Keeping the peace in the Internet of Things – Part 1
When the Wright brothers made their famous pioneering flight in December 1903, did they have safety officer in attendance insisting on parachutes and shock absorbing landing gear? No, all the focus would have been on getting off the ground – and that was their triumph. Four years later safety became a concern, and it was not long after that safety and security became top priorities for the aviation industry.
That’s how it goes with technological innovation. The first burning issue will be “will it work?”, then comes the excitement about the opportunities technology innovations presents, and finally concern about misuse or exploitation. Internet of Things (IoT) devices are becoming more prevalent in our day to day lives, and with becoming mainstream focus is increasing on reducing security risks, says Sameer Dixit, senior director, Security Consulting Spirent.
Specific IoT challenges
For a start there is a straightforward risk of connecting any simple, low cost device into the Internet: whereas a PC is a relatively sophisticated endpoint with plenty of resources to host its own internal firewall and anti-malware systems, you cannot build expensive protection into a five dollar monitor.
There is a lot of interest in a new generation of tiny low cost computers like Rasberry Pi to bridge that gap, but much of the security burden falls on the network itself that must be secured if we are going to get the full benefits of an IoT connecting millions of tiny sensors.
Next there is the challenge of complexity, when many different protocols share the same complex network. Choosing which type of wireless connection for an IoT device means balancing a number of factors such as data throughput, range of dispersion, endpoint battery life and latency, as well as the size and cost of the receiver. Each system has its own benefits and drawbacks.
Cellular data is available almost everywhere, but uses a lot of battery power, relatively expensive hardware and on-going network charges. WiFi is nearly everywhere in office buildings, uses relatively inexpensive hardware, but its password security provisioning would be unsuitable for, say, linking smart light bulbs. Bluetooth is even cheaper and offers long battery life, but operates over a very short range and would need a central access point to link back to the IoT network.
Mesh networks are much more complex to set up, but do offer a highly resilient network solution. Inexpensive, low power wide area network (LPWAN) technologies such as Sigfox, LoRaWAN and Ingenu are ideal for low data traffic such as smart meters, but have little value for more sophisticated communications.
Companies developing IoT technologies and devices have core competency in these markets, but do not have the exposure or knowledge of the ever changing threat landscape. This is where a company like Spirent Communications can be leveraged. Spirent has has many years of experience of in-depth protocol knowledge as well as testing complex environments end-to-end.
Testing the performance and security of mobile phones, for example, requires a deep understanding not only of the various mobile telephony technologies, but also of Bluetooth, Wi-Fi, GPS and the additional vulnerabilities of a handset operating simultaneously on all those different networks.
Testing such networks end-to-end brings Spirent into close collaboration with a very diverse customer base, spanning many vertical markets and it is clear from these contacts that there are currently five key areas of IoT innovation, namely: Smart Cities, Heavy Equipment, Automotive, Healthcare and Monitoring.
The author of this blog is Sameer Dixit, senior director, Security Consulting Spirent
About the Author:
Sameer Dixit is a leader in cyber security with over 15 years of experience in penetration testing and security research. At Spirent, Sameer is leading the ethical hacking and security research team called Spirent Security Labs.
Prior to Spirent, Sameer has worked for leading security companies such as Trustwave-SpiderLabs and Cenzic Inc. where he led the penetration testing, vulnerability scanning and managed security testing services team.
Sameer has contributed research for OWASP, been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits, Universities, conducted webinars, and actively blogs on emerging Web & Mobile security trends.
Comment on this article below or via Twitter: @ VanillaPlus OR @jcvplus