Downs Final nts435
Abstract
Society today has become increasingly focused on technology and the ways it can
provide convenience to our lives. Every facet of the daily routine is becoming interconnected and
woven together for the sake of expediency. Collectively, we are too focused on how fast
something can be done or how many tasks can be combined to realize the folly in such thinking.
Being fixated only on time constraints allows important concerns to be ignored. Security is one
such concern that needs to be addressed but often is not, due to the emphasis on convenience.
Identity theft is currently one of the most prevalent cyber-crimes against private
individuals. Over fifteen million people were affected by identity theft in 2016 alone. Identity
theft incidence rate increased by sixteen percent, a record high since Javelin Strategy &
Research began tracking identity fraud in 2003 (unidentified, Javelin Strategy and Research,
2017). These victims had monetary losses of sixteen billion dollars, compared with fifteen
billion dollars a year earlier (anonymous, Insurance Information Institute, 2017). These types of
cyber-crimes are trending toward exponential increases with no sign of slowing, leaving Internet of
The number of IoT devices on the market also happens to be expanding exponentially,
intensifying the probability of becoming a target for attackers. The vulnerabilities
have historically been overlooked by consumers but not by criminals. The rapid expansion of the
IoT market has the potential to become a criminal playground with endless possibilities for theft
and mayhem. It is the possibility of criminal activity that the consumer needs to be aware of but is
not. Consumers do not make buying decisions based on the potential for cyber-crimes
against them; they do not even understand why this would be a consideration. The welfare of
Prepared by John Downs
Security for the Internet of Things
entire families could be at stake simply because a consumer bought a seemingly harmless
Purpose
The reason for this implementation plan is to identify steps, processes and procedures
that can be put in place to heighten the security posture of products within the IoT. The
recommendations laid forth in this plan are intended to guide manufacturers in adjusting
practices in construction and design of their products. The plan rests on the assertion that procedures with
information security as a core principle are an obligation within any computing environment. It
is seen as an obligation of companies producing IoT devices to have the best interests of their
fundamental in making products that appeal to consumers with the importance of their privacy
acknowledged. Counseling and guidance given to IoT users who may not realize the importance
regarding their security and privacy as related to use of IoT products, will enhance an
Offering practical advice on the design and implementation of such programs is the
primary purpose of this report. Further suggestions included in this document can be executed in
marketing plans to leverage growing consumer education and concern for the security of their
home environment, information included. This text is not meant only as an endorsement of any
specific product or service, although certain of these will be referenced for ease of
understanding. Recommendations for strengthening the security stance of IoT products and
enhancing consumer confidence will demonstrate concern for the well-being of the customer.
Problem
The number of IoT and NoT devices on the market is multiplying at an alarming rate.
Current data suggests that the IoT market will increase to 3.7 billion dollars by 2020, a 32.6
percent increase since 2015 reports of $900 million (Columbus, 2016). This increase in market
share for IoT devices represents an extreme increase in attack surface for consumers and
businesses alike. IHS forecasts that the IoT market will grow from an installed base of 15.4
billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025 (Columbus,
2016). Increasing the number of IoT products at such an astronomical rate has caused the issue
of security for these devices to become imperative. IoT devices gather massive amounts of data
from personal information to buying habits to medical information. As of this date the security
measures in place to ensure confidentiality and integrity of this sensitive information are
minimal. The vulnerability issue with IoT devices is that there is a myriad of security flaws.
Out-of-date firmware, shared Wi-Fi credentials that have caused exposed network configurations,
haste to enter the market with security as an afterthought and no consistent industrywide standards
are just a few of the issues. Legacy IoT devices pose security issues that are continuously
overlooked because the companies that made them have moved on to new products leaving the
old models to become forgotten weaknesses for consumers. These weaknesses may be forgotten
by the manufacturer and overlooked by the consumer but they are neither to attackers. Creating a
set of security standards for all IoT devices will be extremely difficult. Factors such as legacy
devices, price point and product availability will be hurdles that must be overcome, with profit
margins likely to take a hit in the short term, never an easy sell to shareholders.
The rising potential for attacks is not only because of the growing abundance of devices
comprising the IoT. There are five distinct portions of most IoT devices that present their own
weaknesses. Sensors, aggregators, an eUtility, a decision trigger and a communication channel grant
IoT devices the ability to perform their assigned functions. All of these components are
susceptible to attacks in various ways that are compounded by the lack of relevant security
measures built into IoT devices. The recommended solutions offered in this report will address
Sensors are used in IoT devices to measure physical attributes of the surrounding
environment. Parameters such as pressure, temperature, location, and acceleration are measured
and delivered to the processor through an interface. These parameters are utilized to elicit the
manual input. Employed sensors have varying degrees of quality, safety and reliability
depending on the application in which they are used. Sensors present many opportunities for
security improvements due to the wide range of attributes they can possess.
The first consideration I take into account when dealing with sensors is communication,
both the type of interface and the state in which the data is transmitted. If the sensor is
communicating directly with another device via Wi-Fi, the data should be encrypted. Over-the-air
communication between IoT devices is often vulnerable because of weak Wi-Fi passwords or
devices that do not require them to be on the network. Personally, I recommend the adoption of a
Blowfish algorithm for IoT communication. Advantages of Blowfish include the fact that it is one
of the more flexible encryption methods, is available free in the public domain and has
tremendous speed. Encrypting communications in IoT devices serves to lessen the risk involved
by their use. The use of encryption is directly related to the aggregator, so in turn by deploying
the use of encryption some vulnerability will be designed out of two components of IoT devices.
Aggregators are software implementations that convert raw data from sensors into
aggregated data by use of mathematical functions. Two variables are factored into the decisions
that are made by the aggregators, weights and clusters. Clusters are the sensors, physical or
virtual that send information to the aggregator. A weight is the amount of significance the data
sent has in deciding a response. Often there are many points of data sent to the aggregator, with
each data set assigned a certain weight or significance in determining the correct programmed
response.
From a security standpoint, I believe that the simplest way to address security would be
in the weights of the system. Depending on the sensors that are sending data, the aggregate
summation could be set to put emphasis on the most reliable sensors. By taking this approach,
the sensors that are more likely to send corrupted or out-of-range data can be diminished in the
capacity to elicit an undesired response from the IoT device. The bulk of the responsibility
would be placed on the complexity of the aggregate summation in determining which sensors are
A communication channel is the instrument the device uses to communicate with the
network and other IoT devices. The communication channel can be physical as in a wired USB
compared to a highway system to handle the input and output of data within the IoT device.
Inputs and outputs may even use the same communication channel for exchanges in both
directions. Reliability and security of the device can be addressed by the type and protocols used
channel. I feel that this practice could serve as a nuisance to would-be attackers. If for no other
purpose, it would not allow interception of input and output data simultaneously. Limiting the
simultaneous access would complicate efforts to corrupt the aggregate summation
calculations or alter the sensor input for a desired result. If an attacker were not able to
ascertain exactly how data would need to be altered to provoke a certain reaction, then it would
Redundancy is another way to confirm the validity of the data traveling the
communication channels. Without fail, every communication channel should have redundancy
built in and as removed from each other as possible. Under the hope and assumption that an
attack would compromise only one channel pertaining to a certain data set, the aggregator would
have a better chance of recognizing corrupted data. The ability to notice data that is unreliable
would be invaluable in limiting the effect that any one attack would have on the device. By using
redundancy, the reliability of the device is also improved, saving time and money due to reduced
The use of communication channels that are physical in nature as much as possible would
help to improve security also. Wi-Fi is vulnerable for a plethora of reasons from the open nature
to the negligent practices of customers setting up their Wi-Fi at home. Limiting the use of that
medium of communication serves to mitigate a weakness that many customers do not even
realize they have. Obviously, manufacturers of IoT devices cannot completely shield consumers
from their own mistakes but this would serve as a nominal attempt.
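The aggregator weighting and channel redundancy described in the sections above can be combined in one routine. The following is an added example, not part of the original paper; the sensor names, weights, ranges, tolerance and quorum values are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sensor:
    name: str
    weight: float  # significance assigned to this sensor's data
    lo: float      # lowest physically plausible reading
    hi: float      # highest physically plausible reading


@dataclass(frozen=True)
class Reading:
    sensor: Sensor
    primary: float    # value received over channel A
    redundant: float  # same measurement received over independent channel B


def aggregate(readings, tolerance=0.5, quorum=0.5):
    """Weighted mean over trusted readings.

    A reading is rejected when its two channel copies disagree by more than
    `tolerance` or when it falls outside the sensor's plausible range.
    Returns (value, rejected); value is None when the trusted share of the
    total weight is below `quorum`, so the device can refuse to act.
    """
    total = sum(r.sensor.weight for r in readings)
    trusted_weight, acc, rejected = 0.0, 0.0, {}
    for r in readings:
        s = r.sensor
        if abs(r.primary - r.redundant) > tolerance:
            rejected[s.name] = "channel mismatch"
            continue
        value = (r.primary + r.redundant) / 2
        if not s.lo <= value <= s.hi:
            rejected[s.name] = "out of range"
            continue
        acc += s.weight * value
        trusted_weight += s.weight
    if total == 0 or trusted_weight / total < quorum:
        return None, rejected
    return acc / trusted_weight, rejected


# Constructed sample data: three temperature sensors in one cluster.
WALL = Sensor("wall", 0.5, -20.0, 60.0)
DUCT = Sensor("duct", 0.3, -20.0, 60.0)
WINDOW = Sensor("window", 0.2, -20.0, 60.0)

# One channel of the window sensor has been altered in transit.
ONE_CHANNEL_ALTERED = [
    Reading(WALL, 21.0, 21.0),
    Reading(DUCT, 22.0, 22.0),
    Reading(WINDOW, 21.5, 80.0),
]

if __name__ == "__main__":
    print(aggregate(ONE_CHANNEL_ALTERED))
```

With the constructed data, the altered window reading is excluded and the result is driven by the two higher-weight sensors; if too much weight is rejected, the function returns no value at all.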
The basic function of an eUtility is to take the data from the aggregator (Cornelius,
2017). To put it simply, the eUtility is essentially the brains of the operation; human input is
considered an eUtility in the IoT. Software or hardware in an IoT device can be utilized for the
eUtility function, on occasion both. The eUtility presents one of the biggest challenges in
fortifying the security aspect of the IoT. Manufacturers of IoT devices must use software for
their devices to operate; this is where the challenges and opportunities lie.
Firms other than the manufacturer of the IoT device are repeatedly tasked with
implementing the software for operation. IoT manufacturers must ensure that the companies
chosen are reputable and hold security in high regard. The choice of third-party software
developing company is crucial in the security of the device. I feel that two distinct approaches
Microsoft would lend credibility to the IoT device but comes with caveats. Software provided by
a company such as Microsoft would be proprietary and security patches may be released at a
slower rate than needed by the IoT manufacturer. The alternate approach would be to utilize a
smaller company or possibly develop in-house the software from an open source platform.
Updates for security and performance would be developed at a much faster pace allowing for
critical improvements. Updates that are prompt and efficient could be the most crucial aspect of
Authentication is another aspect of the eUtility that presents opportunities for security
improvements. All communication pertaining to IoT devices should take place only when the
Device_ID of all parties involved can be verified. This authentication would take place in the
way of encryption so that devices could verify each other. In the case that human interaction is
required, an impromptu type of two-factor authentication can be used. Through a mobile
application associated with their device the human interaction could be verified by the user so
A decision trigger, in short, is the final piece of information that initiates the desired
response. I feel that the chief prospect for security improvement lies in the coding of the software
that comprises the decision trigger. Coding the trigger with if-then type language that has a very
deep set of parameters that must be met would strengthen the security. If the list of parameters
that must be met before a response is authorized is lengthy and very specific, it makes it that
Cost
Cost is always a determining factor in the design of any product and the IoT is no
exception. Any company that adheres to the recommendations that I have made will incur some
associated costs. For instance, the development of the mobile application that I mentioned for
two-factor authentication would cost anywhere from $200,000 to one million dollars to develop. The
adoption of encrypted communication would most likely allot for a similar expense, possibly
more. Partnering with a software company such as Microsoft would be costly with the value
costly but the potential of name recognition may be attractive for a relatively lesser known IoT
manufacturer. The rise in hardware costs to bring some of these innovations to reality would be
negligible in comparison to software and protocol upgrade costs. Designing a new IoT device from
the ground up with the recommended upgrades may cost as much as $4-5 million for a simple
I feel that costs associated with upgrades to the devices will be potentially offset by other
factors. The strength and reliability of processors used in IoT devices has risen exponentially.
This rise in capabilities is in direct contrast to cost; the prices of the chip sets used in these
products have declined by about 25 percent per year (Harold Bauer, 2014).
manufacturing processes should not be altered very much. The personnel needed for the actual
production differences will be light. The added labor will come in partnerships with software
companies or the decision to develop the software in house. The in-house option will require the
addition of software developers and a seasoned veteran developer to oversee development. The
average software developer earns $85,000 per year and the lead developer would earn
on average $116,000 per year. These salary costs and hiring expenses would be the bulk of the
Evaluation System
It is my belief that the evaluation system would be primarily the market itself. Quality
control practices and functionality tests would need to be done but the majority of flaws are
found after the product sees normal wear and tear. It is impossible to realize all security
weaknesses until the product is put into the wild. Testing to minimize the problems will retain
customer loyalty but the consumer is the final testbed for any new product. As long as the
problems are minimized and prompt action is taken in mediating those problems, the customer
Benefits
The benefits of increased security enhancements are immeasurable, to the company and
the customer. As the market realizes that upgraded security will benefit consumers in ways
they were not aware of, the first to market will profit immensely. Security can become a
selling point instead of an afterthought. The companies benefit from higher customer satisfaction
and retention, increasing profits. These profit increases will quickly offset costs in development
and the minimally longer product development time windows. I feel that there will be benefits
that cannot even be foreseen as satisfied customers lean on trusted companies for new products.
A consumer base that is extremely happy with one product will be incalculably more receptive to
Conclusion
Added security benefits are never a bad idea when it comes to consumer electronics, not
to mention the IoT. Companies that are able to offer products that have been developed with
security at the forefront will be received ever more favorably as the consumer continues to be
better educated. Firms selling products that offer complete solutions with security and
convenience as marketing tools will see infinite profit. Opportunities to expand the product
portfolio will become reality for companies that have made security a priority; consumers will
notice. Costs associated with this practice will be offset by the increase in sales and opportunities
for expansion. In my eyes, it is a winning situation for IoT companies and the consumers that
References
anonymous, Insurance Information Institute. (2017, February). Identity Theft and Cybercrime. Retrieved from www.iii.org: http://www.iii.org/fact-statistic/identity-theft-and-cybercrime
Brandon, J. (2016, June 1). Security concerns rising for Internet of Things devices. Retrieved from www.csoonline.com: http://www.csoonline.com/article/3077537/internet-of-things/security-concerns-rising-for-internet-of-things-devices.html
Columbus, L. (2016, November 27). Roundup Of Internet Of Things Forecasts And Market Estimates, 2016. Retrieved from www.forbes.com: https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#1361ec44292d
Harold Bauer, M. P. (2014, December). The Internet of Things: Sizing up the Opportunity. Retrieved from www.mckinsey.com: http://www.mckinsey.com/industries/semiconductors/our-insights/the-internet-of-things-sizing-up-the-opportunity
Klubnikin, A. (2016, October 21). Internet of Things: How Much Does It Cost to Build IoT Solutions? Retrieved from www.r-stylelab.com: http://r-stylelab.com/company/blog/iot/internet-of-things-how-much-does-it-cost-to-build-iot-solution
unidentified, Javelin Strategy and Research. (2017, February 1). 2017 Identity Fraud Study. Retrieved from www.javelinstrategy.com: https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new