The Perils Of Trivialising The IoT Security

By Sumanth Naropanth


This article is based on a talk by Sumanth Naropanth at India Electronics Week 2019 organised by EFY Group, where he talked about whose responsibility it is to secure data.

Broadly, the Internet of Things (IoT) refers to a network of Internet-connected devices that are capable of gathering and sharing electronic information. It could be consumer goods, industrial equipment, traffic lights, construction equipment, healthcare devices and so on.

Data is the lifeblood of IoT devices and, hence, it is important to manage and protect it. But how do you ensure the integrity of that data, manage it, and keep track of which things are interconnected? These are some of the complexities and problems one may face from both the security and the functional points of view.

There are a number of IoT protocols, including ZigBee, Z-Wave, radio frequency (RF) and 4G, which means there are multiple options to choose from. So the question arises: are multiple standards simply too many? Or are too many standards an indication that none of them is good enough for security purposes?

The IoT ecosystem: an engineer’s viewpoint

If you look at the IoT ecosystem from an engineer’s perspective, there are four parts to it, namely, devices, mobile (which may or may not exist in some form factors), cloud and all networking aspects of it, including protocols.

Form-factor devices (gateways, nodes, edge devices, etc) are small devices of varying sizes. Depending on functionality, these might collect just sensor data and sensor values. Among these, gateways have a richer stack, in the sense that they send all the collected information back to the cloud. However, architectures may vary depending on use-cases and hardware.

In some cases, you will see cellphones acting as a conduit or channel.
For instance, in the case of a fitness tracker, you install an app on Android or iOS, create an account and then start pairing the device and pushing all data to the backend. On the cloud side, typically, you have Amazon Web Services (AWS), Google Cloud Platform (GCP) or some type of private cloud. It is simply a backend Web service hosted on a server.

The cloud, the third component, has a much richer stack. This is where all data is processed, managed and presented in a way that is useful to customers and businesses.

Why care about the IoT security: what should be secured

One of the problems with the IoT, particularly in India, is that it is largely done by small- and medium-sized businesses. Many companies feel that, since they are paying the supplier for hardware/software, security is not their own responsibility, and they blame the supplier for any security bug.

Also, many vendors talk about not needing security as they do not store confidential information. But security is not just about confidentiality. Security is also about integrity and availability.

Security is often an afterthought in the design process of IoT devices. Many companies think of shipping the product first and only worry about its security when it gets hacked.
Unfortunately, nothing is a hundred per cent secure in this industry, and attacks on the IoT are happening actively. IoT devices in the automotive and healthcare sectors have been attacked in the past by hackers. Consequences of such attacks could be data loss, danger to physical safety and damage to online reputation. For example, cryptocurrency firm Bitcoin was shut down after a massive data attack.

So, if you are a vendor or product manufacturer, do not just think about security of the end-users of your product(s) but also security of your own firm.

As mentioned above, an IoT product architecture includes gateways, nodes, mobile, cloud and protocols. You must secure all of these. There are security best-practices that offer security by design for each of these components.

Is the IoT security being trivialised

Security is often seen as something having zero return on investment (ROI). This is partly true because a lot of time, energy and money are invested in getting product security validated, but this does not help in getting more sales. Adding security sometimes impedes prototyping and delivery.

Also, many vendors think that consumers will buy even without addition of a security feature. Poor awareness and lack of options contribute to this behaviour.

Moreover, liability laws are not iron-clad. This means that if a vendor implements no security at all and someone gets hacked, the buyer cannot sue the vendor or get compensated.

Are you still wondering about why you should care about security? Some of these cases should convince you.

Our company Deep Armor recently worked on an Industrial IoT (IIoT) solution that used a ZigBee-like 802.15.4-based communication protocol. The use-case for this was logistics and asset management. To demonstrate how a valid node can be spoofed in a wireless IoT sensor network, and rogue temperature values sent, we used off-the-shelf hardware that can easily be bought from online stores to masquerade as a node, a gateway and an attacker. If a unit is transporting medical vaccines (and has a lot of nodes), the entire package can be destroyed without the gateway suspecting anything. If you are transporting vaccines and the temperature drops, the vaccines could turn toxic and have completely undesirable effects. The cost of the attack was almost ₹10,000, which is nothing in terms of a high-value attack.

Second, we worked on consumer IoT in the wearable space using the Bluetooth/Bluetooth Low Energy (BLE) protocol. We wrote a malware application that hooked into the Bluetooth service and then started extracting data. All such an application requires is the Bluetooth and Bluetooth administrative permissions. Once that malware is installed, it can keep sniffing everything in the background. It can also send values and commands to the wearable device. That means your wearable can be made unreliable in a second. The cost of the attack was zero rupees. It just needed some know-how on how to write Android applications.
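Both demonstrations above succeed because the gateway or phone trusts whatever arrives over the radio link. As an added illustration that is not part of the original talk or Deep Armor's work, the following gateway authenticates every sensor frame at the application layer with a per-node HMAC key and a monotonic counter, so a masquerading node without the key, or a replayed genuine frame, is rejected before its temperature value is ever used; the node keys, frame layout and readings are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed per-node secrets, assumed to be provisioned at manufacture (not real keys).
NODE_KEYS = {0x0001: b"node-0001-secret", 0x0002: b"node-0002-secret"}
FRAME_FMT = ">HIh"   # node id (2 bytes) | counter (4 bytes) | temperature x100 (int16)
TAG_LEN = 8          # truncated HMAC-SHA256 tag appended to the body

def build_frame(node_id, counter, temp_c, key):
    """Node side: authenticated payload carried inside the 802.15.4 data field."""
    body = struct.pack(FRAME_FMT, node_id, counter, int(round(temp_c * 100)))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Gateway:
    """Gateway side: accept a reading only if its tag and counter check out."""
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}   # highest counter seen per node, for replay detection
        self.readings = []       # (node_id, temp_c) of accepted frames only

    def ingest(self, frame):
        body_len = struct.calcsize(FRAME_FMT)
        if len(frame) != body_len + TAG_LEN:
            return "malformed"
        body, tag = frame[:body_len], frame[body_len:]
        node_id, counter, temp_raw = struct.unpack(FRAME_FMT, body)
        key = self.keys.get(node_id)
        if key is None:
            return "unknown node"                     # id not in the provisioned set
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad tag"                          # forged or tampered frame
        if counter <= self.last_counter.get(node_id, -1):
            return "replay"                           # old genuine frame played back
        self.last_counter[node_id] = counter
        self.readings.append((node_id, temp_raw / 100))
        return "ok"

def run_demo():
    """Constructed traffic: a genuine frame, a forged one, a replay and an unknown node."""
    gw = Gateway(NODE_KEYS)
    genuine = build_frame(0x0001, 1, 4.5, NODE_KEYS[0x0001])
    # A masquerading node knows the frame layout but not the key, so it cannot compute the tag;
    # it claims 25 degrees C while the real node reports 4.5 degrees C.
    forged = struct.pack(FRAME_FMT, 0x0001, 2, 2500) + b"\x00" * TAG_LEN
    unknown = build_frame(0x0009, 1, 4.5, b"not-a-provisioned-key")
    return [gw.ingest(f) for f in (genuine, forged, genuine, unknown)], gw.readings
```

The same principle applies to the wearable case: if the app and the device authenticate their own messages, a third app holding only the Bluetooth permissions cannot inject commands that the device will accept.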

Challenges in securing IoT devices

The IoT is a bag of parts. There is no one manufacturer or vendor who makes everything. You do not build your own cloud service, write your own SSL libraries or implement your own crypto-algorithms. Instead, you buy hardware from China and software from Europe, and then put all these things together.

Another challenge is that existing security development life cycle (SDLC) frameworks cannot be applied easily. Rampant reuse of open source software, nascent security research and hardware/software size restrictions are other challenges in terms of securing IoT devices.

Regulations: the future

In terms of regulations in the future, the first step has been taken in California in the US, where a Senate bill has been passed, which states that all connected devices should have reasonable security features. This statement is a bit vague. Reasonable security can mean anything; it can mean using just Transport Layer Security (TLS), which is not enough. But the positive part is that it also says connected devices, which is a very broad statement and can include any type of IoT device.

Unfortunately, this will not change the world, because it limits the required security features to little more than not shipping a bad default admin password. Also, it applies in only one country. It needs to be rolled out for the rest of the world, too.

In the meantime, IoT businesses can implement defensive security best-practices and put security into their products. The sooner bugs are found and fixed, the sooner the products can be made cheaper.

Sumanth Naropanth is founder and chief executive officer, Deep Armor