Securing the IoT tsunami

By : Ian Hall, Manager, Client Success, APAC, At Synopsys Software Integrity Group | Thursday, April 29 2021 - 22:55 IWST

Four IoT security challenges
Four IoT security challenges

INDUSTRY.co.id - The Internet of Things (IoT) is a reality. Gartner forecasts 25 billion IoT devices by 2021, and other industry sources and analysts predict even larger numbers. Although projections of unprecedented growth are ubiquitous among industry pundits, the efforts to secure this tsunami of connected devices are in their infancy.

The IoT is still relatively new, so it lacks regulations that mandate security. The potential for misuse, however, is massive-and could lead to major embarrassment (and worse) for businesses and consumers. 

Connected devices have already been utilised to launch massive DDoS attacks on websites, in-home security cameras have been hacked and used to spy on people, and sensitive consumer data has been compromised. 

Timely testing and securing of IoT is the need of the hour.

Four IoT security challenges
IoT systems (including the Industrial Internet of Things [IIoT] and connected machinery) are quite complex from a security perspective, and they pose several contrasting challenges.

Scale

Unlike traditional web apps, IoT software is deployed on thousands and even millions of devices and are always on, so vulnerabilities are magnified over a much wider attack surface.

Lifespan

A lot of IoT devices are embedded within equipment that lasts a long time — even decades (automobiles, subsea devices, HVAC systems, and so on).

It’s often hard to deploy patches on or upgrade the software contained in these devices as frequently. 

The likelihood of vulnerabilities persisting in these devices for months to even decades is extremely high.

Open source operating systems

The large majority of IoT devices run on open source operating systems and on off-the-shelf hardware and networks. The inherent vulnerabilities baked into open source software makes them even more susceptible to attacks.

The 5G network effect

5G is expected to usher in the IoT era to an even greater extent. With its high bandwidth and speed, it will connect everything and remain always on. 

This increases the likelihood of an attack, and a public network is always more susceptible to an attack.

Facets of an IoT deployment
Consider IoT systems within the context of medical devices, automotive equipment, and consumer electronics. 

From a security testing perspective, these mixed-technology deployments have a multitude of potential attack surfaces and technologies that must be protected.

The cloud. The IoT and cloud computing are a match made in heaven. The capacity needed to handle the sheer volume of data as well as the processing required for large-scale IoT adoption can only be driven by cloud computing. 

Smart devices will be connected by default to either edge data centers or centrally located data centers, which will process and store the data they generate. The cloud could also be utilised for IoT device security controls.

Embedded devices. 

Each “thing” within IoT is essentially an embedded computing device that sends and receives information over a network. 

Embedded devices run software and have a smaller memory footprint, along with an operating system and a processor. 

Just like the network they are connected to, these things are all susceptible to attack-especially as they might run old, general purpose, open source software that isn’t often updated for patches.

Web applications. 

Often, IoT devices connect to a web app, and some IoT devices even have an embedded web server. That’s why web app security testing principles apply to IoT security.

Custom applications. 

The IoT is vast and spans apps that power smart cities, automobiles, agriculture, healthcare, and more. Given the wide variety of devices, standards, and technologies applied to IoT, there’s a lot of incompatibility in the ecosystem. Custom apps are therefore widespread in IoT.

The network. 

Most smart devices are always connected by default. They’re connected to the gateways and the back end via a variety of network protocols. 

And just like the cloud, embedded devices, and web/customised IoT apps, the network itself is highly prone to attack.

Mobile devices. 

With the increasing adoption of 5G, the IoT will have the mobile network speed, device density support, and data transfer speeds to support the billions of mobile IoT devices, as well as the mobile apps to control these devices. 

The network, mobile, and the cloud are the three pillars of IoT.

Thick client testing. 

IoT data processing is increasingly moving to the edge to facilitate faster decisioning. Decentralised thick client computing at the edge is common, particularly in devices that may need to operate without connectivity from time to time.

Fuzz testing.

If an IoT device becomes unresponsive or acts abnormally due to inconsistent input, it may affect real-world operation. Fuzz testing simulates what a hacker would do by creating a wide range of corrupt input that will cause the app to fail.

News Comment

Today's Industry

Chevron SG Chairman Law Tat Win Credit: Chevron

Rabu, 07 Desember 2022 - 19:44 WIB

What hinders manufacturing firms from lowering their carbon footprint

Chevron Singapore Country Chairman Law Tat Win said the right policies and partnerships are needed for a cleaner energy shift.

Gojek Used for Transportation and Logistics in Indonesia. (Photo: tirto.id)

Rabu, 07 Desember 2022 - 18:48 WIB

Gojek Most Used for Transportation and Logistics in Indonesia

The latest study done by the economic research center Institute for Development of Economics and Finance (Indef) found Gojek to be the most used application (app) for transportation and logistics…

PT Sariguna Primatirta Tbk (Tanobel Group)

Rabu, 07 Desember 2022 - 15:30 WIB

Expand Aggressively, CLEO To Builds 3 New Plants and Develops Distribution Network in 2023

PT Sariguna Primatirta Tbk (Tanobel Group), a listed company, manufacturer of Bottled Drinking Water (AMDK) with the IDX ticker code: CLEO: IJ, will continue the Company's aggressive expansion…

Asahi Kasei Europe GmbH

Rabu, 07 Desember 2022 - 14:15 WIB

Asahi Kasei Participates in Investment in Circularise

Asahi Kasei has decided to invest in Circularise B.V., a startup company in the Netherlands that provides digital product passports and mass balance bookkeeping software, together with Brightlands…

(Photo: © 2022 KRAIBURG TPE)

Rabu, 07 Desember 2022 - 13:18 WIB

KRAIBURG TPE THERMOLAST® H TPE For Medical Valve Applications.

Medical valves control or deliver fluids (liquids and gases) and are essential in operating rooms, intensive care units, outpatient facilities, laboratories, and even homecare settings.