IoT network elements are capable of exchanging data without direct human involvement. Turning devices into independent Internet nodes has led to a significant reduction in system security. All smart devices connected to the network transmit data relevant to their functionality through the network, which is a target for cybercriminals.
The security of IoT devices is primarily ensured by maintaining code integrity, authenticating users and devices, assigning ownership rights to users (including generated data), and the ability to repel virtual and physical attacks.
In 2015, OpenDNS conducted a global study that examined enterprise networks using IoT. The researchers drew an extremely disappointing conclusion for users: the Internet of Things is not secure. The security of the infrastructure used to connect smart devices is often unchecked. HP also conducted an independent study of Internet of Things security, not for businesses, but for ordinary consumers. This study also revealed a huge number of vulnerabilities - from the use of default passwords, to the use of unsecured web interfaces used by most gadgets to connect to the IoT. HP additionally discovered that virtually all of today's devices collect data about their owners without any authorization or notification.
Researchers predict an increase in cybercrime in IoT - this is due to the large number of weaknesses in the system. Analysts identify several important vulnerabilities that pose a threat not only to companies, but also to ordinary users.
One of the biggest IoT security challenges is the sheer number of new devices connecting to the network every day. According to analysts at Gartner, the number of connected devices exceeded 14.2 billion units in 2019, and the number is increasing by millions every day. Assuming each new gadget has just one security problem, we get millions of new vulnerabilities on the overall network every day.
Bots allow attackers to stealthily control infected devices. With the advent of the Internet of Things there are more opportunities to create entire botnets, which is due to the loss of autonomy of physical devices - many things no longer work independently, they are integrated into a single system and are unable to function in isolation from it. And as mentioned above, processes within the IoT are often not controlled.
Modern devices collect massive amounts of data about their users. Some of them require not only a password, but also a user name, contact information, and biographical information. This amount of information requires strong and high-quality security, but at the moment, the IoT can't boast about security. The problem is also exacerbated by the fact that users often do not change their default logins and passwords. This makes it much easier for attackers and botnets.
Every year there are more and more attacks on smart systems. It is expected that in 2022, the biggest threats will be in the credit sector, as they provide the greatest opportunities for attackers to make money, and it is in the banking sector that a very high growth in the number of smart devices involved can be seen. There have been many incidents where hackers have managed to gain access to devices.
In 2017, Verizon reported a powerful cyberattack on a major U.S. university (the name of the institution was not disclosed). In the attack, attackers used 5,000 devices on campus at once. The hackers hacked into all of these devices and made them send DNS queries.
This was the first time local security professionals had encountered an attack through smart devices and could not quickly figure out a way to regain access to the hijacked gadgets. Subsequent analysis revealed that a botnet was behind the attack, taking over the network. Hackers gradually gained access to the devices through password brute-forcing.
A variety of devices are vulnerable to cyberattacks, even smart toilets, as proven by a team of Panasonic's enterprise security experts.
Experts proved it was easy to hack into a toilet that was controlled via Bluetooth from a smartphone. Hackers were able to gain full access to the device, for example, they were able to start the water flush at any time.
The figures provide a better estimate of the scale of cyber attacks on smart devices. Employees of "Kaspersky Lab" since the beginning of 2019 record hacker attacks on smart devices with the help of honeypots - special baits for hackers. They managed to record more than 105 million attacks on IoT devices, which were carried out from 276 thousand unique IP addresses.
In 2018, the experts recorded only 12 million attacks. Thus, attackers have significantly expanded their influence over the year, and there is no reason to believe that the number of attacks will decrease in the future.
Experts recognize that the reason for the security problems of the Internet of Things is not the lack of qualifications of developers, but the pursuit of profit. It is important for companies to speed up the release of a new device on the market. Some manufacturers prefer to sacrifice security to gain an advantage over competitors.
Even today, many companies produce smart gadgets without investing a lot of resoruces and time in code testing and security system improvement. For this reason, the market grows very fast, technologies develop, but users suffer.
The introduction of certification can make manufacturers reconsider their attitude to the security of manufactured "smart" gadgets. It is not a revolutionary idea, but in the long term it gives an opportunity to reduce the scale of the problem. Ideally, certification should be simple and fast enough for the manufacturer not to become an obstacle to progress, but at the same time it should provide users with good protection against any possible attacks.
Several private organizations are currently working on the certification of smart devices, such as the Online Trust Alliance (OTA), which has prepared an initiative to solve the problem. Thus, a unique list of criteria for the developers of new equipment was released, compliance with which can improve security and protect the confidential data of users.
Certification confirms that the device or system provides the necessary level of security, taking into account possible risks. It also confirms that new versions of the device software will not lead to a loss of security.
However, certification cannot guarantee one hundred percent security - it is only one level of protection. And the presence of such a document still leaves the possibility of intruders gaining access to the device.
Security certifications are a way to control manufacturers, but they do not fully ensure the security of users. To improve the reliability of smart devices, work must be done with an eye toward effective methods for securing the Internet of Things as a whole.
An obligatory point in security is the protection of devices, which largely consists in protecting the integrity of the code. It is necessary to guarantee the security of code launching - a cryptographic signature. Special protection during code execution is also needed to prevent it from being rewritten by various hacker programs.
A cryptographic signature confirms that the code was not hacked or rewritten and thus remained completely safe. Code security can be implemented at the application and firmware levels. To keep the entire system secure, it is important that all connected devices can only run signed and therefore fully secure code. Devices also need protection in other stages of operation. In these phases, host protection can be used to provide hardening. It provides the ability to differentiate access, control connections, protect against intrusion, and provide security based on user behavior and reputation.
Unfortunately, even good security cannot guarantee that there are no vulnerabilities: devices have to be patched repeatedly, which takes time. This leads to the reconstruction of the code, which gives attackers the ability to find new problems in it.
This is why gadgets need to be constantly monitored and managed remotely so that the user only ever uses equipment that is protected and secure.
Any protection measures taken sooner or later lose their relevance and reliability, so it is necessary to constantly analyze the security of the entire IoT system and individual devices within it. Analytics systems must better understand the network as a whole, see its peculiarities, and notice suspicious and dangerous anomalies.
IoT security was one of the first uses of blockchain technology. This technology allows the communication protocols and interaction results of IoT devices to be stored in a decentralized system. A distributed blockchain architecture provides greater security for the IoT system: even if some devices are compromised, the entire system will not be affected. A distributed system model allows you to get rid of a compromised device without appreciable damage to the interaction between "healthy" objects.
In the context of security, blockchain can be used in areas where IoT is developing most intensively. For example, it is authentication management, checking the performance of different services, ensuring the indivisibility of information, etc. To date, the main task set by the experts is to develop a blockchain-based distributed database and information exchange protocol between IoT devices.
IoT systems can be very complex and require complex security measures. Today, IoT is just developing, and like any new technology, it still faces many challenges and obstacles.
However, both users and large companies, ready to invest resources in development and security research, are interested in rapid development. There is no simple and universal solution, but by taking steps in the right direction, it is realistic to eliminate any vulnerabilities. It is safe to say that the IoT has a great future ahead of it.