IoT Security: Protect IoT devices from unauthorized access

At a glance

IoT platforms offer great potential for automation and promise great convenience in everyday private and business life. However, for networked devices and applications to work effectively, they must be able to continuously collect and exchange certain data. If there is a vulnerability anywhere in the system, attackers can do a lot of damage. They could, for example, intercept confidential data for criminal purposes, feed manipulated data into the system, or even connect to the system to take over control of equipment or vehicles. IoT security must therefore be carefully considered, especially for sensitive industrial applications or scenarios in which the safety of persons could be endangered.

Possible Attacks on IoT Platforms

There are several possible levels at which an IoT system could be vulnerable:

Physical Attacks
Here the hardware itself is at risk, i.e. the networked devices and sensors that are part of an IoT application. Attackers gain physical access to the hardware in order to manipulate selected components according to their wishes. These attacks require that the attacker himself or an accomplice has access to the devices.

Attacks over the Network
IoT applications can theoretically be attacked over the network, since the devices involved have to communicate with each other in some form, often wirelessly. In addition, communication via the Internet is often required in order for the networked systems to function as desired. At this point, an attacker can gain access to the sent data or introduce manipulated data and commands into the system. From industrial espionage to explicit manipulation, various dangers are conceivable. In addition, an attacker can paralyze the network itself if, for example, he disrupts communication via a DDoS attack.

Attacks in the application layer
IoT applications need software that controls them, and often also software that provides an interface for people, e.g. applications for smartphones. Here, too, there is great potential for security gaps that an attacker can exploit: in contrast to network protocols, there are no standards or guidelines, i.e. each manufacturer is more or less free in the way he programs his application.

Apply information security objectives to IoT security as well

Whenever confidential data and sensitive systems are involved, information security plays a crucial role in protecting this information. The objectives of information security for IT applications include the following aspects:

  • Confidentiality: Confidential information must be treated as such by all devices and must not, for example, be freely passed on to other devices in the IoT scenario.
  • Integrity: Information must not be open to manipulation, or at least any manipulation of data must not go undetected.
  • Availability: Certain devices and services must always be available in order to guarantee the smooth running of IoT applications, especially within safety-critical scenarios.
  • Authentication: Only authorized devices and participants may have access to the IoT system; data may only originate from authorized devices and participants. All participants must be uniquely identifiable.
  • Liability (non-repudiation): All transactions must be considered binding so that they cannot be denied later, especially in commercial scenarios.

Approaches for more IoT security

In addition to maintaining information security, there are various ways of anticipating the weak points in IoT systems.

Network security
The network is the basis for the communication of IoT devices and must therefore be carefully protected, e.g. by firewalls, measures against viruses and malware or intrusion prevention and intrusion detection.

Security through authentication and management of identities
Each individual participant within an IoT scenario must be uniquely identifiable so that only authorized devices and persons have access to the network. Participants can be authenticated using a variety of methods, including passwords, biometric data, certificates, and two-way authentication. This also applies to communication between devices. It must also be possible to efficiently manage the identities of the numerous participants. For identity management, especially in IoT scenarios, there are proprietary solutions, some of which are based on blockchain.
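
As an added example (not part of the original article), the following Python code shows one way a gateway can enforce the integrity and authentication objectives listed above for device-to-gateway messages. It assumes pre-shared per-device keys and HMAC-SHA256 rather than certificates, and adds a message counter to reject replays; the device IDs, keys and message layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample registry: device ID -> per-device secret (illustrative values).
DEVICE_KEYS = {
    "sensor-01": b"constructed-key-for-sensor-01",
    "valve-07": b"constructed-key-for-valve-07",
}

def sign_message(device_id, counter, payload, key):
    """Device side: serialize the message and tag it with HMAC-SHA256."""
    body = json.dumps({"id": device_id, "ctr": counter, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Gateway:
    """Receiver side: accepts only authentic, unmodified, fresh messages."""
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, message):
        try:
            body, tag = message["body"], message["tag"]
            fields = json.loads(body)
            device_id, counter = fields["id"], fields["ctr"]
            key = self.keys.get(device_id)
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        if not isinstance(body, str) or not isinstance(tag, str):
            return "rejected: malformed"
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: do not leak how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad tag"
        # The counter is only trusted after the tag check has passed.
        if not isinstance(counter, int) or counter <= self.last_counter.get(device_id, -1):
            return "rejected: replay"
        self.last_counter[device_id] = counter
        return "accepted"
```

The identity is read from the message only to select the key; nothing in the message is acted on until the tag has been verified with that device's key.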

Security through confidentiality
Confidential information should be protected from unauthorized access by encryption. Where resources permit, encryption should be tailored as closely as possible to the actual need. For systems with limited resources (e.g. embedded systems, sensor networks, RFID) there are special cryptographic methods (lightweight cryptography).

Security through protocols
Special protocols for data exchange in the Internet of Things help to standardize communication and make unauthorized access more difficult.

Security by following regulations
Observing best practices and regulations (e.g. the EU GDPR) also helps to create more security in networked systems.