With billions of connected devices already deployed worldwide, IoT security is becoming a thorny issue. The Mobile Ecosystem Forum Global Consumer Survey found that 60% of people worry about connected objects, naming privacy and security as their main concern. Nearly one third of consumers name home security among the least trusted objects connected to the internet. Other smart things that raise major concerns when linked to the internet are cars, TVs, irons, heating systems, smoke detectors, ovens, and lighting.
While people become increasingly concerned about securing connected devices from intrusions that might compromise their information and privacy, IoT developers face a number of impediments to ensuring protection from security threats.
The key roadblocks that stand in the way of secure IoT are as follows:
The number of connected devices continues to rise significantly across many sectors, with industry forecasts expecting it to at least double between 2016 and 2020. This presents an exponentially larger attack surface. Moreover, the extreme proliferation of IoT pushes developers toward rapid development cycles in order to bring their solutions to market faster and stay competitive. As a result, manufacturers might cut corners and ship connected devices that lack security features.
The pace of innovation has generated requirements for millions of devices, most of them network-connected (primarily wirelessly) in some capacity. Unfortunately, most of these devices have little or no protection at the software and infrastructure levels.
Data privacy remains a burning issue in the IoT industry for both developers and consumers. Enormous volumes of data from a wide range of inputs are collected and analyzed every day, which makes it difficult to process data securely. Worse still, consumers are unaware of what personal data is being collected and how it is being used. You can’t be 100% sure that a smart TV with voice recognition, which listens to conversations and transmits data to the cloud, is not accessed by third parties.
The great diversity of connected devices makes it difficult for manufacturers to adopt a uniform, agreed-upon standard for IoT security. Many IoT standards are being developed, such as Linux-backed AllJoyn, Intel’s Open Interconnect Consortium, IEEE P2413, and the ITU-T SG20 standard for smart cities, but they all have little chance of gaining widespread acceptance. Without proper standardization to guide and regulate IoT manufacturers, security is jeopardized.
Many IoT devices fall down when it comes to authentication, because they are often protected only by a default password or a weak, simple password. Statistics show that 73% of adults use the same password for everything, which is explained by the difficulty of creating secure passwords and remembering them. As a result, IoT security is compromised. Manufacturers should take this seriously and start implementing new approaches to authentication, such as biometric authentication or digital certificates.
Unsecured IoT gives more entry points to malware and ransomware attacks aimed at hacking connected devices. Suffice it to recall such high-profile attacks as Mirai, Brickerbot, and Reaper. They affected a huge number of users and caused considerable financial losses to businesses.
For example, the Mirai DDoS attack infected over 600,000 vulnerable IoT devices and resulted in a financial loss to the popular DNS provider Dyn, as 8% of Dyn’s customer base stopped using its services after it was compromised. Popular services, including Twitter, Spotify, Netflix, and Airbnb, were taken down for hours as a result of the Mirai infection. Therefore, IoT security needs to be taken seriously, particularly before businesses start to connect mission-critical devices and systems.
An even more dangerous scenario is when a connected device is hacked not for money, but to hurt or cause physical damage to the end user. In a smart home, consumers might suffer from extremely low or high temperatures if a cybercriminal hacks a connected thermostat. The consequences of IoT attacks might even be fatal if someone breaks into life-sustaining medical devices, like insulin pumps or heart defibrillators.
One of the possible solutions for protecting people in a connected world is applying the triple‑A (AAA) security approach, where the three “A”s stand for authentication, authorization, and accounting. This is a generally accepted model for controlling access and ensuring data privacy.
Authentication verifies a user’s identity based on a unique set of credentials, the most traditional being a username and a password. If the presented credentials match those stored on the AAA server, the user gains access to the connected device. As noted above, a password is the most commonly used but least secure method of authentication. More advanced authentication mechanisms, such as digital certificates, biometric credentials, response questions, and tokens, enable greater IoT security. Several mechanisms might be combined; this is referred to as multifactor authentication.
In the IoT, we also talk about device authentication, which is carried out in a way similar to user authentication. Based on certain credentials, a connected device authenticates itself and is then authorized to transfer data. The device authentication process makes it possible to ensure that only trusted devices can send data.
Authorization defines whether a user has the rights and permissions to see certain information and to perform certain tasks. Typically, it follows authentication: after a user logs in to a device, the server receives a request for a certain action and approves or rejects access to the resources involved. The amount of information and the services a user has access to vary depending on their authorization level. Without strong authorization, hackers will be able to gain unauthorized access to IoT devices and take control of them. They might cause complete chaos in smart cities by controlling all the lights or the traffic flow, for example.
Accounting, the final element of AAA security, tracks and measures a user’s activity while working with an IoT device: time spent in the system, data that the user sends or receives during a session, actions that the user performs, and more. This is done mainly for analytical and planning purposes, but it might also be used to bolster security. For example, by utilizing special accounting mechanisms one can detect unusual behavior, such as repeated invalid login attempts, which might indicate an attack.
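To make the three components concrete, here is a small AAA server for a thermostat-style device, written as an added example for this article (it is not code from the article or from any real AAA product). It ties together the points made above about weak password-only logins, user authentication with a second factor, device authentication by challenge-response, role-based authorization, and accounting that flags repeated failed logins. The role names, permitted actions, the 3-failures-in-60-seconds threshold, the simplified time-based one-time code, and all keys and secrets are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed policy: the actions each role may perform on a thermostat-like device.
ROLE_PERMISSIONS = {
    "viewer": {"read_temperature"},
    "operator": {"read_temperature", "set_temperature"},
    "admin": {"read_temperature", "set_temperature", "firmware_update"},
    "device": {"send_telemetry"},
}
FAILED_LOGIN_THRESHOLD = 3   # accounting: flag a principal after this many failed logins
FAILED_LOGIN_WINDOW = 60.0   # ...within this many seconds (assumed values)


def hash_password(password, salt):
    """Salted PBKDF2 digest; the server stores this, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def one_time_code(secret, now, step=30):
    """Simplified time-based second factor: HMAC of the 30-second counter, 6 digits."""
    digest = hmac.new(secret, str(int(now // step)).encode(), "sha256").digest()
    return str(int.from_bytes(digest[:4], "big") % 1_000_000).zfill(6)


def device_signature(key, device_id, nonce):
    """Challenge-response proof that a device holds its provisioned key."""
    return hmac.new(key, device_id.encode() + nonce, "sha256").hexdigest()


class AAAServer:
    def __init__(self):
        self.users = {}      # username -> (salt, password digest, role, second-factor secret)
        self.devices = {}    # device_id -> provisioned shared key
        self.sessions = {}   # session token -> (principal, role)
        self.pending = {}    # device_id -> outstanding challenge nonce
        self.records = []    # accounting log: (timestamp, principal, event, success)

    def add_user(self, username, password, role, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), role, totp_secret)

    def add_device(self, device_id, key):
        self.devices[device_id] = key

    def _account(self, principal, event, success, now):
        self.records.append((now, principal, event, success))

    # Authentication: password plus one-time code (multifactor), constant-time compares.
    def authenticate_user(self, username, password, code, now=None):
        now = time.time() if now is None else now
        ok, role = False, None
        rec = self.users.get(username)
        if rec is not None:
            salt, digest, role, totp_secret = rec
            ok = (hmac.compare_digest(hash_password(password, salt), digest)
                  and hmac.compare_digest(code, one_time_code(totp_secret, now)))
        self._account(username, "login", ok, now)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (username, role)
        return token

    # Device authentication: the server issues a nonce, the device signs it with its key.
    def challenge_device(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def authenticate_device(self, device_id, signature, now=None):
        now = time.time() if now is None else now
        key = self.devices.get(device_id)
        nonce = self.pending.pop(device_id, None)   # single use: a replayed proof fails
        ok = (key is not None and nonce is not None
              and hmac.compare_digest(signature, device_signature(key, device_id, nonce)))
        self._account(device_id, "device_auth", ok, now)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (device_id, "device")
        return token

    # Authorization: the session's role decides whether the requested action is allowed.
    def authorize(self, token, action, now=None):
        now = time.time() if now is None else now
        principal, role = self.sessions.get(token, ("unknown", None))
        ok = action in ROLE_PERMISSIONS.get(role, set())
        self._account(principal, action, ok, now)
        return ok

    # Accounting: principals with repeated failed logins inside the window.
    def suspicious_principals(self, now=None):
        now = time.time() if now is None else now
        failures = defaultdict(int)
        for ts, principal, event, success in self.records:
            if event == "login" and not success and 0 <= now - ts <= FAILED_LOGIN_WINDOW:
                failures[principal] += 1
        return {p for p, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
```

A user session is only issued when both the password and the one-time code check out, so a leaked or default password alone is not enough to log in; a device session is only issued for a fresh server-chosen nonce, so a captured proof cannot be replayed. Every login, device check and action request lands in the accounting log, and `suspicious_principals()` reads that log back to surface the pattern of repeated failed logins the paragraph above describes.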
The three “A”s of IoT security rely heavily on each other. Implementing only one or two of the components opens up security holes which might be exploited. By applying authentication, authorization, and accounting all together, companies that render IoT development services will ensure greater security of their connected devices.
The triple‑A approach is not a solution to all security issues, but it might help to stem the flow of attacks and eliminate at least two of the major challenges mentioned above in the IoT ecosystem. First, this approach addresses data privacy needs by managing who has access to the data the connected device is generating, processing, sending, and receiving. Second, it serves as a means of countering poor authentication, provided that improved methods of user verification are used instead of a plain password-based login.
To achieve maximum security and reliability of connected devices, the IoT industry should deploy a multifaceted approach affecting every aspect of design and development.