4IoT Security Whitepaper-1

NSEIT

10 Security Checks You Can’t Afford to Miss in IoT Development
www.aujas.com | North America. Middle East. APAC

50 Billion devices online by 2020.

From classrooms to industry floors and from hospitals to homes, the Internet of Things is making our world smarter, easier and more efficient. The need to connect, communicate and remotely manage an army of networked devices via the internet, either automatically or manually, has become a reality today. Cisco had estimated that we will have 50 Billion devices online by 2020, but given current trends, we might beat those estimates in fewer than 3 years.

The biggest challenge is “Security”.

We have transitioned from closed-loop networks to enterprise networks to connectivity over the internet, and this has accelerated at a tremendous pace. By design and by functionality, IoT devices leverage the Internet’s reach and capabilities, which has historically been a challenge from the security perspective.

Although we have caught up with the security protocols and best practices for traditional networks, and hence taken care of them to a large extent, security of IoT devices is still in its initial phases and hence is grossly inadequate.

Imagine the complexity given that we are talking about billions of IoT devices. Now add to it other parameters like custom OS, memory, hardware, protocols, and so on. Given that our traditional security appliances are designed to handle standard devices, we need better, innovative ways of managing security in this new connected world.

A typical architecture of Internet of Things

Figure: layers of a typical IoT architecture, from the end-user at the top to the hardware at the bottom. Services & Apps (Web, Mobile and cloud Apps); API Lifecycle Management (Platform API Design & API Management, Develop Platforms); Cloud Platform Framework; IoT Platform (Device Mgmt, Profile Mgmt, Service Platform, Content Mgmt); Connectivity (LTE/3G/2G, WiFi, Bluetooth); Hardware (Sensors, Actuators, Infrared, GPS).

The layers above depict various levels of integration in IoT at an abstract level. It shows the
design flow from end-user towards the actual hardware performing the tasks measurable in the
physical world.

The flow starts with an input from the end-user. The input could be initiated by human intervention via any application (Web/Mobile), or it could be automated where no human intervention is needed. Then the web services responsible for handling the request from the end-user kick into action. These web services or APIs are managed by an API platform. The API platform not only manages the lifecycle of the APIs but also acts as a middleware between itself and the underlying IoT Platform. The IoT platform can be tightly (or loosely) coupled with the API management platform. Both platforms can communicate with cloud (or local) storage as per the design considerations of the IoT solution architecture in scope.

The IoT platform takes care of connecting different cyber-physical systems. It acts as a medium for different types of sensors, actuators etc. to communicate with each other and share data when required. The platform can handle multiple communication and operating protocols utilized by multiple types of underlying devices. The IoT platform is responsible for management of data generated by the IoT sensors, devices, actuators etc. and supplying them to the APIs for users to comprehend.

As you can visualize, information passes through a large number of information processing nodes before it is consumed by the end-user. This is where the security challenge comes into the picture. As the number of hops increases, there is an increase in the opportunities for data manipulation, interception and other malicious activities. Hence security at each level of interaction (API, Communication Channels, Data Storage, Applications etc.) must be thoroughly verified.

Security incidents that highlight the need for better security in IoT

1 Manipulation of hacked Smart Cars

Security researchers Chris Valasek and Charlie Miller created a stir in the security community when they hacked into a Toyota Prius and a Ford Escape using a laptop interfaced with the vehicle’s diagnostic port. With this research the team was able to manipulate the cars’ braking, headlights and steering. The same researchers were earlier involved in manipulating a Jeep Cherokee over the internet by sending carefully crafted messages on the vehicle’s internal network, known as the CAN bus.

2 IoT Medical applications hacked

As early as 2014, after a two-year study on vulnerabilities in connected medical devices, Scott Erven and his team of security researchers revealed major security flaws that could pose very severe threats to the well-being of customers. The team found examples such as drug infusion pumps meant for delivering medicines that could be remotely manipulated to change the dosage volumes for patients, and Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart. The healthcare org was merely one of "thousands" with equipment discoverable through Shodan, a search engine for things on the public internet.

3 MIRAI Botnet

In September 2016, "KrebsOnSecurity.com" became the target of a massive DDoS attack (approximately 620Gbps) that eventually knocked the site offline. Similarly, OVH, a well-known Web hosting provider, was also a victim of a massive DDoS attack, bigger than the one that hit Krebs. According to a tweet from OVH founder Octave Klaba on 22 September 2016, a simultaneous DDoS attack of 990Gbps (combined) was launched by a botnet consisting of more than 145,000 compromised IoT devices like IP cameras and DVRs.

4 IoT, SCADA and ICS

The December 2015 cyber attacks on Ukrainian power utilities provide evidence of widespread infiltration into the organization’s operational systems. The initial breach was caused by the usual culprits – phishing and social engineering. But once inside the network, attackers exploited the fact that the systems controlling the infrastructure were connected to regular Windows systems. Then, using the “Black Energy” malware, attackers were able to sniff the network for user credentials, which in turn allowed them access to the Industrial Control Systems and let them manipulate the electricity supply.

6 Security Challenges with Internet of Things

1 Data Privacy Issues

A Data Privacy Issues

The sheer volume of data generated by the number of IoT devices is huge. This data typically contains information corresponding to device activity and usage patterns, but also PII (Personally Identifiable Information) and PHI (Protected Health Information). This data is not easy to manage due to limitations of available resources and existing security mechanisms. The number of IoT devices on the network creates more entry points for hackers and leaves sensitive information vulnerable.

B Unintended public profile

Due to negligence of consumers, the data being collected by the various IoT devices or sensors may be used by third parties handling this data. This data can be used to gather personal information and usage patterns of the user by using data analytics. For example, an insurance company might gather information from you about your driving habits through a connected car when calculating your insurance rate. The same could occur for health or life insurance, thanks to fitness trackers.

C Illegal Surveillance

Manufacturers and hackers could actually use a connected device to virtually invade a person's home. Cameras, DVRs, medical devices, smart home sensors etc. can be used by rogue agents for eavesdropping and intruding into the personal life of their users. Different IoT devices transmit data autonomously amongst themselves as well as to other devices via various communication channels. Interoperability is one of the basic pillars of IoT functioning. Even if data transmitted by a single device does not breach someone’s privacy, a collection of fragmented data from various devices on the network can be a risk.

2 Device Security Issues


A Data Encryption & Authentication

IoT applications collect tons of data, and data retrieval and processing is an integral part of the whole IoT environment. As most of the generated data is personal (hence sensitive), it needs to be protected using various encryption techniques. These encryption techniques are generally resource intensive and hence a challenge due to the limited resource availability in devices, unlike general purpose computing systems. Therefore these issues are neglected to a great extent. Unfortunately, the same reason holds good for weak authentication and authorization mechanisms in the IoT ecosystem.

B Hardware limitations

Due to interest in a connected ecosystem that exceeds all estimates, hardware that was not specifically designed with IoT security in mind is being ushered into the market. While chip makers like ARM, Intel etc. are implementing security features on the SoC itself, this will be expensive to start with. Also, the complex design leads to higher battery consumption, which is definitely a challenge for IoT applications. Affordable solutions will not be able to use such chips, which means there is a need for a different approach.

Similarly, most IoT devices run on small-footprint embedded systems with processing power limited to the application’s needs. Hence these devices have very limited CPU and memory resources with which to protect themselves against a large onslaught of requests. Also, security mechanisms seen on traditional operating systems, like DEP and ASLR, are difficult to implement on these devices due to the limited resources. For the same reason, maintaining end-to-end data encryption on IoT devices is a tough task.

3 Hardware/Software patching issues

IoT devices are deployed on a range of hardware platforms, many of which are highly constrained. These platforms have specific requirements in terms of firmware and connectivity options, making it difficult to develop and manage updates. Moreover, with very limited processing resources available, these devices are not designed with updates (both software and hardware) in mind. Another challenge with updates is that they must be done securely and with zero risk of bricking the device.

The update mechanism must also contain checks to verify the update package source, data integrity etc. Malicious firmware files could be uploaded to the device memory and direct the device to perform malicious activities, and may even brick the device. As firmware works at a very low level, it can execute malicious tasks with system-level privileges.

Another main area of concern for IoT devices is that they are very hard to patch. As the IoT ecosystem grows at a rapid rate, ubiquitous deployment of unattended devices throughout our homes, offices, factories, and public spaces is taking place. All these devices by design need to connect to the internet to work smoothly, and eventually hackers find and exploit unpatched vulnerabilities. Various incidents of devices being vulnerable to decade-old exploits in Linux are bubbling up. For example, in Industrial IoT most devices are legacy devices and no proper replica environment is available, even to test patches before deploying them on production environments.
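The update-mechanism checks described above (verifying the package source, verifying integrity, and never leaving the device bricked) are what a boot loader's secure-boot step and an update agent share, so one worked example covers both. This is an added example, not code from the whitepaper or from Aujas: the package layout, the `FWUP` magic, the fixed key and the firmware bodies are all constructed for it. The tag is HMAC-SHA256 under a per-product verification key; a shipping design would use an asymmetric signature so the device holds only a public key, but the verify-before-apply order, the anti-rollback check and the A/B slot switch are the same.

```python
"""Firmware update package verification for a constrained IoT device.

Added example (not from the whitepaper or from Aujas). Package layout,
constructed for this example:

    magic(4) | version(4, big-endian) | body_len(4, big-endian) | body | tag(32)

The tag is HMAC-SHA256 over everything before it, keyed with a per-product
verification key. HMAC stands in for the digital signature a real product
would use; the verification flow is identical.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


class PackageError(Exception):
    """Raised for any package the device must refuse to apply."""


def build_package(key: bytes, version: int, body: bytes) -> bytes:
    """Vendor side: wrap a firmware body into an authenticated package."""
    signed = HEADER.pack(MAGIC, version, len(body)) + body
    return signed + hmac.new(key, signed, hashlib.sha256).digest()


def verify_package(key: bytes, pkg: bytes, installed_version: int):
    """Device side: return (version, body) only if every check passes.

    The tag is checked before the header is parsed, so no field of an
    unauthenticated package ever influences control flow."""
    if len(pkg) < HEADER.size + TAG_LEN:
        raise PackageError("package truncated")
    signed, tag = pkg[:-TAG_LEN], pkg[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise PackageError("authentication failed")
    magic, version, body_len = HEADER.unpack_from(signed)
    if magic != MAGIC:
        raise PackageError("bad magic")
    if len(signed) != HEADER.size + body_len:
        raise PackageError("length mismatch")
    if version <= installed_version:  # anti-rollback: never go backwards
        raise PackageError("rollback to version %d rejected" % version)
    return version, signed[HEADER.size:]


def install(key: bytes, pkg: bytes, state: dict) -> dict:
    """A/B slot update: stage into the inactive slot and switch only after
    verification, so a rejected package never touches the running image."""
    active = state["active"]
    inactive = "B" if active == "A" else "A"
    version, body = verify_package(key, pkg, state["version"][active])
    state["image"][inactive] = body
    state["version"][inactive] = version
    state["active"] = inactive
    return state


def demo() -> dict:
    """Run a good update, then three bad packages, and report the outcome."""
    key = b"\x11" * 32  # constructed per-product key
    state = {"active": "A", "version": {"A": 1, "B": 0},
             "image": {"A": b"firmware-v1", "B": b""}}
    good = build_package(key, 2, b"firmware-v2")
    results = {}
    install(key, good, state)
    results["upgraded"] = (state["active"], state["version"]["B"])
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01  # flip one byte of the body
    for name, pkg in [("tampered", bytes(tampered)),
                      ("rollback", build_package(key, 1, b"firmware-v1")),
                      ("truncated", good[:-1])]:
        try:
            install(key, pkg, state)
            results[name] = "accepted"
        except PackageError as err:
            results[name] = str(err)
    results["still_running"] = state["image"][state["active"]]
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the rejected packages leave the device running the image it verified last: the slot that failed verification is simply never made active, which is the "zero risk of bricking" property the text asks for.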

4 Compliance & Regulatory Issues

As the IoT ecosystem is in its initial phase, there is a lot of catching up to do in terms of robust compliance and regulatory frameworks. General purpose information security compliance and regulatory frameworks are not very well suited for IoT, for the reasons covered above. As a compliance issue, the lack of control over the security of IoT devices and the data they collect is a concern. Organizations like the IoT Security Foundation are working on a compliance framework and have released IoT Security Compliance Framework Version 1. Similarly, organizations and government agencies like NYC, DHS, CERT and NIST are also working on compliance models for IoT.

Regulatory requirements also differ among geographies. As IoT devices work with sensitive data (both personal and industrial), different countries handle this data differently, causing confusion among manufacturers. Given that most Internet of Things devices do not disclose where they send collected data, let alone what data is collected in the first place, IoT is making compliance management more difficult. Similarly, as IoT devices get adopted in diverse sectors like construction, manufacturing, agriculture, healthcare, energy, etc., each of these sectors has its own set of guidelines and regulations, which also contributes to difficulties in compliance management.

5 Connectivity Issues

IoT devices have come to the forefront due to the broad penetration of easy connectivity options like the Internet, Bluetooth and their derivatives. By design, IoT systems rely on intermediaries to reduce response time, bandwidth, and energy consumption. The dependency on proxies and gateways for caching requests and responses has increased, as many IoT devices sleep for most of the time because of the high power consumption of radio reception and transmission. As the number of nodes increases, so does the attack surface. Even though SSL/TLS-like mechanisms protect the data at the transport level, a large number of intermediaries may allow malicious data injection and manipulation, because each intermediary terminates the transport protection and handles the data in the clear.

Devices which are mission critical are connected and live 24*7, which can be a huge benefit for a hacker in the case of a botnet. These devices could also be target-specific, and in the case of medical applications of IoT an attack can have fatal consequences for an individual or an organization.
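The gap the connectivity section points at is that hop-by-hop TLS ends at every proxy or gateway, which then handles the telemetry in the clear. The usual answer is to authenticate the message itself, end to end, so the back end can tell whether any intermediary changed or replayed it. The following is an added example, not code from the whitepaper or from Aujas; the device ids, per-device keys, readings and the tampering gateway are all constructed for it. Each message carries an HMAC-SHA256 tag over the device id, a sequence number and the payload, and the back end enforces strictly increasing sequence numbers per device.

```python
"""End-to-end message authentication for telemetry crossing proxies/gateways.

Added example (not from the whitepaper or from Aujas). TLS protects each hop;
the tag here protects the message across all hops, and the per-device
sequence number lets the back end refuse replayed copies. Device ids, keys,
readings and the misbehaving gateway are constructed for the example.
"""
import hashlib
import hmac
import json

DEVICE_KEYS = {  # constructed; in practice provisioned per device at manufacture
    "sensor-01": b"\x01" * 32,
    "sensor-02": b"\x02" * 32,
}


def _canonical(device_id: str, seq: int, payload: dict) -> bytes:
    """Deterministic bytes to tag; sorted keys make both sides agree."""
    return json.dumps([device_id, seq, payload], sort_keys=True,
                      separators=(",", ":")).encode()


def device_send(device_id: str, key: bytes, seq: int, payload: dict) -> dict:
    """Device side: build a message carrying an end-to-end tag."""
    tag = hmac.new(key, _canonical(device_id, seq, payload), hashlib.sha256)
    return {"device_id": device_id, "seq": seq, "payload": payload,
            "tag": tag.hexdigest()}


def tampering_gateway(msg: dict) -> dict:
    """Models an intermediary that rewrites a relayed payload (constructed)."""
    forged = json.loads(json.dumps(msg))  # deep copy, as a real relay would re-serialize
    forged["payload"]["temp_c"] = 99.0
    return forged


class Backend:
    """Back end: verifies the tag, then enforces strictly increasing sequence
    numbers per device so a relayed copy of an old message is refused."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}

    def accept(self, msg: dict):
        key = self.keys.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _canonical(msg["device_id"], msg["seq"],
                                            msg["payload"]), hashlib.sha256)
        if not hmac.compare_digest(expected.hexdigest(), msg.get("tag", "")):
            return False, "tag mismatch: modified in transit"
        if msg["seq"] <= self.last_seq.get(msg["device_id"], -1):
            return False, "replay: sequence not increasing"
        self.last_seq[msg["device_id"]] = msg["seq"]
        return True, "accepted"


def demo() -> dict:
    """One device, two readings, one tampering relay, one replay, one stranger."""
    backend = Backend(DEVICE_KEYS)
    key = DEVICE_KEYS["sensor-01"]
    first = device_send("sensor-01", key, 1, {"temp_c": 21.5})
    second = device_send("sensor-01", key, 2, {"temp_c": 21.7})
    return {
        "first": backend.accept(first)[1],
        "tampered": backend.accept(tampering_gateway(second))[1],
        "second": backend.accept(second)[1],
        "replay": backend.accept(first)[1],
        "unknown": backend.accept(device_send("rogue", b"x" * 32, 1, {}))[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-9s %s" % (name, outcome))
```

The tag gives integrity and origin, not confidentiality; a reading that must stay private from the gateway additionally needs application-layer encryption, which the constrained-device sections above explain is the harder part to afford.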

6 Lack of User awareness

Though IoT privacy issues have been going on for a while, not all people are aware that security has been a growing issue. The majority of users, in fact, are normally security-conscious when using their personal computers, tablets, or even their smart phones, but many are less concerned when using their connected fitness trackers, smart meters, smart cars, etc. Cyber-criminals who compromise IoT devices not only can cause physical harm to the owner of the objects (tampering with medical machinery, disabling home security systems, turning off electricity or heating systems, and, potentially, affecting car driving), but can also intrude into the networks and computing systems to which the devices are connected and gain access to PII, bank data or vital company information.

Users should also spend some time understanding what data their devices collect, who they share it with and how they transmit/receive it. Understanding where data is stored and whether the connection is encrypted is essential in deciding what to share and whether privacy settings need to be activated in the accompanying software of the devices.

10 Security Checks for the Internet of Things Ecosystem

1 Implement Secure Booting
Verify the device’s firmware for tampering using cryptographically generated digital signatures before it is executed.

2 Implement a strong Encryption Mechanism
Encrypt data at rest and in transit between IoT edge devices and back-end systems using standard cryptographic algorithms, helping maintain data integrity and preventing data sniffing by malicious entities.

3 Maintain Role Based Access
An access control mechanism must be built into the operating system to limit the access of device components to their required resources only.

4 Verify Device Authenticity
As soon as a device is connected to the network, it should be authenticated based on a device id or another device-specific identifier.

5 Change the Default credentials
Devices with weak or default credentials can be easily compromised by brute force attacks, as they are mostly online 24*7.

6 Keep the devices up-to-date
Update IoT devices with the latest firmware and patches as soon as possible to ensure that known vulnerabilities are addressed.

7 Maintain IoT API Security
API security is essential for protecting the integrity of data transiting between edge devices and back-end systems, and for ensuring that only authorized devices, developers, and apps are communicating with the APIs.

8 Device Status Monitoring
In industrial as well as consumer IoT networks, it is critical to monitor device status (Online/Offline, Unusual activity).

9 Ensure proper Firewall/IPS Configuration and Network Security
The device also needs a firewall or deep packet inspection capability to control traffic that is intended for specific nodes in the network. Also, inbound ports must be monitored closely and should be in a closed state when not required.

10 Secure Provisioning of IoT Devices
All IoT devices must be checked and certified before connecting them to the home or industrial network.
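Check 8 (device status monitoring) is the one that would have surfaced the Mirai-style compromise described earlier, where cameras and DVRs that were otherwise "online" started opening large numbers of outbound connections. The example below is added here and is not code from the whitepaper or from Aujas; the log format, device names, addresses (from documentation ranges), timeout and per-minute baseline are all constructed for it. It reads a gateway event log and reports devices that went silent (no heartbeat within the timeout) and devices whose outbound connection rate in any one-minute window exceeds the baseline.

```python
"""Device status monitoring over a gateway's event log.

Added example (not from the whitepaper or from Aujas). Constructed log
lines have one of two shapes:

    <ISO-8601 time> <device-id> heartbeat
    <ISO-8601 time> <device-id> outbound dst=<ip>:<port>

analyze() reports devices with no heartbeat inside HEARTBEAT_TIMEOUT and
devices whose outbound connections in any sliding one-minute window exceed
OUTBOUND_LIMIT_PER_MIN. Thresholds and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HEARTBEAT_TIMEOUT = timedelta(minutes=5)
OUTBOUND_LIMIT_PER_MIN = 20  # constructed baseline for small sensors/cameras

# Constructed sample: three devices; meter-07 stops reporting, cam-02 bursts.
SAMPLE_LOG = """\
2020-05-01T10:00:00Z cam-01 heartbeat
2020-05-01T10:00:00Z cam-02 heartbeat
2020-05-01T10:00:00Z meter-07 heartbeat
2020-05-01T10:00:30Z cam-01 outbound dst=203.0.113.10:443
2020-05-01T10:01:00Z cam-02 heartbeat
2020-05-01T10:02:00Z cam-02 heartbeat
""" + "".join(
    # cam-02 opens 30 connections within 30 seconds (constructed burst)
    "2020-05-01T10:02:%02dZ cam-02 outbound dst=198.51.100.%d:80\n" % (s, s)
    for s in range(1, 31)
) + """\
2020-05-01T10:05:00Z cam-01 heartbeat
2020-05-01T10:10:00Z cam-01 heartbeat
2020-05-01T10:10:00Z cam-02 heartbeat
"""


def parse_line(line: str):
    """Split one log line into (timestamp, device, event, extra fields)."""
    ts, device, event, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, device, event, rest


def analyze(log_text: str, now: datetime = None) -> dict:
    """Return {'offline': [...], 'unusual_activity': [...]} for the log.

    `now` defaults to the latest timestamp seen, which is what a batch run
    over a closed log would use; a live monitor passes the wall clock."""
    last_heartbeat = {}
    outbound = defaultdict(list)
    latest = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, device, event, _ = parse_line(line)
        if event == "heartbeat":
            last_heartbeat[device] = when
        elif event == "outbound":
            outbound[device].append(when)
        if latest is None or when > latest:
            latest = when
    now = now or latest
    alerts = {"offline": [], "unusual_activity": []}
    for device, seen in sorted(last_heartbeat.items()):
        if now - seen > HEARTBEAT_TIMEOUT:
            alerts["offline"].append(device)
    for device, times in sorted(outbound.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding one-minute window
            while t - times[start] > timedelta(minutes=1):
                start += 1
            if end - start + 1 > OUTBOUND_LIMIT_PER_MIN:
                alerts["unusual_activity"].append(device)
                break
    return alerts


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In practice the baseline would be learned per device class rather than fixed, and the "offline" alert is as useful for an availability incident (a device that has been bricked by a bad update) as for a security one.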

About Aujas
Aujas is a pure-play cybersecurity services company with deep expertise in Identity and Access
Management, Risk Advisory, Security Verification, Managed Detection and Response and Security
Engineering services. Our unique products and services help businesses build and transform security
postures while mitigating risks. The service focus is to strengthen security resilience by minimizing the
occurrence of attacks, threats, and risks, so that you drive change, innovate, and accelerate growth.

For more information, do visit us at www.aujas.com or you can also write to us at [email protected]

Offices: Ottawa, Jersey City, UAE, Cupertino, Dallas, Gurgaon, Saudi Arabia, Mumbai, Bangalore.

Copyrights © 2020 All Rights Reserved by Aujas.

No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written
permission from Aujas Cybersecurity. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
