By Andreea Andrei, Marketing and Business Administration Executive at The Cloud Computing and SaaS Awards
This article is part of an A to Z series by Cloud and SaaS Awards, continuing with I for Internet of Things (IoT)
Internet of Things (IoT) is the process that allows users to connect everyday physical items to the Internet. From common household objects, such as lightbulbs, to health care resources, such as medical devices; it also encompasses smart personal apparel and accessories; even smart city systems.
In IoT, physical objects, such as automobiles, televisions, air conditioning, etc., that surround us are uniquely identifiable and interconnected. Through the network of communication, objects connect by collecting useful information from each other. The information is transmitted to the different devices that will take action by running a task.
According to Gartner, there were roughly 25 billion networked things in the network world in 2020 as a result of society’s acceptance of integrating these connected gadgets into daily life in past years.
Due to the significant vulnerability of today’s devices, there are threats to their security and privacy: making such devices operate to serve the attackers’ interests, rather than the purpose for which they were intended.
The analysis and assurance of device security is a top-priority endeavor, because these devices directly affect users’ lives and risk violating their privacy.
Analysis and assurance of the existence of infrastructure with appropriately established security protocols that restrict potential risks are required, pertaining to IoT security, availability, and scalability.
The main security objectives in IoT are to guarantee mechanisms of proper identity authentication and provide data confidentiality. A well-known model for developing security mechanisms in IoT is based on three areas:
Confidentiality of Data
It is the ability to provide trust and reassurance to the user about privacy and confidentiality of their data which must be fully protected. For this, mechanisms such as the data encryption, verification of two steps, among others, are used.
Refers to preventing data from being altered unless the threat is recognized in time by protecting it from hackers or outside interference that may be caused during transmission and receipt. Mechanisms that ensure this exercise include the checksum and Cyclic Redundancy Check (CRC).
Ensures that the authorized person will always have immediate access to resources, even in adverse circumstances. Data availability and dependability are ensured by copy methods redundancy security and failover, which duplicate system components in the event of a system failure or other system conflicts.
The overall IoT architecture is composed of four layers: perception layer, network layer, mid level layer, and application layer.
The following describes the different parts that make up the IoT architecture:
Layer of Perception
Uses its sensors to reassemble data. Employees that work with sensors are often thought to be using various technologies, such as RFID (Radiofrequency Identification) sensors, which expose them to hazards of:
1. Tags: The majority of RFID systems lack a robust authentication mechanism, allowing the label access without authorization. Readings, updates, and data removals are all permitted.
2. Tag cloning: is the process of making a duplicate tag that has been corrupted so that the reader cannot tell it apart from the original label.
3. Spoofing: False information is disseminated through RFID to make it appear as though the source is authentic. The system becomes vulnerable in this form.
Transmits data obtained from the layer of perception through Internet, mobile network or any other type reliable communication network. Problems in the network layer are:
1. Sybil attack: A single node is given multiple identities. This results in the system showing incorrect information.
2. Sleep Deprivation Attack: Keep nodes powered on, which drains the battery, leading to nodes shutting down.
3. Code Injection: Injects malicious code on a node. This could result in having control of the network.
Middle Level Layer
It is in charge of guaranteeing the same type of service between the connected physical objects. The security problems occur in the communication channel. Problems, such as:
1. Unauthorized access: Since the attacker might disable access to IoT services or remove important data from the system, this could be deadly to the system.
2. DoS attack: Causes the shutdown of the system, making services not available.
It is in charge of IoT applications from the broadest range of sectors, including smart cities, smart hospitals, and smart transportation, among others. The security of this layer is affected by:
1. Malicious code injection: Injects malicious code into the system to steal different sorts of information.
2. Denial of service attack (DoS): Attempts to break the defensive system and therefore the privacy of user data, while
tricking the victim into believing that the real attack is happening in another place.
3. Spear-Phishing Attack: Impersonates the email in which the victim, a high-ranking individual, is persuaded to open the email in order for the attacker to gain access to the victim’s credentials and then, under the guise of another request, retrieve more confidential information.
IoT Security Models
Software security is the science and the study of software protection (including software data) against the unauthorized access.
There are various principles, approaches and techniques for improving software security threats, such as hacking attacks, buffer overflow, reverse engineering and alteration, among others. Most popular models that allow to counteract and identify threats are:
Network Threat Model
The attacker attempts to gain privileged access that will permit malicious actions, such as launching another attack, consuming resources, or collecting information.
Insider threat model
The hacker has access to the network or hardware that is running the destination program, depending on which. This makes it possible to access private information that can be changed or stolen.
Non-host threat model trustworthy
The hacker is local and possesses all rights. Thus, the hacker can alter the data license of the application, remove protection against copying, remove constraints that would have made the system remain in a stable state, and remove protection against information theft.
Before the Internet of Things is implemented and integrated into society, the classification of this concept aims to highlight the extensive research done on privacy and security measures, risk evolutions, architecture, authentication problems, among others.
Additionally, in this area of in-depth research on the Internet of Things, approaches, tactics, and tools that contribute more to the steady development of safe technologies are being developed.