The Internet of Things and Security

| July 6, 2017

Internet of Things (IoT) refers to the growing number of smart connected products or things, which has given rise to a huge set of opportunities on the one hand while at the same time causing many challenges.

The first technology revolution, in the 1960s and 1970s, was mainly to do with automation of activities, especially in the value chain – from order processing to bill paying, to computer aided design and manufacturing. The second wave produced the Internet in the 1980s and 1990s, with its connectivity and enabling integration of activities and processes between various parties. We are within the third wave with IT becoming an integral part of the product itself, particularly with the Internet of Things and the interconnection and services via the cloud. Embedded technology and software, together with cloud enabling storage and analysis of data, are driving dramatic improvements in product functionality and performance.

Clearly, security is paramount for the safe and reliable operation of IoT connected devices. In fact, security is the foundational enabler of IoT. But what is also clear is that the growth rate of the Internet of Things (IoT) is outpacing security efforts. This has been the usual case with most technologies, where technological developments run ahead of security. Security has often been an after-thought or an add-on, which has led to many problems.

In the case of IoT, it is critically important that security cannot be, and must not be, thought of as an add-on. It should be seen as integral to the device’s reliable functioning. Software security controls need to be introduced at the operating system level, and should take advantage of the hardware security capabilities, to maintain continuously the trusted computing base.

One of the biggest security challenges in the IoT arena is that it introduces an overwhelming amount of new and diverse devices with different operating systems, networks and associated protocols. The devices are often mobile, and connected to the Internet via different providers, during different times. They use a range of wireless protocols such as Bluetooth, 802.11, WiMAX, Zigbee and UMTS.  The sheer scale and huge heterogeneity will have a profound impact on IT and cybersecurity strategies. Some studies have put a figure at as many as 50 billion IP connected devices by 2020.

With new and different technologies, new security vulnerabilities and threats arise. At present many IoT devices do not have any security functionality, and even the ones that have are often primitive and can be easily attacked. With the increasing number of threat vectors and the growing attack surface, it is likely that if they have not already been attacked, they will be in the future.

We have recently seen some well publicised attacks leading to data breaches; however, the direct impact on the user has been mainly the divulging of personal contact information. But in the case of IoT attacks and data breaches, the impact can be serious on the end users, because the sensitive data may be linked with personal devices, such as their door locks, cars, baby monitors, security cameras and heart pacemakers. Such information, in the hands of a cybercriminal, can have a direct and devastating impact on the users and result in a serious breach of privacy. Attacks on smart devices such as in a smart car can lead to loss of control and accidents causing serious injury, and attacks on heart pacemakers can potentially lead to death.

Let me conclude by raising a couple of key security challenges with the Internet of Things.

Firstly there is the substantial increase in the security attack surface giving rise to new threats, due to a large number of devices and endpoints with different operating systems, network protocols and infrastructures. This problem is further aggravated as the devices become smarter. The increased functionality can lead to more attacks. The IoT makes the malware attack surface both deeper and broader. The weakening of one, or more, devices in the infrastructure can lead to malware proliferation and can lead to the compromise of the whole network system.

Furthermore, it is not just the outside attacks that one needs to worry about; more importantly we need to address malicious insiders in the IoT infrastructure. With a large scale IoT infrastructure and a large workforce, the exposure to both inadvertent as well as malicious insiders could be significant.

Lastly there is the immediate and direct consequence of every physical and virtual device in the IoT infrastructure generating huge quantities of data.  Just because data is accessible, it does not mean the data is trustworthy or should be relied on, or even ethical to access and use it. There are a number of research questions that are not easy to answer: how trustworthy is the data? How to reliably identify and secure the data provenance in the IoT? Who should be allowed to see the data and modify it? As the data moves over the IoT infrastructure and gets aggregated, the issue of dynamic security policy management on the data needs to be addressed.  Data coming from multiple smart devices over distributed IoT infrastructures, with different policies, under different administrative jurisdictions adds to the complexity.

Vijay Varadharajan
Vijay Varadharajan is Global Innovation Chair Professor in Cyber Security at the University of Newcastle since March 2017. He is also the Director of Advanced Cyber Security Engineering Research Centre (ACSRC) at Newcastle. Previously he was Microsoft Chair Professor in Innovation in Computing at Macquarie University (2001 till March 2017). Before this he was Dean/Head of School of Computing and IT at University of Western Sydney (1996-2000).

One Comment

  1. Alan Douglas

    July 22, 2017 at 3:44 pm

    The recent attacks have shown that even large corporations and governments are quite lax in keeping their security systems up to date. The fact that two attacks using virtually the same techniques can cause so much damage indicates that relevant management is not even using the free and easily accessible patches put out by the software companies. It usually boils down to human error as HAL stated in 2003 A Space Odyssey.

Leave a Comment