Uploaded by malshihansana128

IOT security

Security of IOT
IoT security.
• IoT devices are being deployed into networks at a phenomenal rate, up to
1 million devices each day.
• While IoT solutions are enabling new and exciting ways to improve
efficiency, flexibility, and productivity, they also bring a new risk to the
network. Frequently designed without security, IoT devices have become
a new threat vector for bad actors to use when launching attacks. One of
the biggest concerns in IoT is making sure that networks, data and devices
are secure.
• IoT devices are small in scale and deployed in large numbers, so regular
security updates and security mechanisms are often lacking.
IoT Security Issues
• Unfortunately, many IoT devices are not designed with security in mind. In many cases,
these devices lack the processing power and storage capabilities to support the
installation of additional security on the device itself, which means that companies and
users cannot protect the endpoint beyond the existing security features. Instead,
organizations must rely on network security capabilities to prevent attacks, as well as
detect and remediate threats as they arise.
• Even those devices that support the installation of additional security measures may
not be compatible with the company’s existing cybersecurity tool set. Disparate
operating systems and a variety of hardware almost guarantee that the organization
will not be able to protect all connected devices using the same tools, policies and
procedures.
• Further, IoT devices, like traditional endpoints, require patching and OS updates. The
sheer number of connected devices makes it difficult for organizations to manage this
activity, especially if the devices are owned by employees.
• Finally, connected devices may not require strong password practices — a point that is
compounded by the fact that many people underestimate the risk posed by
non-traditional connected devices.
IoT Security.
• Threat to users.
1) Data theft.
IoT devices contain vast amounts of data that is unique to their
individual users, including online browsing and purchase records, credit card
details and personal health information. An improperly secured device leaves
this data vulnerable to theft.
2) Physical harm.
IoT devices are commonplace in the medical industry, including pacemakers,
heart monitors and defibrillators. Doctors can fine-tune these devices remotely,
so there is a high chance that other people could interfere with the devices.
• Threat to others.
IoT devices are vulnerable to being hijacked and used in a botnet, a
collection of malware-infected, internet-connected devices.
Discovering unprotected devices is not difficult and can be easily achieved by
running widely available scripts or tools. This is best exemplified by the
existence of Shodan, a publicly available search engine made for the
discovery of such devices.
Vulnerabilities and security issues.
• Unpatched vulnerabilities.
Connectivity issues or the need for end-users to manually download
updates directly from a C&C center often result in devices running on
outdated software, leaving them open to newly discovered security
vulnerabilities.
• Weak authentication.
Manufacturers often release IoT devices (e.g., home routers) containing
easily decipherable passwords, which might be left in place by vendors and
end-users. When left open to remote access, these devices become easy prey
for attackers running automated scripts for bulk exploitation.
• Vulnerable APIs.
As a gateway to a C&C center, APIs are commonly
targeted by a variety of threats, including Man in the Middle (MITM), code
injections (e.g., SQLI), and distributed denial of service (DDoS) assaults.
How to put the S (for security) into IoT development.
Authenticate all services.
• IoT systems deal with both end-user communication and machine-to-machine (M2M)
communication.
• End-user authentication can be done with a username/password, a certificate or
two-factor authentication. Machine-to-machine authentication requires a public key
infrastructure and certificates that are deployed to each device within a system.
• In many IoT devices, there is no console.
• Authentication is a model for building trust in the identity of IoT machines and devices to
protect data and control access when information travels via an unsecured network such
as the Internet.
• Strong IoT authentication is needed so that connected IoT devices and machines can be
trusted to protect against control commands from unauthorized users or devices.
• Authentication also helps prevent attackers from claiming to be IoT devices in the hope of
accessing data on servers such as recorded conversations, images, and other potentially
sensitive information.
IoT Authentication.
• One-way authentication: in the case where two parties wish to
communicate with each other, only one party will authenticate itself to the
other, while the other party will not be authenticated.
• Two-way authentication: also referred to as mutual authentication, in
which both entities authenticate each other.
• Three-way authentication: the central authority authenticates the
two parties and helps them to authenticate each other.
• Distributed: using a distributed straight authentication method between the
parties to the communication.
• Centralized: using a centralized server or a trusted third party to distribute
and manage the authentication certificates used.
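The two-way (mutual) authentication described above, worked through as a signed-nonce exchange between a device and a server. This Go program is an added example, not part of the original slides; the `Party` type, the role labels and the message layout are assumptions made for illustration, and pinned public keys stand in for certificates issued by a PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party holds its own private key and the pinned public key of its peer
// (pinning stands in for validating the peer's certificate through the PKI).
type Party struct {
	Role string
	Priv ed25519.PrivateKey
	Peer ed25519.PublicKey
}

// transcript is what gets signed: the signer's role plus both fresh nonces, so
// a signature cannot be replayed in a later run or reflected back to its sender.
func transcript(role string, nd, ns []byte) []byte {
	return append(append([]byte(role+"|"), nd...), ns...)
}

// MutualAuth runs the three-message exchange and reports what each side concluded.
func MutualAuth(dev, srv Party) (devTrustsSrv, srvTrustsDev bool) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	nd, ns := n[:16], n[16:] // msg 1: device sends nd; msg 2: server sends ns and sigS
	sigS := ed25519.Sign(srv.Priv, transcript(srv.Role, nd, ns))
	if !ed25519.Verify(dev.Peer, transcript("server", nd, ns), sigS) {
		return false, false // device aborts: the server did not prove its identity
	}
	sigD := ed25519.Sign(dev.Priv, transcript(dev.Role, nd, ns)) // msg 3: device sends sigD
	return true, ed25519.Verify(srv.Peer, transcript("device", nd, ns), sigD)
}

// demoAuth: a genuine device, then an impostor whose key the server never pinned.
func demoAuth() (genuineOK, impostorOK bool) {
	dPub, dPriv, _ := ed25519.GenerateKey(nil) // constructed throwaway keys
	sPub, sPriv, _ := ed25519.GenerateKey(nil)
	_, xPriv, _ := ed25519.GenerateKey(nil) // impostor's own key
	srv := Party{"server", sPriv, dPub}
	_, genuineOK = MutualAuth(Party{"device", dPriv, sPub}, srv)
	_, impostorOK = MutualAuth(Party{"device", xPriv, sPub}, srv)
	return
}

func main() { fmt.Println(demoAuth()) }
```

Stopping after the device has checked the server's signature would be the one-way case from the list: the server is authenticated, the device is not.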
Encrypt data with the industry standards.
• IoT devices deal with data. Data must be protected as it travels from the
device, across the internet and into the cloud.
• It is best to use industry-standard, peer-reviewed cryptographic functions.
• Encryption standards.
1) DES standard
• The Data Encryption Standard (DES) is a symmetric-key block cipher.
• DES is an implementation of a Feistel cipher. It uses a 16-round Feistel
structure. The block size is 64 bits. Though the key length is 64 bits, DES has an
effective key length of 56 bits, since 8 of the 64 bits of the key are not used
by the encryption algorithm.
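The statement that 8 of the 64 key bits are not used can be checked directly: two keys that differ only in the low (parity) bit of each byte encrypt to the same ciphertext. This Go program is an added example, not part of the original slides; the key and data block are constructed sample values. The 56-bit effective key it demonstrates is the reason DES is no longer considered secure.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// encryptBlock encrypts a single 8-byte block with single DES.
func encryptBlock(key, block []byte) []byte {
	c, err := des.NewCipher(key) // accepts exactly 8 key bytes (64 bits)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// flipBits returns a copy of key with mask XORed into every byte.
func flipBits(key []byte, mask byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b ^ mask
	}
	return out
}

// sameCiphertext reports whether key and its masked variant encrypt block
// to the same ciphertext, i.e. whether the flipped bits are ignored.
func sameCiphertext(key, block []byte, mask byte) bool {
	return bytes.Equal(encryptBlock(key, block), encryptBlock(flipBits(key, mask), block))
}

func main() {
	key := []byte{0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1} // constructed sample key
	block := []byte("IOT-DATA")                                    // constructed 8-byte block

	// Mask 0x01 flips the low (parity) bit of each byte: 8 bits in total.
	fmt.Println("parity bits ignored:", sameCiphertext(key, block, 0x01))
	// Mask 0x02 flips one real key bit per byte: the ciphertext changes.
	fmt.Println("key bits ignored:   ", sameCiphertext(key, block, 0x02))
}
```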
2) AES standard
• AES is an iterative rather than Feistel cipher. It is based on a ‘substitution–
permutation network’. It comprises a series of linked operations, some of
which involve replacing inputs by specific outputs (substitutions) and others
involve shuffling bits around (permutations).
• Interestingly, AES performs all its computations on bytes rather than bits.
Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16
bytes are arranged in four columns and four rows for processing as a matrix.
Implement built-in security
• As IoT devices continue to expand, the amount of data they contain also
expands. Built-in security is very important for this reason.
• IoT development must therefore embrace security and security user stories,
and understand the encryption that is utilized.
• Open-source software needs to be tracked and regularly updated.
Secure automatic over-the-air updates to patch devices.
• A secure update mechanism is one that receives a cryptographically
signed update from the vendor and checks the signature of the update to
ensure that it is valid.
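The signature check described above, with the vendor side and the device side shown together. This Go program is an added example, not part of the original slides; the `Update` layout, the use of Ed25519 and the sample image bytes are assumptions made for illustration. It goes one step beyond the slide by also refusing a validly signed update that is not newer than the installed firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Update struct { // hypothetical OTA package layout, used only in this example
	Version uint32
	Image   []byte
	Sig     []byte // vendor's Ed25519 signature over signedBytes()
}

var ErrBadSignature = errors.New("update rejected: invalid signature")
var ErrRollback = errors.New("update rejected: not newer than installed firmware")

// signedBytes binds the version number to the SHA-256 digest of the image.
func signedBytes(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	v := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(v, digest[:]...)
}

// Sign runs on the vendor's build server, the only holder of the private key.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedBytes(version, image))}
}

// Verify runs on the device, which stores only the vendor's public key.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// demoOTA returns the verdicts for a genuine, a tampered and an outdated update.
func demoOTA() (genuine, tampered, outdated error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway vendor key
	u := Sign(priv, 7, []byte("firmware v7 image bytes (constructed)"))
	bad := Update{Version: u.Version, Image: append([]byte("modified "), u.Image...), Sig: u.Sig}
	return Verify(pub, 6, u), Verify(pub, 6, bad), Verify(pub, 7, u)
}

func main() { fmt.Println(demoOTA()) }
```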
• Over-the-air firmware updates refers to the practice of remotely updating the
code on an embedded device. The embedded hardware must be built with
OTA functionality for this mechanism to work.
• OTA firmware benefits:
  - Bugs and product behavior can be continuously improved even after the
    device is in the hands of your consumers.
  - Companies can test new features by sending updates to one or multiple
    devices.
  - Companies can save costs by managing the firmware across their fleet of
    devices from a seamless, unified interface.
  - Developers can deploy frequently and reliably, knowing that products will stay
    functional as updates are released.
  - OTA firmware augments scalability by adding new features and infrastructure to
    products after they are released.
Manage and update the open-source software.
• Open-source software suffers from vulnerabilities at the same rate as
custom-written code.
• Open-source software also suffers from vulnerabilities.
• The challenge with open-source software is that many developers use it in
projects and then experience amnesia when it comes to updating it.
• With a larger set of devices, we need to access and update the software
that runs on the devices.
Types of Attacks in IoT
Botnet.
• A botnet is a network of internet-connected devices, each of which is
running one or more bots.
• Cybercriminals control botnets using command-and-control servers to steal
data, send spam, carry out phishing and give the attacker access to a particular
system.
• E.g., the Mirai botnet.
• IoT devices are connected to the internet and also to laptops,
computers and wearable devices, so these devices can be used to easily
gain access to the main devices.
Social Engineering.
• Social engineering is the term used for a broad range of malicious activities
accomplished through human-computer interaction.
• Social engineering attack techniques:
  - Baiting: like a real-world Trojan horse, it uses physical media and relies on the
    curiosity or greed of the victim.
  - Scareware: victims are bombarded with false alarms and fictitious threats,
    e.g., they are told that their systems are infected with malware and are urged
    to install software that has no real benefit.
Advanced persistent threats.
• An intruder gains access to the network and stays undetected for a long
period of time. Attackers aim to monitor network activity and steal crucial
data using advanced persistent threats.
• IoT systems hold large amounts of critical data, which is transferred between
several devices.
• An advanced persistent threat (APT) is a covert cyber attack on a
computer network where the attacker gains and maintains unauthorized
access to the targeted network and remains undetected for a significant
period. During the time between infection and remediation the hacker will
often monitor, intercept, and relay information and sensitive data. The
intention of an APT is to exfiltrate or steal data rather than cause a network
outage, denial of service or infect systems with malware.
Ransomware
• The attacker uses malware to encrypt data that may be required for business
operations.
• Ransomware can be one of the most sophisticated IoT security threats.
• Ransomware uses asymmetric encryption. This is cryptography that uses a pair
of keys to encrypt and decrypt a file. The public-private pair of keys is uniquely
generated by the attacker for the victim, with the private key to decrypt the
files stored on the attacker’s server. The attacker makes the private key
available to the victim only after the ransom is paid, though as seen in recent
ransomware campaigns, that is not always the case. Without access to the
private key, it is nearly impossible to decrypt the files that are being held for
ransom.
• Many variations of ransomware exist. Often ransomware (and other malware) is
distributed using email spam campaigns or through targeted attacks. Malware
needs an attack vector to establish its presence on an endpoint. After presence
is established, malware stays on the system until its task is accomplished.
Denial of service.
• A denial-of-service attack deliberately tries to cause a capacity overload in
the target system by sending multiple requests.
• Unlike phishing and brute-force attacks, attackers who carry out
denial of service do not aim to steal critical data.
Man in the Middle Attack.
• The attacker breaches the communication channel between two individual
systems in an attempt to intercept messages between them. Attackers gain
control over the communication and send illegitimate messages to the
participating things.
• Such attacks can be used to hack IoT devices such as smart refrigerators and
autonomous vehicles.
IoT security best practices
• Private users.
  - Staying up to date with all patching and OS updates required by the
    connected device.
  - Using strong password practices for all connected devices.
  - Enabling multi-factor authentication whenever possible.
  - Routinely taking inventory of your connected devices and disabling any
    items that are not used regularly.
IoT security best practices
• Developing and implementing an IoT device policy that outlines how employees can
register and use a personal device, as well as how the organization will monitor, inspect
and manage those devices to maintain the organization’s digital security.
• Compiling and maintaining a master list of all IoT devices — both those owned by the
organization and those owned by employees — to better understand the attack surface
and the security measures needed to maintain a safe environment.
• Consider implementing a cloud access security broker (CASB) to serve as a security check
point between cloud network users and cloud-based applications to manage and
enforce all data security policies and practices including authentication, authorization,
alerts and encryption.
• Monitoring all network devices and taking immediate action if and when any devices
show signs of compromise.
• Encrypting all data being transmitted to and from connected devices from its original
format to an alternative.
References
• Data Encryption Standard – Tutorialspoint
Thank You.
Q & A.