RTC Magazine, September – ANDY WEITZNER, IKANOS COMMUNICATIONS
Along with the complexity of competing IoT standards comes the challenge of security – the security of every one of the billions of connectable devices that are already in use, not to mention the billions more that are on the way.
Quite simply, if those devices provide an entryway to homes or cars, it’s safe to say they are already vulnerable to attack by hackers. A study by Columbia University found security problems in just 2.46 percent of connected business products—but in 41.62 percent of consumer products.
The security problem is multifaceted. Security risks with IoT fall into one of three categories:
Taking control of devices—Taking control of a device can mean logging in as an authorized user, perhaps by figuring out the password, finding a backdoor, or compromising the authentication mechanism.
Stealing information—Stealing information can come in the form of eavesdropping on a system to collect data, such as patient information from a medical device or credit card numbers from a TV used for home shopping. It can also mean commandeering a phone system, printer, or video camera to collect and transmit data.
Disrupting services—Disrupting service usually happens when an attacker floods a system, such as a home-security or vehicle-control system, with messages in order to make it unable to function.
Arguably, device manufacturers who fail to secure their products are experts in product design, but not in security. Or, at best, security is an afterthought. But applying security, like anything else, requires a methodology. Here is a best-practices methodology:
Lock down the IoT hub – The hub can be the central nervous system in an IOT system. It provides direct access to home devices as well as to the cloud. These systems should use a hardened OS and be designed to protect against hacking. A recent study found the need to address these concerns on some popular IoT hubs.
Encrypt all traffic – strong encryption should be used in communications between devices, as well as between Cloud-controlling applications. In addition, stored data should be encrypted.
Authenticate and authorize – Use a firewall to ensure that only authorized traffic is allowed, using a whitelist to limit communication to authorized devices. In addition, it is critical to authenticate users and devices before providing access to any device, application or customer data.
The prpl Foundation recently announced the formal organization of its Security PEG (prpl Engineering Group). The formation of the Security PEG follows months of intensive planning by a subset of prpl members dedicated to defining an open security framework for deploying secured and authenticated virtualized services in the IoT and related emerging markets.
The aforementioned IoT hub can be a weak link in the IoT chain of command. By instead using the home gateway, which relies on a more powerful communication processor, many of these security challenges can be fully addressed.
Some of the challenges that can be met head-on with the home gateway are:
Support for a fully hardened OS, such as Linux, with powerful firewall and authentication support; hardware encryption that operates at broadband line rates, and secure boot, which eliminates backdoors that hackers can exploit
Broadband service providers may already have these new or existing powerful systems in place using their existing broadband home gateways. An insecure IoT hub can be replaced by an IoT software package that is installed on a more powerful and secure gateway that has been upgraded with appropriate IoT wireless radios. In addition to security, this ensures a higher level of performance and reliability as well as a longer lifecycle, driving higher end-customer satisfaction.