At first glance, IoT is just an expansion of the cloud, which sometimes leads to the misperception that as long as an IoT application runs on a cloud system that has been secured, it will inherently possess the same level of security. However, the inherent interconnected characteristics of IoT applications present special security challenges that are not present in traditional cloud systems and are therefore not addressed by existing cloud security practices.
As a case in point, user management in the cloud is simplified by the fact that permissions are typically granted to one human being using one application. The presence of that human puts firm boundaries around the authentication and authorisation process. With IoT, on the other hand, devices may authenticate as themselves, as a human, or on behalf of a human, requiring a much more complex permissions and trust model. For instance, the absence of a human user for the vast majority of IoT devices eliminates the possibility of using techniques that rely upon the human user for authentication, such as entering a user name and a password, or for authorisation, such as clicking OK to permit a software update.
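As an added illustration (not code from the paper), the following Python model captures the three cases described above: a device acting as itself, a device acting on behalf of a human under an explicit delegation, and an action that requires a present human and so can never be delegated to a device. The principal types, action names and delegation scheme are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Illustrative model (assumed, not from the paper): a request carries the principal
# that presented credentials (a device or a human) and, for a device acting for a
# person, the human on whose behalf it acts. Permission depends on that combination,
# not just on "who logged in" as in a conventional cloud application.

@dataclass(frozen=True)
class Principal:
    kind: str    # "device" or "human"
    ident: str

@dataclass(frozen=True)
class Delegation:
    """A human has explicitly allowed one specific device to perform these actions for them."""
    human: Principal
    device: Principal
    scopes: FrozenSet[str]

@dataclass(frozen=True)
class Request:
    actor: Principal                            # who authenticated (holds the key/certificate)
    action: str
    on_behalf_of: Optional[Principal] = None    # human the device is acting for, if any

# Actions a device may take in its own right, e.g. publishing its own readings.
DEVICE_OWN_ACTIONS = frozenset({"publish_telemetry", "fetch_config"})
# Actions a human may take after an interactive login (simplified: one set for all humans).
HUMAN_ACTIONS = frozenset({"unlock_door", "approve_firmware_update"})
# Actions that need a live human decision (the "click OK" case); never delegable to a device.
HUMAN_PRESENCE_REQUIRED = frozenset({"approve_firmware_update"})

def authorize(req: Request, delegations: Iterable[Delegation]) -> bool:
    """Return True if the request is permitted under the device/human trust model."""
    if req.actor.kind == "human":
        return req.action in HUMAN_ACTIONS
    if req.actor.kind != "device":
        return False                        # unknown principal type: fail closed
    if req.action in HUMAN_PRESENCE_REQUIRED:
        return False                        # no human is present, even with a delegation
    if req.on_behalf_of is None:
        return req.action in DEVICE_OWN_ACTIONS    # device acting as itself
    # Device acting for a human: require an explicit delegation that covers this action.
    return any(
        d.device == req.actor and d.human == req.on_behalf_of and req.action in d.scopes
        for d in delegations
    )
```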
Another difference between the cloud and IoT is that IoT typically has many more devices, often several orders of magnitude more, and these devices come in many different flavours and use many different operating systems and protocols. In order to do serious damage, a hacker typically does not need to penetrate all or even many of these devices but can instead focus on a small number of weakly protected devices, or even a single one. The variety of device types that must be managed and secured is therefore a further element of the IoT security challenge.
In many applications it’s necessary to assume that IoT endpoints deployed in the field can easily be scanned and probed, disassembled and studied by a potential hacker in an effort to identify their weaknesses. As a result, organisations that are designing new connected products need to ensure that all of their devices and applications remain secure even against an attacker who has perfect knowledge of how their IoT endpoints operate.
The security challenges of IoT are heightened by the increasingly critical types of devices that are connected and the potential damage that could be produced by taking control over them. For example, security researchers recently demonstrated that they could remotely disable the wheels and brakes of a popular sport utility vehicle (SUV).
Students remotely took control of the pacemaker implanted in a robotic dummy patient used to train medical students and showed that, had it been implanted in a real patient, they could have caused life-threatening injuries or even death. Hackers demonstrated the ability to take control of a Wi-Fi connected rifle in order to aim it at a different target or prevent it from firing. One of the most damaging real-world IoT hacks to date is the attack on the Ukrainian power grid in late 2015 that left 230,000 homes and businesses in the dark for up to six hours during the cold Ukrainian winter.

Application vulnerabilities present another serious security issue. Hackers can potentially gain instant, high-level access to IoT deployments by targeting security weaknesses in the firmware and applications running on embedded systems. If your IoT implementation is not properly managed, a single compromise of one device could potentially lead to compromise of your entire system. This is particularly important in environments where the devices are deployed in other organisations’ networks: mitigating security issues on these devices can be difficult because your organisation does not control the environment. For this reason, among others, avoiding application vulnerabilities in your IoT solution is extremely important.
Read “Protecting Smart Devices and Applications” for a practical discussion of: