and manage credentials across millions of devices.
And as all of the critical security functions are executed on the SIM rather than untrusted areas of the device, the robustness of the mutual authentication is assured. Also, a remote interface enables the management of the secure IoT applet throughout its lifecycle.
Delivering Flexibility and Maximizing Investments
The benefits of IoT SAFE go beyond scalability and security. For example, as security functions can be delegated to the SIM, device makers aren’t solely dependent on cloud provider services to secure their products and solutions.
In addition, SIMs are already widely deployed to ensure trusted connectivity across the mobile ecosystem.
“For over 25 years the SIM has been the ‘Root of Trust’ for the mobile industry, its security constantly evolving over this period so that today the SIM secures over 9.4 billion cellular-connected devices,” said Graham Trickey, Head of IoT, GSMA. “IoT SAFE extends the security capabilities of the SIM even further to secure new IoT services end-to-end, underpinning a new generation of IoT services and billions of new IoT devices.”
An estimated 5.6 billion SIMs were shipped in 2018 alone, with estimated total shipments from 2013 to 2018 hitting 32 billion. This can be leveraged to deliver enhanced security for devices with minimal additional investment.
IoT SAFE enables all ecosystem players to homogeneously leverage the advanced features of the SIM and the supporting infrastructure to deliver enhanced security at scale, increasing flexibility and maximizing investments.
Written by Remy Cricco, Chairman of the SIMalliance
Source: IoT For All
According to Juniper Research, the number of IoT (Internet of Things) connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285 percent. Consumer IoT, especially as it relates to the smart home, has received significant attention, especially because of the prevalence of online gaming, video streaming, home audio and home video security systems. With the new year on the horizon and smart home devices set to remain among the top purchases in 2020, this article focuses on the top reasons that devices are expected to malfunction over the next 12 months.
IoT is rapidly becoming a transformative force, delivering the digital lifestyle to billions of people. Integrating an amazing array of smart devices with internet connectivity, the IoT market already includes more than 25 billion devices in use. Smart home devices include smart speakers, smart displays, smart plugs, smart light bulbs, smart thermostats, web-connected home security systems and literally thousands of other products.
As consumers acquire and implement interconnected IoT devices, the number of malfunctions is growing, which has been an unresolved problem. If only 1 percent of devices suffered a malfunction annually, that would be 250 million failures this year alone. But, 1 percent is far below the actual failure rate; almost two-thirds of IoT-technology consumers already report having experienced device failures. On average, consumers experience 1.5 digital-performance problems on a daily basis. That’s an overpowering message to tech support organizations as customer experience will be negatively impacted unless this issue is addressed.
The Top Five Reasons for Device Failures
After intensive corroboration with top research firms, five distinct factors are projected to increasingly contribute to the malfunctioning of smart devices in 2020, all of which can be considered detrimental by both manufacturers and users. Until the recent availability of technologies to diagnose the causes of IoT/smart device failures, these problems have required manual diagnosis and repair:
- Operating environment: The wide range of operating environments will be a key factor in smart device functionality. This includes issues with IoT uptime caused by environmental conditions, including extreme temperatures, rough device handling, Wi-Fi availability/signal blockage, etc.
- Integration problems: Many new smart home devices require their own app that may or may not integrate with various routers, smart hubs and other systems in the home. Popular apps and services may only be available on specific devices. As the number and variety of devices proliferate, consumers in 2020 can expect to see higher malfunction rates.
- Device configuration: Smart device configuration should be very user-friendly. However, many devices still require manual intervention. The requirement for AI-based configuration is obvious in this situation in order to ensure a fast and effective setup for devices. The ability to auto-configure such devices will be critical for smart device/home enablement as consumers bring a broader range of more complex smart devices into their homes.
- Connectivity: Smart device connectivity (or lack thereof) will be a significant contributor to device malfunctioning in 2020. The problems include a lack of signaling or bidirectional communication between devices for collection and routing purposes. There’s also the issue of presence detection, where the smart hub/router must be able to detect when a smart device drops offline and when it rejoins the network. This gives the ability to monitor the device and fix any problems that may arise.
- Device load: Device load and bandwidth limitations are other challenges expected to increase in 2020. As the device load increases and the volume of devices rises, projecting activity volumes to the service provider, a large-scale server farm is required to handle the large amount of data. Instead, enhanced management and processing will allow for the seamless transfer of data between devices and servers.
Malfunctions Wear Many Disguises
When devices were simple, it was easy to address malfunctions. If a music speaker failed to deliver sound, the problem was usually with the speaker wire or speaker. The problem was either fixed or a new item was purchased. However, in the era of integrated smart-device systems, the actual cause of a malfunction can be difficult to identify. Just like in many human medical cases, the symptom might disguise the underlying cause and lead to a misdiagnosis.
For example, if a smart garage door opener isn’t responding to a remote “close” command from your mobile phone while you’re at work, the fault could be a mechanical problem with the door mechanism. Or perhaps there’s an electrical problem in the motor. Or even a general electrical issue like a blown circuit breaker in the fuse box. Maybe the mobile phone app has a bug or has been infiltrated by a cyber virus. Maybe the signal to the opener is blocked because of radio frequency bandwidth overload or a transient environment condition. The cause could be in the garage door itself—maybe last night’s ice storm is preventing the door from freeing itself from the ground. What if the user looked at all of those conditions and none of them seem to fix the problem? How about the internet router or in-house hub? The situation can become quite complicated. Multiply this simple garage-door opener example by the tens of other connected devices in the home, and it’s easy to understand how confusing it can be to properly diagnose, let alone fix, a malfunction.
Service and Support Are the New Success Factors
In the face of so many inevitable malfunctions, the ability to quickly detect, analyze and repair problems will determine success for device manufacturers, integrators and service teams. Device manufacturers will need to provide warranties and software updates along with a helpful support center. ISPs and integrators will have to take on responsibility for the performance of a very wide and growing variety of complex devices. Company IT departments will be inundated with hundreds of new devices to support. Most of all, billions of individual consumers will turn to efficient service desks when the inevitable problems occur.