Yes, you heard it right! The “S” in IoT stands for “Security”!
With an increasing number of applications, hardware prototypes, operating systems, software platforms and cloud solutions, IoT is appearing in almost every domain we can imagine! However, how many of these solutions actually safeguard our connected devices and networks from attackers? The question is rhetorical, given the title of this article.
IoT is an open field of innovation for everyone from big companies to small enthusiasts, so it is essential to understand whether the IoT product we are using is made “foolproof” against attacks. The problem is that IoT is used in almost every domain, from home automation to smart agriculture, from toys to self-driving cars, from small houses to big industries, and the idea of the Internet of Things (IoT) is still at such an early stage that there are no fixed standards to safeguard it. The “Internet” and the “Things” in IoT are not that recent, though! The internet has grown so substantially over the last few decades that its security and safety standards are renewed every year. It has gone from early ideas of obscurity to the strongest encryption. The “Things” in this context are not new either. We have seen a huge number of embedded-systems solutions, and our legacy machines have become compact and smart. The Internet of Things now connects these two renowned innovations to create cognitive, intelligent systems that ease human lives. Today we have thousands of IoT platforms, a hundred-odd cloud solutions and millions of people working on IoT. However, the most important question remains: is “Security” prevalent in IoT?
Before we begin to cash in on our IoT solution, it is important that we answer this question. Security is not as difficult as it seems! Some basic rules are already well established in today's world. Until proper standards arrive to secure IoT, we can still follow these basic rules to safeguard our IoT products.
Today, several IoT prototype boards and operating systems ship with default credentials on a bare installation. The most important thing is to get rid of these default credentials and change them to more secure credentials that only your system will know. Never keep the default credentials in your project when you deliver your product to your client.
Authentication & Authorization
Authentication and authorisation work like a passport for your system. With the right kind of authentication, you can make life miserable for hackers and easy for your customers. Keeping authorisation dynamic is very important, knowing that many customers would like it to resemble their banking systems: secured and foolproof! Limit the validity period of your authorisation and let the user renew it. The authentication can be made more obscure using cryptography that is difficult to reverse.
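A time-limited, renewable authorisation as described above, shown as an added example that is not part of the original article. The 15-minute lifetime, the 5-minute renewal window, the HMAC-SHA256 token format and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment signing key that only the server holds.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 900   # assumed validity period in seconds (15 minutes)
RENEW_WINDOW = 300     # assumed: renewal allowed only in the last 5 minutes


def _sign(payload: bytes) -> str:
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(device_id: str, now: int) -> str:
    """Return 'payload.signature' binding the device to an expiry time."""
    body = json.dumps({"dev": device_id, "exp": now + TOKEN_LIFETIME}).encode()
    payload = base64.urlsafe_b64encode(body)
    return payload.decode() + "." + _sign(payload)


def verify_token(token: str, now: int):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        payload, sig = token.split(".")
        # Constant-time comparison; the signature is checked before parsing.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    return claims if now < claims["exp"] else None


def renew_token(token: str, now: int):
    """Issue a fresh token only for a still-valid token that is close to expiry."""
    claims = verify_token(token, now)
    if claims is None or claims["exp"] - now > RENEW_WINDOW:
        return None
    return issue_token(claims["dev"], now)
```

An expired token cannot be renewed, so a device that has been offline past its validity period has to authenticate again from scratch.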
Hackers can get into any network easily, so it is important that you keep your communication secured and obscured. Encryption using TLS/SSL is good: it provides encryption of data along with authorisation using secured certificates. All communications established by your end devices or gateways, whether to the cloud or with each other, must be secured and obscured. For example, if you are using M2M communication where your end devices talk to each other or to the gateway, keep that communication encrypted, irrespective of the protocol used.
All IoT products connect and exchange data with the cloud in one way or another. Whatever measures we take to secure the IoT network, it is essential that we take them on the cloud as well. If you are using databases, keep them hidden and communicate with them only through secured APIs. Apply not only authentication (such as OAuth or API keys) but also encryption (HTTPS instead of HTTP, SSL instead of TCP, etc.). Along with common authentication, add an extra layer of authorisation that distinguishes one user from another, so that even if one specific user's device is compromised, it doesn't affect the entire system. One user’s vulnerability shouldn’t affect the other users or the entire system. It is good to create micro-services on your cloud that maintain these unique authorisations and also keep track of any attacks, which can be reported to the system admin.
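The extra authorisation layer and attack tracking described above, as an added example that is not part of the original article. The keys, users, devices, the alert threshold and the `Authorizer` class are all constructed for illustration.

```python
from collections import Counter

ALERT_THRESHOLD = 3   # assumed: denials from one identity before the admin is told

# Constructed sample data: which user each API key and each device belongs to.
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}
DEVICE_OWNER = {"thermostat-1": "alice", "camera-7": "bob"}


class Authorizer:
    """Authenticates the API key, then authorises it for that user's devices only."""

    def __init__(self):
        self.denials = Counter()   # denied requests per identity
        self.alerts = []           # messages that would go to the system admin

    def authorize(self, api_key, device_id):
        user = API_KEYS.get(api_key)
        if user is None:
            return self._deny("<unknown key>", device_id)
        # A valid key is not enough: the device must belong to this user,
        # so a stolen key exposes one user's devices and nothing else.
        if DEVICE_OWNER.get(device_id) != user:
            return self._deny(user, device_id)
        return True

    def _deny(self, who, device_id):
        self.denials[who] += 1
        if self.denials[who] == ALERT_THRESHOLD:
            self.alerts.append(
                f"{who}: {ALERT_THRESHOLD} denied requests, last for {device_id}")
        return False
```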
Your end devices, and any IoT gateways or routers your solution uses, must also be made tamper-proof against attacks and malware. One basic rule is to maintain different code bases for development and for production. Blow the fuses or lock the ports when you create the production version of your software. This way you keep them secured from hackers. Also, do not bundle the source code or unencrypted files in your device memory. Use binaries, wrap them in secured wrappers if possible, and if any local databases or files are used, keep them encrypted.
The security of your IoT product is in your hands. The more we care, the safer it becomes to use! It is inevitable that in the coming years we will have an “Internet of Secured Things” and not just the IoT that we know today!
IT and IoT Professional
Disclaimer: The opinions expressed in this article are those of the author, and do not reflect in any way those of the organizations or institutions of which he is a member.