clutch clutch-o check-circle-o ruby-plain react-original rails-plain php-plain nodejs-plain jquery-plain java-plain javascript-plain html5-plain css3-plain angularjs-plain android-plain greenvaro finmatex code-n-forcer baby-compy projects-value-delivered project-challenge hardware_design-icon_development hardware_design-icon_software hardware_design-icon_prototype hardware_design-icon_evaluation hardware_design-icon_concept ux_ui-icon_process_assets ux_ui-icon_process_mockups ux_ui-icon_mockups ux_ui-icon_process_prototype ux_ui-icon_process_architecture ux_ui-icon_process_icons ux_ui-icon_process_layout ux_ui-icon_prototype ux_ui-icon_process_requirements ux_ui-icon_guidelines ux_ui-icon_wireframes ux_ui-icon_analysis support-and-warranty global-delivery research-work experience-in-it hq-location big-data-color mobile-application-color iot-industry-color cloud-solutions-color technologies-methodologies-color computer-vision-color software-engineering-color product-development-color application-development-color ux-ui-design-color qa-automation-testing-color hardware-design-color data-mining-color marketing-seo-color checked iof-industry cloud-solutions big-data computer-vision mobile-application ux-ui-design services-menu-data_mining services-menu-marketing services-menu-hardware_design services-menu-qa application-development date-icon company-menu-education company-menu-products company-menu-terms_and_privacy company-menu-career company-menu-blog company-menu-contact-us industries-menu-financial-technologies industries-menu-energy-utilities industries-menu-healthcare-medicine industries-menu-internet-of-things industries-menu-social-media-ecommerce industries-menu-elearning-communications attach qoute-icon link-icon th cog book map-marker twitter facebook wrench cloud linkedin gavel sitemap angle-double-left angle-double-right angle-double-up angle-double-down angle-left angle-right angle-up angle-down desktop mobile play-circle file-text youtube google joomla cube cubes database file-pdf-o codepen share-alt paint-brush clutch heart-o xing xing-hover skype check-circle slick-arrow Solutions arrow-down circle-with-cross what_is_that-icon what_will_you_get-icon what_is_it_for-icon why_IT_GURU-icon_1 why_IT_GURU-icon_2 why_IT_GURU-icon_3 why_IT_GURU-icon_4 why_IT_GURU-icon_5 user-plus x-circle keyboard_arrow_up "
We use cookies to give you the best experience possible. By continuing we’ll assume you are on board with our cookie policy
Got it

Safety of IoT: progress, hype, headache

19.1.2018
The Internet of Things is the same fashionable term as Cloud Technology. Similarly, it doesn’t make much sense from a technical point of view: it is a brand under which one million of different technologies are hidden. And there are even more options to use. The reason for writing this text was to encourage the discussion about IoT sphere. For example, can home routers be considered an example of "Internet of things", or does the IoT spread production and other industrial high-tech? IoTsecurity In order to avoid such problems in the future, let’s try to formulate a clearer definition of IoT, proceeding not from the tasks of production or promotion of the corresponding devices and systems, but rather from the need of their protection. In addition, we will provide a couple of links to an interesting research of Kaspersky Lab specialists, will try to give an assessment of the situation with the security of the IoT at the moment, and even will try to look into the future.

The source of information about miraculous devices in this article is the Internet of Shit on twitter - its author has been engaged in brave work for exposing the attempts of different manufacturers to direct the development of IoT in the direction of total failure. However, it is better to perceive this channel as a modern techno-satire: while we are rusting over a 100500th teapot with a Facebook inside, the real IoT comes to us invisibly, and without demand. This is the real problem.

Something went wrong in a Smart House

Perhaps the main news in the context of the "Internet of things" this year was turning off the hub for a smart Revolv home. Developed by the similarly named start-up, the device went on sale in 2013. It is a smart home hub, that lets you control various appliances and home automation systems with a central app. Already in 2014, sales were terminated after the vendor bought Nest, which is part of the conglomerate of google companies Alphabet. Sold devices were supported by the vendor, but on May 15th this year by decision of Nest literally turned into a pumpkin. Revolv smart house The owners of Revolv Smart Home Solution were furious, and this is still mildly said. The media attention was attracted both by flowery curses towards the fashionable vendor of smart solutions and by the common problems of any smart devices. It's not even that the device owners lost support from the vendor and all the updates. Devices just stopped working. At all. Absolutely, as they switched off the obligatory connection with the infrastructure. In return, the vendor offered to refund all the money spent on the device ($ 300) but compared to the real price of the entire smart house system, where the main control device suddenly ceased to work, it's a penny.

Attempts to determine the terms

This whole story has a direct bearing on security: the low security of the "Internet of things" devices is caused, firstly, by their permanent inclusion in the network, and secondly by the complexities of vendors with software updates and infrastructure support for a growing fleet of devices. Examples of the latter mass, such as discussion of how the update Google API breaks the work of a smart refrigerator. So let’s try to formulate what is the Internet of things, in the context of security.

This is a collection of digital devices that:

- Communicate over the local wireless network and/or via the Internet.

- They work autonomously, often around the clock, without regular interaction with the person (or even without it at all).

It seems that further refinements are redundant and unnecessary. A photo frame, for some reason permanently connected to the network via WiFi, is the Internet of Things. A clever thermostat and a kettle are just the same. TV with Skype - yes. Pair of scales with Twitter? Add them as friends. Wireless water meters. Controllers of solar batteries.

IoT Security

Evaluation of the safety of IoT (like any other class of devices or technologies) is divided into two parts: theoretical (research of theoretical vulnerability) and practical (analysis of real attacks). An example of the theory is given above.

With practice, everything is more interesting. Tesla and kettles haven’t been broken yet because of their small number: until a critical mass of devices is opened, which opens up an imminent interest on the part of cybercriminals. Tracking and analyzing point attacks, even if they occur, is extremely difficult for ordinary computers. Nevertheless, there are examples, but they relate to devices that don’t want to be classified as IoT - these are routers, IP web cameras, and smart set-top boxes. So once again, in the proposed model of the device counting to IoT from the security point of view, these devices, which have been available for many years, legally occupy a place of honor.
IoT Security So, these familiar and understandable devices clearly demonstrate the security situation in IoT in general. Default passwords, accessible from outside management interfaces with typical Web vulnerabilities, not to mention some examples of holes that allow executing arbitrary code. The result is understandable: tens or even hundreds of thousands of devices permanently connected to the network and not controlled by the owners are united into a botnet used for DDoS attacks and other criminal activities, not to mention the theft of private information. At the end of last week, there was one of the largest DDoS attacks (the goal was the blog of expert Brian Krebs) - 665 gigabits per second. If the preliminary assessment of Akamai (which was never able to repel the attack) is confirmed, it will also be the largest botnet attack from IoT devices.

The Inevitable Future

The attack on ½ bits is already serious, but in the context of "Internet of things" development, it is nothing. The development of IoT assumes that network devices that work autonomously will be estimated not by hundreds of thousands, but by tens of billions. If by this time new methods of their protection are not introduced (obviously better than in the examples of the present time) and methods of closing vulnerabilities (accordingly, the issue of updating the software will be resolved), we will have problems. And, unlike the present time, when we can buy an Internet refrigerator, andwe can not buy, there will be no choice.

Here definitely should be a summing up

The vulnerability and, worse still, the inability to update billions of devices will lead to a multitude of problems that can affect both unsuspecting users and affect the performance of critical infrastructure. The argument is that in industrial systems, another IoT doesn’t seem reliable: firstly, the increase in production will lead to consumerization, and secondly, the criteria for autonomous operation and network connection remain in this case.
IoT protection
What kind of approaches can be used for protection? An example of a Revolv device hints at the fact that sooner or later the market will come to two or three major platforms on which all IoT-systems will be built, and chaos will become less. Most likely it will be, as it has already happened with the number of platforms for smartphones at the end of the 2000s or PC operating systems in the 90s of last century. And if not? The concept of security is unlikely to be built on the basis of market laws.

Perhaps the solution of this problem will be at the junction of the most modern technologies. The right IoT can not be programmed as traditional computers right now. Perhaps we should look for different approaches, without trying to drag into the 21st century the technogenic heritage of the 20th century. In general, that will still be a problem.