IoT Security: IoT Needn’t Be the Internet of Threats

User Review
0 (0 votes)

Comprehensive IoT security requires an integrated group of device management services, including secure device commissioning, certificate management, a mechanism for providing firmware updates over the air, and strong authentication and authorization capabilities. Guess what? If 98% of the data isn’t encrypted, most people don’t have access to these services either.

The bad news

Where to start? IoT fundamentally changes the cost of collecting and acting upon data in an increasingly data-centric world. However, most everybody is focused on the opportunity, conveniently ignoring security. Security is secondary, a cost-center with a difficult-to-measure ROI, but IoT presents real, growing, systemic, and terrifying dangers.

The 2016 Mirai botnet attack targeting CCTV cameras almost brought down the internet, and was the work of teens. The code behind the attack is freely available on the internet.

Things are not improving. Avast recently described IoT threats using terms like “surging” and “dropping kids in a candy store,” saying it will get worse.

Vulnerabilities exist from the devices to the networks to the cloud. The devices contain flawed code and libraries like the Ripple 20 IP vulnerability.

Current encryption approaches are limited. A device’s data is only encrypted until the next stop in the network, so if a network is compromised, so is the data potentially.

In 2020 the UKUS, and Europe all implemented IoT security legislation. Although well-intended, not wanting to over-regulate, they focused on the basics and guidelines.

Even legislative hard requirements like firmware updates over-the-air can be problematic. Firmware updates can patch devices correcting flaws like the previously mentioned Ripple 20. Still, the firmware mechanism must be secure. Too often, this is not the case.

Read more at CPO