Inherent Security Issues and Regulatory Concerns with the Internet of Things (IoT)

Written by kevnag, 3 years ago

INTRODUCTION

Many here might be unaware of what the Internet of Things actually is. The Internet of Things is "a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction." [Gillis, A. "internet of things (IoT)." https://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT. (Accessed June 12, 2021)]. A somewhat simpler definition of IoT is that it "describes the network of physical objects—a.k.a. 'things'—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet." [Hendricks, D. "The Trouble with the Internet of Things." London Datastore. Greater London Authority. https://data.london.gov.uk/blog/the-trouble-with-the-internet-of-things/. (Accessed June 12, 2021)].

It is important to understand the basics of how IoT works. Smart devices that are web-enabled and use embedded systems collect, send and act on data acquired from the devices' surrounding environment. IoT devices then share the data they obtain by connecting to an IoT gateway, where the data is either analyzed locally or sent to the cloud for analysis. The devices mostly work independently, without human attention or supervision, but humans can interact with the system to give instructions to the devices or to access the data collected.

INHERENT SECURITY ISSUES WITHIN THE IoT ECOSYSTEM

Security is one of the major concerns regarding the IoT. The concern is that IoT technology is being developed rapidly without consideration of the magnitude of the security issues involved or of any regulatory changes that may prove necessary [see, e.g. Singh, J.; Pasquier, T.; Bacon, J.; Ko, H.; Eyers, D. "Twenty Cloud Security Considerations for Supporting the Internet of Things." IEEE Internet of Things Journal. 3 (3): 1. https://www.repository.cam.ac.uk/handle/1810/250441. (Accessed June 13, 2021); see also Clearfield, C. "Why The FTC Can't Regulate The Internet of Things". Forbes. https://www.forbes.com/sites/chrisclearfield/2013/09/18/why-the-ftc-cant-regulate-the-internet-of-things/?sh=10ea0a892242. (Accessed June 13, 2021)].

IoT technical security concerns are similar to those surrounding conventional servers. These include: weak authentication, default credentials that are never changed, unencrypted messages sent between devices, SQL injection (malicious SQL statements inserted into an entry field for execution), man-in-the-middle attacks (where the attacker secretly relays and possibly alters the communications between two parties), and poor handling of security updates [See, e.g. Harbi, Y.; Aliouat, Z.; Harous, S.; Bentaleb, A.; Refoufi, A. "A Review of Security in Internet of Things". Wireless Personal Communications. 108 (1): 325–344. https://link.springer.com/article/10.1007/s11277-019-06405-y. (Accessed June 13, 2014)]. Many IoT devices have severe limits on the computational power available to them, which render them unable to use even the most basic security systems (e.g. firewalls, encryption, etc.) [See, e.g. Liu, X.; Yang, Y.; Choo, K.; Wang, H. "Security and Privacy Challenges for Internet-of-Things and Fog Computing". Wireless Communications and Mobile Computing. 2018: 1–3. https://www.hindawi.com/journals/wcmc/2018/9373961/. (Accessed June 13, 2021)]. In addition, the consumer focus and comparatively low price of IoT devices make it uncommon for manufacturers to include powerful security patching systems in them [see, e.g. Morrissey, J. "In the Rush to Join the Smart Home Crowd, Buyers Should Beware". The New York Times. https://www.nytimes.com/2019/01/22/business/smart-home-buyers-security-risks.html. (Accessed June 13, 2021)].

Conventional security vulnerabilities are not prevalent in IoT devices; rather, fault injection attacks are on the rise. These are physical attacks that introduce faults into the system in order to modify the system's behavior. Faults of this nature are not always caused by outside actors; they may also be caused by environmental noise or EM fields. "There are ideas stemmed from control-flow integrity (CFI) to prevent fault injection attacks and system recovery to a healthy state before the fault" [Ahmadi, M.; Kiaei, P.; Emamdoost, N. "SN4KE: Practical Mutation Testing at Binary Level." https://www.ndss-symposium.org/wp-content/uploads/bar2021_23017_paper.pdf. (Accessed June 13, 2021)].

IoT devices have access to many new sources of data and may be used to control a wide range of other physical devices. As early as 2014, it could be said that many internet-controlled devices could be made to spy on people within their own homes. If a hacker can access the on-board network, computer-controlled components in vehicles (engine, brakes, locks, etc.) are vulnerable to attack. Because these vehicle components may be accessed by way of the internet, they are vulnerable to remote exploitation. By 2018, security researchers had demonstrated the ability to control people's pacemakers without authorization. Later, this remote access vulnerability was extended to insulin pumps and implantable cardioverter defibrillators [See, e.g. Loukas, G. "Cyber-Physical Attacks A growing invisible threat." Oxford, UK. https://dl.acm.org/doi/book/10.5555/2818550. (Accessed June 14, 2021)].

Internet-accessible IoT devices that are poorly secured may be subverted to attack others. To demonstrate the severity of this, in 2016 a DDoS attack utilizing IoT devices infected with the Mirai malware took down a DNS provider and several major internet web sites [See, Woolf, N. "DDoS attack that disrupted internet was largest of its kind in history, experts say". The Guardian. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet. (Accessed June 14, 2021)]. Within the first 20 hours of the infection, the Mirai botnet had affected almost 65,000 IoT devices, and by the time it was done the attack had reached an estimated 200,000 to 300,000 devices [See, Antonakakis, M.; April, T.; Bailey, M.; Bernhard, M.; Bursztein, E.; Cochran, J.; Durumeric, Z.; Halderman, J.; Invernizzi, L. "Understanding the Mirai Botnet". Usenix. https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf. (Accessed June 14, 2021)]. In 2017, Cloudflare computer scientist Junade Ali noted "that native DDoS vulnerabilities exist in IoT devices due to a poor implementation of the Publish–subscribe pattern." [Ali, J. "IoT Security Anti-Patterns". Cloudflare Blog. https://blog.cloudflare.com/iot-security-anti-patterns/. (Accessed June 14, 2021)].

REGULATORY CONCERNS

In an unclassified report available to the public, the United States National Intelligence Council stated it would be hard to deny

access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals, and mischief makers... An open market for aggregated sensor data could serve the interests of commerce and security no less than it helps criminals and spies identify vulnerable targets. Thus, massively parallel sensor fusion may undermine social cohesion, if it proves to be fundamentally incompatible with Fourth-Amendment guarantees against unreasonable search.

["Disruptive Technologies Global Trends 2025". National Intelligence Council. https://fas.org/irp/nic/disruptive.pdf. (Accessed June 14, 2021)]. It is clear that the IoT is a valuable source of information and data for the various intelligence communities.

The Washington Post, on January 31, 2019, published an article exposing the ethical and security concerns regarding IoT doorbells and cameras noting:

"Last month, Ring got caught allowing its team in Ukraine to view and annotate certain user videos; the company says it only looks at publicly shared videos and those from Ring owners who provide consent. Just last week, a California family’s Nest camera let a hacker take over and broadcast fake audio warnings about a missile attack, not to mention peer in on them, when they used a weak password"

[Fowler, G. "The doorbells have eyes: The privacy battle brewing over home security cameras". Washington Post. https://www.washingtonpost.com/technology/2019/01/31/doorbells-have-eyes-privacy-battle-brewing-over-home-security-cameras/. (Accessed June 14, 2021)]

In 2015, the Internet-of-Things Security Foundation was established with the mission of securing the IoT through the promotion of best practices and knowledge. The large IT companies continue to develop new solutions to further the security of IoT devices. 'Project Things', created by Mozilla in 2019, allowed IoT devices to route through a 'safe Web of Things' gateway [See Francis, B. "Building the Web of Things – Mozilla Hacks – the Web developer blog". Mozilla Hacks – the Web developer blog. https://hacks.mozilla.org/2017/06/building-the-web-of-things/. (Accessed June 14, 2021)]. KBV Research estimates growth within the IoT security market at a rate of 27.9% for the period 2016-2022 [See, e.g. Ward, M. "Smart devices to get security tune-up". BBC News. https://www.bbc.com/news/technology-34324247. (Accessed June 14, 2021)].

Some in the technology field argue that governmental regulation is necessary to ensure the security of IoT devices. They maintain that there are insufficient general market incentives to provide the security necessary for safe operation of the devices [See, Feamster, Nick. "Mitigating the Increasing Risks of an Insecure Internet of Things". Freedom to Tinker. https://freedom-to-tinker.com/2017/02/18/mitigating-the-increasing-risks-of-an-insecure-internet-of-things/. (Accessed June 14, 2021)]. "It was found that due to the nature of most of the IoT development boards, they generate predictable and weak keys which make it easy to be utilized by Man-in-the-middle attack. However, various hardening approaches were proposed by many researchers to resolve the issue of SSH weak implementation and weak keys." [Alfandi, O.; Hasan, M.; Balbahaith, Z. "Assessment and Hardening of IoT Development Boards", Lecture Notes in Computer Science, Springer International Publishing. Abstracted at https://link.springer.com/chapter/10.1007%2F978-3-030-30523-9_3. (Accessed June 14, 2021)].
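One way a fleet owner can check for the weak SSH keys described in the quotation above; this is an added example, not code from the article or from the cited paper. It assumes that an identical host key on more than one device is a symptom of predictable key generation, that the input is "host keytype base64" lines of the kind ssh-keyscan prints, and that 2048 bits is the minimum RSA size; the sample inventory is constructed and contains no real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

MIN_RSA_BITS = 2048  # assumed policy threshold, not a figure from the article

def read_fields(blob):
    """Split an SSH key blob into its length-prefixed fields, rejecting truncation."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack_from(">I", blob, offset)  # struct.error if short
        field = blob[offset + 4:offset + 4 + length]
        if len(field) != length:
            raise ValueError("truncated field in key blob")
        fields.append(field)
        offset += 4 + length
    return fields

def audit_host_keys(scan_lines):
    """Return (shared, weak): fingerprints on >1 host, hosts with short RSA keys."""
    by_fp, weak = defaultdict(list), {}
    for line in scan_lines:
        host, _key_type, b64 = line.split()
        blob = base64.b64decode(b64)
        digest = hashlib.sha256(blob).digest()  # OpenSSH-style SHA256 fingerprint
        by_fp["SHA256:" + base64.b64encode(digest).decode().rstrip("=")].append(host)
        fields = read_fields(blob)
        if fields[0] == b"ssh-rsa":  # fields: type, exponent e, modulus n
            bits = int.from_bytes(fields[2], "big").bit_length()
            if bits < MIN_RSA_BITS:
                weak[host] = bits
    shared = {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}
    return shared, weak

def constructed_line(host, bits, seed):
    """Constructed sample: an RSA-shaped blob (bits % 8 == 0), not a real key."""
    n = (1 << (bits - 1)) | int.from_bytes(hashlib.sha256(seed).digest(), "big") | 1
    parts = (b"ssh-rsa", b"\x01\x00\x01", n.to_bytes(bits // 8 + 1, "big"))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE_SCAN = [  # constructed inventory; two boards carry the same key
    constructed_line("192.0.2.10", 2048, b"board-a"),
    constructed_line("192.0.2.11", 1024, b"factory-image"),
    constructed_line("192.0.2.12", 1024, b"factory-image"),
]
```

Calling audit_host_keys(SAMPLE_SCAN) groups hosts by key fingerprint, so any fingerprint that maps to more than one device marks boards whose host keys should be regenerated on first boot.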

CONCLUSION

The science of technology is advancing at break-neck speed. Innovations in the field of IoT and its associated devices are likewise becoming more technologically advanced on what seems to be a daily basis. As this technological field grows and matures, the old rules simply do not apply, and a new paradigm must be developed to ensure that the devices used in our businesses and homes are safe and fit to be used for their intended purposes.
