by Süleyman Petek
28. September 2015 20:30
Internet of Things, aka "IoT", has become a very popular term recently. Many large companies are investing in this area. We can also say that another popular term, "Big Data", overlaps with IoT. The architecture of the original Internet was created long before communicating with billions of simple devices such as sensors and appliances was ever envisioned. The upcoming explosion of these simple devices creates enormous challenges for the current networking paradigm. The scope and range of the devices to be connected are huge, and the connections to the edges of the network where these devices will be set up will be low-speed, lossy and intermittent. Within a few years, devices on the IoT will outnumber human beings on the planet, and the number of devices will continue to grow.
Here are some basic design guidelines:
- It should specify as little as possible and leave much open for others to innovate.
- Systems must be designed to fail gracefully, seeking not to eliminate errors but to accommodate them.
- Graduated degrees of networking functionality and complexity are applied only where and when needed.
- The architecture is created from simple concepts that build into complex systems using the analogy provided by natural phenomena.
Many products on the market today carry the IoT label but lack a basic security architecture. It is very easy for a knowledgeable person to take control of such devices for malicious purposes. Management knows how to manage known risks, but does not know how to measure them in the field of IoT and computer communication. We can list the attack types as:
- Denial of Service
- Breaking the Stored Credentials / Guessing the Credentials
- Man in the Middle
- Network Sniffing
- Port Scanning / Web Crawling
- Search Features & Wildcards
And how can we protect ourselves?
- Virtual Private Networks
- Certificates & Encryption
- Authentication of things
According to the HP Fortify 2014 IoT Security report:
- Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials
- 70% of devices used unencrypted network service
- 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application
- 60% raised security concerns with their user interfaces
etc.
You can also check OWASP for IoT; they list the top 10 for 2014 as below:
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security