This issue was re-actualized enormously in 2022, so it will be relevant in 2023 as well. Who could have missed the crisis in Ukraine? A war that completely changed our perceptions of what to expect from other nations? IoT security has been and continues to be a significant issue.
Traditional cybersecurity often focuses heavily on software, cloud services and networks. IoT security expands the scope. It is a world of new scenarios. Many devices are created by start-ups, with data being sent to god knows where. Devices with firmware that sometimes do not perform or meet the expected level of protection of data being sent. So let us look at the risks, well, some of them.
Why is IoT security hard to grasp?
Traditionally, a security solution in the form of a VPN service is an excellent first step for any network connection. VPN is usually enough when you send data between two known instances. In the IoT context, this translates to end-to-end encryption. But how many people are aware of what encryption the wireless temperature sensor has? Or even knows who hosts the server where data is stored? Where is the data sent? To a cloud platform, most likely. Is that the only data end-point? Is data transmitted to another system as well or shared with others? Even a basic temperature value from a wireless sensor can indicate when people are at home and work. Together with other data points, it can tell much about your habits.
What hinders IoT-security?
IoT is an incredibly growing market. However, IoT security is held back by multiple factors and trade-offs. Here are a few:
a) battery life
If by IoT we mean sensors, sensors that are expected to be sold in large volumes at the lowest possible price and preferably last at least 20 years on a battery, then we have reached a design dead-end. Too long a battery life automatically means that, more often than you think, you compromise on security. It means we can’t have end-to-end encrypted transmission, for example, because that reduces battery life.
b) low-price firmware
A product that is priced low often has firmware with qualities that match the price. And even if the software in the device is OK, it is hampered by processing power and storage space.
c) shaky world
A team may have developed the firmware or hardware spread over large parts of the world. Geographical distance usually is OK, but wars and conflicts worldwide have isolated teams. I have had several close contacts who realize that their developers in Russia, or even manufacturers, are now isolated and can not deliver to Europe.
d) fast to market
Another factor is that development time costs, so it has to happen fast. This means that launching a solution quickly is more important than having a balanced and tested ecosystem.
e) security sells less
Great design and ease of use sell more than security. It’s the recipe to generate profit and impact quickly. Safety is still as attractive as a Volvo 240 with beige plush upholstery. But that should be where we start looking.
f) firmware updates
You expect ten years of battery life, but you do not have a plan for how to update the firmware to the latest version for that period. A better trade-off is a few years less battery life and the possibility to update the firmware over the air. Explore your device’s or wireless technology’s limitations and ensure the firmware can be updated.
The best technologies
It can be challenging to form a picture of security and all the elements of an IoT ecosystem. But here are some tips.
Create a separate or guest network if you have devices connecting to a wireless WiFi network. It would help if you had this on a so-called DMZ in your network, i.e. a network outside your regular network. On this network, you will gather all your IoT devices, but they can only reach each other and nothing else on your network. I have special IoT networks for my surveillance cameras, among other things, these go through an access point that I turn off when I’m at home, so they can’t send data on then.
If you use mobile networks, don´t just trust the encryption in 4G. Even though 5G is better, you should also use end-to-end encryption. Your device should have an encrypted transmission of its data package to the receiving device. If your device does not support this, you should choose your own APN from your operator. Then your traffic is not out on the internet. But you will have to connect to the operator’s network with a VPN tunnel to see the link as private.
LoRaWAN is popular but has less security than cellular networks. 4G/5G devices have a SIM card, a secure element that LoRaWAN devices lack. The SIM card makes the extraction of cryptographic data much more difficult. There are many LoRaWAN devices on the market and an extensive ecosystem, but the devices are cheap. As a result, the most critical weakness of LoRaWAN is the end devices.
In many cases, for cost reasons, they have no secure element, not a secure component in the devices that stores cryptographic information like the encryption keys in a secure way. An attacker could extract the secret keys or flash the device with compromised firmware. I do not recommend against LoRaWAN; it has decent security, but be aware of the limitations (and understand that firmware updates with LoRaWAN are next to impossible).
Connecting to the corporate network
Suppose you don’t have complete control over the IoT devices in your ecosystem and doubt that you can maintain security. In that case, you should limit their ability to connect to your corporate network or initiate corporate network connections. Restrict access and use firewalls and access control rules.
Install all patches as they become available. Check the manufacturer’s website regularly (OK, the wrong word, because once every five years is also regular), at least once a month, and download and install the available updates. Find out why if there are no patches or the software is not updated.
Choose a unique, complex and lengthy password for your devices with an admin interface. Theoldmanwalkedonabridge is a better password than ABC123. Change your password and use strong, long passwords. Change often.
Known security risks
Google your device. Keep an eye on forums; if devices are hit by breaches or security threats, it’s important to stay up to date.
Simple, essential things may seem. Suppose you are going to do one of the things above. Choosing a device with end-to-end encryption would be my first choice. To ensure data integrity, you should be very careful and only trust end-to-end encryption with powerful security certificates.