Abstract:
The IoT world is growing at a breathtaking pace, from nothing to everything. Adoption of Internet of Things technologies has been on the rise, and nearly every organization across the globe has taken a step forward with IoT projects. Still, the IoT is not yet able to withstand the cyber attacks seen around the globe. The problems include the inefficient architecture of the entire IoT system and the lack of a specialized security skill-set framework, neither of which is effective in blocking cyber attacks or usable on resource-limited IoT devices. Most cyber attacks on IoT products, which are due to password attacks, identity spoofing attacks, data modification attacks and the like, can be reduced to some extent as of now. These liabilities need to be removed so that we can save the extraordinary opportunity of the IoT. An inefficient IoT product development process can be made efficient through secure remote firmware updates, a secure communication process and a reduced attack surface. This paper presents our perspective on how organizations can prepare themselves to address these threats and secure the IoT opportunity.
Keywords: Cyber bullying, Data Privacy, HVACs, Internet of Things (IoT), Security framework
I. INTRODUCTION: Internet of Things
The Internet of Things is yet another revolution of this century. This new buzz is everywhere nowadays, and the technology is entering our lives at a fast pace. The IoT is all about connecting things with each other via the internet. The Internet of Things will probably change the world more drastically than anything in today’s scenario [5]. The IoT is one of the nascent technologies from a technical, social and commercial point of view. Projections of the impact of the IoT on the internet and the economy point to a transformation of the way we work, live and play. It has become top headline news in the technology press and the popular media. According to a recent report by international media, a number of industries and research organizations are working on a wide range of projects concerning the growing impact of the IoT on the internet and the economy over the coming years.
Figure 1: Growth of IoT products business (in $Billions)
II. INTRODUCTION: Cyber Attacks on IoT
There is little arguing with the transformative potential of the Internet of Things (IoT). However, the IoT business opportunity rests precariously on one critical factor – security. A spate of recent hacks and breaches has revealed glaring vulnerabilities in the IoT. The security risks of the IoT apply equally to the world of connected consumer devices and to industrial systems. While these experiments required physical access to the device, the possibility of a remote attack is not as far-fetched as it might seem, given the pace at which technology is advancing. The largest data hack even resulted in the theft of 40 million credit card numbers through Internet-enabled HVACs at a US retail hub. As the IoT continues to grow to an estimated 26 billion devices by 2020, Internet-enabled systems will become increasingly attractive targets for cyber attacks. This means the IoT will be more and more vulnerable to these malicious attacks. In this paper we examine how organizations approach security issues, assess the challenges they face in securing their IoT products, and present a blueprint for making security the cornerstone of an IoT strategy.
Figure 2: Reasons behind Cyber Attacks
III. TOP SECURITY THREATS TO IoT
3.1 Password Attacks:
A significant risk factor is the continued use of the default password provided by the manufacturer, which hackers can often crack easily. According to a survey, 7 out of 10 devices failed to require a password stronger than “12345”. These vulnerabilities arise from a lack of encryption features. Taking the example of a connected car: in 2014, a hardware system that tracks a car’s performance to give drivers instructions on improving driving efficiency was found not to encrypt communication between the device and the server. Hackers steal the car’s location and performance data and unlock doors remotely. Only around 10% of companies in the world provide password security to IoT consumers.
3.2 Inefficiencies in IoT product development:
There are many reasons for inefficiencies in IoT product development. Since most IoT products are built using inexpensive, low-margin chips, chip manufacturers are not adequately incentivized to provide patches for them. At the same time, vendors of IoT products, unlike PC and smartphone manufacturers, may not necessarily have the technical expertise required to develop patches. Consumers, in turn, may not be aware of updates or have the expertise to install them. According to our survey, 68% of customers lack awareness of security best practices, a major cause of security breaches.
3.3 Expanded attack surface:
Securing an IoT system is a challenge because of its multiple points of vulnerability. These include the IoT product and the embedded software and data residing within it. They also include the data aggregation platform, data centers used for analysis of sensor data, and communication channels. Securing all these surfaces is a major challenge for organizations. It requires implementing multiple features at the system level such as access control, account management, segregation of network and account, the use of secure protocols for data transmission and the management of firewall and antivirus updates.
3.4 Lack of Data Privacy:
Data privacy is also emerging as a major concern for consumers. A survey we conducted shows that 67% of retailers expressed concern for their customers about data privacy issues stemming from IoT products. According to our research, of 100 IoT startups across the world, 46% do not provide any privacy-related information regarding their IoT products. These industries also rarely enable consumers to control the collection and sharing of data from their IoT products. Only a few companies, like Fitbit, allow customers to opt in to or opt out of data collection and sharing services. Hence we need proper data privacy policies.
3.5 Lack of specialized security skills:
Despite growing awareness of the risks of cyber attacks, most organizations are not working towards building specialized security skill sets. Securing an IoT product requires multiple skills to cover the app, the device, the infrastructure and the communication channel. According to our survey, 35% of organizations cite a shortage of specialized security experts in their organization as a key challenge to securing IoT products. In a country like India, only 5% of companies are hiring IoT security experts in order to improve security.
3.6 Insufficient use of Third-Party support:
Every organization must tie up with another party to strengthen the security of its products. But, as we know, these third parties are of course of no use today, since they only chase money and want to get rich without supporting IoT consumers or providing them with a security framework. There are, however, a few organizations that are taking proactive steps to strengthen security by partnering with, or acquiring, specialized security firms. According to our research, only 30% of companies are partnering with specialized security firms as part of their IoT security strategy.
Figure 3: Type of cyber security incidents
IV. RESEARCH METHODOLOGY
We have done extensive research to understand the current state of security for IoT products. The research covered two core areas: the main survey on the security of the IoT, and closely assessed information from organizations and their privacy policies. We surveyed approximately 50 small to large industries and some startups, conducted special sessions with their executives and cyber security experts, and evaluated the data privacy policies governing the use of IoT devices in these organizations.
4.1 The Security of the IoT survey:
We started conducting surveys in July 2016 and covered more than 50 industries and executives involved in the development of IoT products. Survey respondents came from a range of industry segments, including wearables, medical devices, automotive, home automation, smart metering and industrial manufacturing. The survey focused on gathering information in the following areas: the current level of security in IoT products, the key challenges that organizations face in securing their IoT products, and the approach taken to secure IoT products.
4.2 Data Privacy Policy:
We researched the IoT data privacy policies of 50 companies across the wearables, medical devices, automotive and home automation segments. We evaluated all the information against the high level of transparency that must be provided to IoT consumers.
Table 1: Comparison of Cyber attacks from present to upcoming 5 years
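| Sr. no. | Country | Present cyber attacks (in %) | Cyber attacks after 5 years (in %) |
|---|---|---|---|
| 1 | Singapore | 30 | 12 |
| 2 | Australia | 17 | 2 |
| 3 | Brazil | 38 | 6 |
| 4 | France | 9 | 4 |
| 5 | Germany | 13 | 8 |
| 6 | Hong Kong | 26 | 12 |
| 7 | UK | 13 | 7 |
| 8 | Japan | 14 | 4 |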
V. APPLICATION BASED CYBER ATTACKS
5.1 Wearables
Wearable activity tracking devices are one of the hottest gifts right now, and it appears criminal hackers are paying attention to them. According to a survey we conducted, a number of product accounts at wearable manufacturing companies were recently discovered to have been compromised. This is not a large-scale breach in which the customer account database or server was compromised. In this case it appears that individual account passwords were stolen, guessed or brute-forced. Scammers can obtain compromised account credentials on the black market, sometimes from criminal hackers who have managed to infect computers with key-logging malware. Attackers can also try username/password combinations harvested from prior attacks on different systems to see if they work on the target website. Note that there is no indication that any of the account passwords were stolen from, or compromised by, wearable systems. These particular scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in. The scammers then used the hacked accounts to request new devices to replace “faulty” ones under warranty. Not surprisingly, the higher-end devices were targeted. One way to counter such attacks is this: if you see an account that was used in a suspicious way, or a large number of login requests for accounts coming from a small group of Internet addresses, lock the account and have the customer reconfirm specific information.
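The lock-and-reconfirm check described above, sketched as an added example (not code from the paper): it flags any source address that attempts logins on many distinct accounts within a short window, then lists the accounts that address actually got into. The log format, the 10-minute window and the threshold of 4 accounts are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2017-01-10T09:00:01 203.0.113.7 alice FAIL
2017-01-10T09:00:03 203.0.113.7 bob FAIL
2017-01-10T09:00:05 203.0.113.7 carol OK
2017-01-10T09:00:08 203.0.113.7 dave FAIL
2017-01-10T09:00:11 203.0.113.7 erin OK
2017-01-10T09:00:14 203.0.113.7 frank FAIL
2017-01-10T09:02:00 198.51.100.4 grace FAIL
2017-01-10T09:02:20 198.51.100.4 grace OK
2017-01-10T11:30:00 192.0.2.9 heidi OK
2017-01-10T11:45:00 192.0.2.9 ivan OK
"""

def parse(log_text):
    """Turn log lines into (time, ip, account, success) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, ip, account, result = parts
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events)

def stuffing_sources(events, window=timedelta(minutes=10), max_accounts=4):
    """IPs that tried more than max_accounts distinct accounts in one sliding window."""
    per_ip = defaultdict(list)
    for ts, ip, account, _ in events:
        per_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in per_ip.items():
        recent, seen = deque(), Counter()
        for ts, account in attempts:
            recent.append((ts, account))
            seen[account] += 1
            # Drop attempts that have fallen out of the window.
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) > max_accounts:
                flagged.add(ip)
                break
    return flagged

def accounts_to_lock(events, flagged_ips):
    """Accounts a flagged source logged in to: lock them and require reconfirmation."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged_ips})

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    bad = stuffing_sources(evts)
    print("flagged sources:", sorted(bad))
    print("lock and reconfirm:", accounts_to_lock(evts, bad))
```

A single user retrying their own password (198.51.100.4) and a shared address with two normal logins (192.0.2.9) stay below the threshold, which is why the count is over distinct accounts rather than raw attempts.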
5.2 Smart Home Automation
It is very easy for hackers to take over a “smart home” automation system and essentially get the PIN code to a home’s front door. They use a “lock-pick malware app”, which is one of four attacks that the cyber security researchers leveled at an experimental set-up of Samsung’s SmartThings, a top-selling Internet of Things platform for consumers. The work is believed to be the first platform-wide study of a real-world connected home system. At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective. One way to think about it is to ask whether you would hand over control of the connected devices in your home to someone you don’t trust, then imagine the worst they could do with that and consider whether you’re okay with someone having that level of control. Regardless of how safe individual devices are or claim to be, new vulnerabilities form when hardware like electronic locks, thermostats, ovens, sprinklers, lights and motion sensors is networked and set up to be controlled remotely. That’s the convenience these systems offer, and consumers are interested in it. As an indication of SmartThings’ growing use, its Android companion app, which lets you manage your connected home devices remotely, has been downloaded more than 100,000 times. SmartThings’ app store, where third-party developers can contribute SmartApps that run in the platform’s cloud and let users customize functions, holds more than 500 apps. We performed a security analysis of the SmartThings programming framework and, to show the impact of the flaws we found, conducted four successful proof-of-concept attacks. We demonstrated a SmartApp that eavesdropped on someone setting a new PIN code for a door lock, and then sent that PIN in a text message to a potential hacker.
The SmartApp, which we called a “lock-pick malware app”, was disguised as a battery level monitor and only expressed the need for that capability in its code. As an example, we showed that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock. The exploited SmartApp was not originally designed to program PIN codes into locks. We showed that one SmartApp could turn off “vacation mode” in a separate app that lets you program the timing of lights, blinds, etc., while you’re away to help secure the home. We also demonstrated that a fire alarm could be made to go off by any SmartApp injecting false messages.
5.3 Connected Cars
According to one experiment, hackers could potentially gain access to the engine or the steering wheel of a connected car. The experiment also showed how hackers could then wrench the wheels of the car to one side or even turn off the engine without warning. Car manufacturers are presently focusing mainly on connecting cars via the internet, so in the coming years we will see many more developments in the field of car-to-car communication and remote diagnostics. Because of this, however, we will be more and more vulnerable to malicious cyber attacks. We also found some new startups that offer telematics devices for connected cars and inform customers that they may permanently delete customer data at their own discretion upon termination of service.
Figure 4: % of customers who rate the IoT products in their industry high on suffering from cyber attacks
VI. CYBER APPROACHES TO SECURE IoT PRODUCTS
6.1 Integrated team of Security Specialists
The first step in securing an IoT system is to treat security as a fundamental element of the product value proposition. This means product manufacturers and security specialists must work together to plan the IoT product and conceptualize its essential features and functionality. To achieve this, organizations should set up an integrated team structure for IoT product development. This will help to ensure that business and security considerations are well balanced.
6.2 IoT product development process
The IoT product planning process should begin with a detailed risk analysis so that organizations have a clear view of the cyber threat landscape and a firm basis for choosing the right security features for their IoT products. The analysis should include a study of disruptive attack scenarios, especially those arising from new and advanced types of threats. In addition, organizations must quantify the financial and non-financial impact of potential attacks on the organization as well as on end users. The results of the risk analysis should feed into the IoT business plan, so that decisions on proceeding with product development and launch are based on a strong understanding of the potential risk factors.
6.3 Embedded Security at IoT product design process
This includes the design, coding, testing and evaluation.
6.3.1 Secured Design:
Security mechanisms must be defined and implemented in the hardware and software architecture, during the design phase of the product. Organizations must also pay special attention to the implementation of cryptographic mechanisms.
6.3.2 Secured coding:
A significant number of software vulnerabilities can be addressed if organizations adhere to secure coding standards and best practices. Specific mechanisms such as code obfuscation should be implemented to prevent the reverse engineering of source code.
6.3.3 Rigorous testing:
IoT products should be subject to stringent security testing – including application security testing, functional testing and penetration testing – for the hardware as well as software components of the IoT system.
6.3.4 Security evaluation:
As the final step of securing their IoT products, organizations should liaise with specialized third-party security firms that have an Information Technology Security Evaluation Facility (ITSEF) to ensure that these products go through a formal security evaluation process, such as Common Criteria. Such an evaluation from a certified lab could in turn enable an organization to obtain an international security certificate for its IoT products.
VII. MOTIVATION
Since the purpose of all IoT processes is to take in information at a physical point and motivate a decision based on that information (sometimes with physical consequences), security measures can focus on one or more parts of the IoT process. As noted earlier, the risks to IoT begin with the specific device, but are certainly not limited to it. Developers, manufacturers, and service providers should consider specific risks to the IoT device as well as process and service, and make decisions based on relative impact to all three as to where the most robust measures should be applied.
VIII. ADVANTAGES:
- Protects the system against viruses, worms, spyware and other unwanted programs.
- Protects data from theft.
- Protects the computer from being hacked.
- Minimizes computer freezing and crashes.
- Gives privacy to users.
IX. LIMITATIONS
- Internet – As all the devices are completely dependent on the internet, they are more prone to cyber attacks. Thus the connection between the internet and these devices must be encrypted with high security.
- Power supply – After the internet connection, another major utility is the main power supply, which the appliances need at all times. If the power supply is lost or switched off, i.e. comes under the control of hackers via installed HVACs through the internet, the system can no longer be controlled by the user. Thus a secure power backup system must be in place.
- Expensive – Much as we love smart technologies that make our lives luxurious, and love to buy them, the market is still emerging and these IoT-based secure systems are too expensive and out of reach of the common man.
X. CONCLUSION AND FUTURE WORKS
This paper has presented an overview of cyber attacks on IoT technology and various approaches to securing IoT products. By employing these basic capabilities, various exceptional attacks can be defeated. The development of major IoT products in many large-scale automation industries would be enhanced by following these cyber security approaches to IoT technology. More attention to both the capacity and the capability of the cyber security workforce is needed. The need for cyber security workers is likely to continue to be high, and this will help capitalize on this tremendous opportunity. However, future planning, or future thinking, started in military intelligence circles as a way to create flexible long-term plans. Future planning may involve aspects of systems thinking, specifically the recognition that many factors may combine in complex ways to create surprising scenarios.
XI. ACKNOWLEDGEMENT:
We are grateful to the executives of IT companies in India who not only provided insight and expertise but also shared experiences that greatly assisted us during the course of this paper. We are also very thankful to Prof. Mrs. xxx and especially to our parents for their constant support and motivation.
XII. REFERENCES:
- Yang, G., Xu, J., et al.: Security Characteristic and Technology in the Internet of Things. Journal of Nanjing University of Posts and Telecommunications (Natural Science)
- Weber, R.H.: Internet of Things-New security and privacy challenges. Computer Law & Security Review
- Liu, Y., Hu, W.: Security Model and Key Technology of the Internet of Things. Digital Communication
- Soumyalatha, Hegde, S.G.: Study of IoT: Understanding IoT Architecture, Applications, Issues and Challenges. International Journal of Advanced Networking & Applications (IJANA), ISSN: 0975-0282
- Baecker and Zanetti – “The Role of Smart Prevention Technology within the Internet of Things”
- Sripan, Xuanxia Lin, Ponchan Petchlorlean and Mahask Ketcham, “Internet of things”, MIT
- ComputerWorld, “Target attack shows danger of remotely accessible HVAC systems”, February 2014
- Bloomberg, “Target’s Data Breach: The largest retail hack in U.S. history”, May 2014
XIII. BIOGRAPHY:
xxx was born in India in 1996. He is pursuing a B.Tech in Electronics and Communication Engineering at xxx Engineering College, Mohali (India). He is a student member of the Institute of Electronics and Telecommunication Engineers (IETE), New Delhi. His main areas of research interest are Wireless Communication, Robotics, Optical Fibers and Internet of Things.
xxx was born in India in 1996. He is pursuing a B.Tech in Electronics and Communication Engineering at xxx Engineering College, Mohali (India). He is a student member of the Robotics Society of India (RSI). His main areas of research interest are VLSI, Robotics and cloud computing.