
IOT Security


Security of IOT

IOT security.

 IoT devices are being deployed into networks at a phenomenal rate, up to 1 million devices
each day. 
 While IoT solutions are enabling new and exciting ways to improve efficiency, flexibility,
and productivity, they also bring a new risk to the network. Frequently designed without
security, IoT devices have become a new threat vector for bad actors to use when
launching attacks. One of the biggest concerns in IoT is making sure networks, data
and devices are secure.
 IoT devices are small in scale and there is a large number of them, so regular
security updates and security mechanisms are often lacking.
IOT Security Issues
 Unfortunately, many IoT devices are not designed with security in mind. In many cases, these devices
lack the processing power and storage capabilities to support the installation of additional security on the
device itself, which means that companies and users cannot protect the endpoint beyond the existing
security features. Instead, organizations must rely on network security capabilities to prevent attacks, as
well as detect and remediate threats as they arise.
 Even those devices that support the installation of additional security measures may not be compatible
with the company’s existing cybersecurity tool set. Disparate operating systems and a variety of
hardware almost guarantee that the organization will not be able to protect all connected devices using
the same tools, policies and procedures.
 Further, IoT devices, like traditional endpoints, require patching and OS updates. The sheer number of
connected devices makes it difficult for organizations to manage this activity, especially if the devices
are owned by employees.
 Finally, connected devices may not require strong password practices — a point that is compounded by
the fact that many people underestimate the risk posed by non-traditional connected devices.
IOT Security.

 Threat to users.
1) Data Theft.
IoT devices contain vast amounts of data that is unique to individual users,
including online browsing/purchase records, credit card details and personal health
information. An improperly secured device leaves this data vulnerable to theft.
2) Physical Harm.
IoT devices are commonplace in the medical industry, including pacemakers, heart monitors and
defibrillators. Doctors can fine-tune these devices remotely, so there is a high chance
that other people could tamper with the devices.

 Threat to others.
IoT devices are vulnerable to being hijacked and used in a botnet, a collection of
malware-infected, internet-connected devices.
Discovering unprotected devices is not difficult and can be easily achieved by running widely
available scripts or tools. This is best exemplified by the existence of Shodan, a publicly
available search engine made for the discovery of such devices.
Vulnerabilities and security issues.

 Unpatched vulnerabilities.
Connectivity issues or the need for end-users to manually download updates directly from
a C&C center often result in devices running on outdated software, leaving them open to
newly discovered security vulnerabilities.

 Weak authentication.
Manufacturers often release IoT devices (e.g., home routers) containing easily
decipherable passwords, which might be left in place by vendors and end-users. When left
open to remote access, these devices become easy prey for attackers running automated scripts
for bulk exploitation.

 Vulnerable APIs – As a gateway to a C&C center, APIs are commonly targeted by a
variety of threats, including Man in the Middle (MITM), code injections (e.g., SQLI), and
distributed denial of service (DDoS) assaults.
How to put the S (for security) into
IOT development.
Authenticate all Services.

 IoT systems deal with both end-user communication and machine-to-machine (M2M) communication.
 End-user authentication can be done with a username/password, a certificate, or two-factor authentication.
Machine-to-machine authentication requires a public key infrastructure and certificates that are
deployed to each device within a system.
 In many IOT devices, there is no console.
 Authentication is a model for building trust in the identity of IoT machines and devices to
protect data and control access when information travels via an unsecured network such as the
Internet. 
 Strong IoT authentication is needed so that connected IoT devices and machines can be trusted to
protect against control commands from unauthorized users or devices. 
 Authentication also helps prevent attackers from claiming to be IoT devices in the hope of accessing
data on servers such as recorded conversations, images, and other potentially sensitive information. 
IOT Authentication.

 One-way authentication: in the case where two parties wish to communicate with each
other, only one party will authenticate itself to the other, while the other party will not be
authenticated.
 Two-way authentication: is also referred to as mutual authentication, in which both
entities authenticate each other. 
 Three-way authentication: is where the central authority authenticates the two parties and
helps them to authenticate each other. 
 Distributed: using a distributed straight authentication method between the parties to the
communication. 
 Centralized: using a centralized server or a trusted third party to distribute and manage the
authentication certificates used. 
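The difference between one-way and two-way authentication, as an added Go example that is not part of the original slides: each party proves possession of its private key by signing the peer's fresh challenge. The Party type, the role strings and the pre-trusted public keys (standing in for PKI-issued certificates) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one endpoint: its own private key plus the peer public key it trusts.
// In a PKI the trusted key would come from a validated certificate (assumption).
type Party struct {
	Role string
	Priv ed25519.PrivateKey
	Peer ed25519.PublicKey
}

// transcript binds the signer's role to both nonces, so a proof cannot be
// replayed in a later session or reflected back at the party that sent it.
func transcript(role string, challenge, own []byte) []byte {
	return append(append([]byte(role+"|"), challenge...), own...)
}

// Prove signs the challenge received from the peer together with our own nonce.
func (p Party) Prove(challenge, own []byte) []byte {
	return ed25519.Sign(p.Priv, transcript(p.Role, challenge, own))
}

// Check verifies the peer's proof over the challenge this party issued.
func (p Party) Check(peerRole string, issued, peerNonce, proof []byte) bool {
	return ed25519.Verify(p.Peer, transcript(peerRole, issued, peerNonce), proof)
}

// Handshake runs both directions and reports what each side concluded.
func Handshake(device, server Party) (serverTrustsDevice, deviceTrustsServer bool) {
	ns, nd := make([]byte, 16), make([]byte, 16) // one fresh challenge per side
	rand.Read(ns)
	rand.Read(nd)
	serverTrustsDevice = server.Check(device.Role, ns, nd, device.Prove(ns, nd))
	deviceTrustsServer = device.Check(server.Role, nd, ns, server.Prove(nd, ns))
	return
}

func main() {
	dPub, dPriv, _ := ed25519.GenerateKey(nil) // constructed throwaway keys
	sPub, sPriv, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil)
	device := Party{"device", dPriv, sPub}
	fmt.Println(Handshake(device, Party{"server", sPriv, dPub})) // true true
	fmt.Println(Handshake(device, Party{"server", rogue, dPub})) // true false
}
```

With one-way authentication only the first result would be computed, so the device in the second call would keep talking to a server it has no reason to trust.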
Encrypt data with the industry standards.

 IoT devices deal with data. Data must be protected as it travels from the device, across
the internet and into the cloud.
 It is best to use industry-standard, peer-reviewed cryptographic functions.
 Encryption Standards.
1) DES standard
 The Data Encryption Standard (DES) is a symmetric-key block cipher.
 DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure. The block
size is 64 bits. Though the key length is 64 bits, DES has an effective key length of 56 bits,
since 8 of the 64 bits of the key are not used by the encryption algorithm.

 2) AES is an iterative rather than Feistel cipher. It is based on a ‘substitution–permutation
network’. It comprises a series of linked operations, some of which involve replacing
inputs by specific outputs (substitutions) and others involve shuffling bits around
(permutations).
 Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES
treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four
columns and four rows for processing as a matrix.
Implement built in security

 As IoT devices continue to expand, the amount of data they contain also expands, which
makes built-in security very important.
 IoT development must therefore embrace security and security user stories, and understand
encryption and how it is utilized.
 Open source software needs to be tracked and regularly updated.
Secure automatic over-the-air updates to
patch devices.
 A secure update mechanism is one that receives a cryptographically signed update from the
vendor and checks the signature of update to ensure that it is valid.
 Over-the-air (OTA) firmware updates refer to the practice of remotely updating the code on an embedded
device. The embedded hardware must be built with OTA functionality for this mechanism to work.
 OTA Firmware Benefits
 Bugs and product behavior can be continuously improved even after the device is in the hands of
your consumers.
 Companies can test new features by sending updates to one or multiple devices.
 Companies can save costs by managing the firmware across their fleet of devices from a seamless,
unified interface.
 Developers can deploy frequently and reliably, knowing that products will stay functional as
updates are released.
 OTA firmware augments scalability by adding new features and infrastructure to products after
they are released.
Manage and Update the open source software.

 Open-source software suffers from vulnerabilities at the same rate as custom-written code.
 The challenge with open-source software is that many developers use it in projects and then
experience amnesia when it comes to updating it.
 With a larger set of devices, we need to access and update the software that runs on the
devices.
 Types of Attacks in IOT
BotNet.

 A botnet is a network that combines a number of internet-connected devices, each running one
or more bots.
 Cyber criminals control botnets using command and control servers to steal data, send
spam and phishing messages, and give the attacker access to a particular system.
 E.g. the Mirai botnet.
 IoT devices are connected to the internet and also to laptops, computers and
wearable devices, so attackers can use these devices to easily gain access to the main devices.
Social Engineering.

 Social engineering is the term used for a broad range of malicious activities accomplished through
human-computer interaction.
 Social engineering attack techniques.
Baiting.
Like a real-world Trojan horse, baiting uses physical media and relies on the curiosity or greed of
the victim.
Scareware.
Involves victims being bombarded with false alarms and fictitious threats.
E.g. victims are told that their systems are infected with malware and are pushed to install software that has no real benefit.
Advanced persistent threats.

 An intruder gains access to the network and stays undetected for a long period of time.
Attackers aim to monitor network activity and steal crucial data using advanced persistent
threats.
 IoT systems have large amounts of critical data transferred between several devices.
 An advanced persistent threat (APT) is a covert cyber attack on a computer network where
the attacker gains and maintains unauthorized access to the targeted network and remains
undetected for a significant period. During the time between infection and remediation the
hacker will often monitor, intercept, and relay information and sensitive data. The intention
of an APT is to exfiltrate or steal data rather than cause a network outage, denial of
service or infect systems with malware.
Ransomware

 A hacker uses malware to encrypt data that may be required for business operations.
 Ransomware can be one of the most sophisticated IoT security threats.
 Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to
encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker
for the victim, with the private key to decrypt the files stored on the attacker’s server. The
attacker makes the private key available to the victim only after the ransom is paid, though as
seen in recent ransomware campaigns, that is not always the case. Without access to the
private key, it is nearly impossible to decrypt the files that are being held for ransom.
 Many variations of ransomware exist. Often ransomware (and other malware) is distributed
using email spam campaigns or through targeted attacks. Malware needs an attack vector to
establish its presence on an endpoint. After presence is established, malware stays on the
system until its task is accomplished.
Denial of service.

 A denial-of-service attack deliberately tries to cause a capacity overload in the target system by sending multiple
requests.
 Unlike phishing and brute-force attacks, attackers who carry out denial of service
don’t aim to steal critical data.
Man in the Middle Attack.

 A hacker breaches the communication channel between two individual systems in an attempt to
intercept messages between them. Attackers gain control over their communication and send
illegitimate messages to the participating things.
 Such attacks can be used to hack IoT devices such as smart refrigerators and autonomous
vehicles.
IOT security Best practices

 Private users.
 Staying up to date with all patching and OS updates required by the connected device.
 Using strong password practices for all connected devices.
 Enabling multi-factor authentication whenever possible.
 Routinely taking inventory of your connected devices and disabling any items that are not
used regularly.
IOT security Best practices

 Developing and implementing an IoT device policy that outlines how employees can register and use
a personal device, as well as how the organization will monitor, inspect and manage those devices to
maintain the organization’s digital security.
 Compiling and maintaining a master list of all IoT devices — both those owned by the organization
and those owned by employees — to better understand the attack surface and the security measures
needed to maintain a safe environment.
 Consider implementing a cloud access security broker (CASB) to serve as a security check point
between cloud network users and cloud-based applications to manage and enforce all data security
policies and practices including authentication, authorization, alerts and encryption.
 Monitoring all network devices and taking immediate action if and when any devices show signs of
compromise.
 Encrypting all data being transmitted to and from connected devices from its original format to an
alternative.


Thank You.

 Q & A.
