Upto: Table of Contents of full book "Internet of Things - a techie's viewpoint"

Security introduction



Security is a million dollar issue for all computer systems. Every week there is news of another major breakin to a commercial or government system. Also it is well known that many governments are actively engaged in cyber-warfare, trying to break into the systems of other governments and other groups.

What does the IoT bring to this picture? Firstly, and obviously, billions more networked devices. And this increases risk. Mark Pescoe states

33 billion connected devices means 33 billion attack surfaces, each with their own exploits, zero day attacks, weaknesses and vulnerabilities.

It's not just the number of new devices that will come onto the market. It's how they are built and how they will be integrated into new systems. Bruse Schneier states in April 2015

This is very much like the computer field in the ‘90s. No one’s paying any attention to security, no one’s doing updates, no one knows anything - it’s all really, really bad and it’s going to come crashing down.

In what ways could it come "crashing down"? Galen Gruman writes

But wait until they can access building boilers and turn them into bombs, disable our door locks, open our garage doors, turn on sprinkler systems in data centers, and set self-driving cars to crash or simply stay put.

The recent demonstration take over of a Jeep Cherokee travelling at 70mph shows that this isn't just fiction. Systems with physical actions are now being linked to logical systems and both systems may have weak or non-existent security (for example, Parrot drones use unsecured WiFi ).

The linkage between the physical and the logical is where the new set of vulnerabilities lies. The most famous example of this (so far) is the Stuxnet worm, believed to be a US_Israeli joint effort which destroyed Iran's nuclear capability.

But in addition, these new vulnerabilities are often unknown or cannot be easily be protected against. For example, I have an Android 2.3 device, made by one manufacturer but distributed under the label of someone else. The seller denies responsibility for upgrades while the actual manufacturer has no doubt moved on. I know it is vulnerable but can't do much about it, except be more careful about purchases in future!

The security triad and beyond

The standard security CIA triad is Confidentiality, Integrity and Availability, often shown similar to

These label the high level goals of a security system and all textbooks discuss them in detail. In addition, Privacy is often added. This will become an increasingly important feature of IoT systems as they are linked into more and more personal and business systems.

Techniques for achieving the Triad (and Privacy) often use Authentication, Authorisation and Non-repudiation. These also carry across into the IoT world.

A new aspect, brought in by the physical nature of the IoT is that of safety. There are many safety standards throughout the world, with a major organisation (now, alas, no longer non-profit) the Underwriters Laboratory (UL). While UL now has a cybersecurity standard, UL 2900, it is available for purchase only, so without spending US$800 no-one will know what it actually claims to certify and whether or not it is adequate for IoT security.

IoT attack surfaces

What can be attacked in the IoT world? Well, probably all components. The IoT spans the hardware and software worlds, and is vulnerable to attacks at any point:

Defence mechanisms

The ARM Security Technology document makes several points:

Defending against all possible attacks is an impossible task; there is always someone willing to spend a significant amount of time and money to break any security scheme using very complex attacks.

The security requirements for a design ... should be described in value terms: “attack A on asset B should take at least Y days and Z dollars”. If a set of countermeasures mean that a successful attack will take too long or will cost too much, then the defense is a success.

Governments are developing cyberwarfare techniques for use against other governments, foreign companies with interesting products and terrorist groups. Their resources available are enough to ensure that they could access nearly any system that they are enough interested in. These groups, or government-sponsored hacker groups will be almost impossible to defend against if they are serious.

There are many professional hacker groups, particularly from countries such as the US and Russia. These also have phenomenal skills in penetrating and taking down systems.

At the lowest level are "script kiddies". These people just use software made available by others, rather than developing their own attacks. Despite the derogatory term, they can do serious damage, and are perhaps more likely to do malicious damage for the fun of it than the serious professionals.

The common opinion is that your system will be broken into one day. The defences are


The IoT adds further dimensions to an already insecure cybersecurity world. It won't be just a matter of getting hold of a list of credit card numbers, but more of getting the ATM to spit out all its money . The proliferation of unsecured sensors leading into weakly secured systems decreases the security of the entire system. The recent LIFX light bulb showed how to get into a system through the "smart" lights.

Hopefully security will be built into systems before "It allc omes crashing down".

[an error occurred while processing this directive]