Internet of Things (IoT)
It is a system of interrelated computing devices, objects, animals or people that have a unique identifier (UID) and the ability to transfer data over a network without the need for person-to-person or person-to-computer interaction.
History of IoT
The term of IoT was coined by Kevin Ashton in 1999 during his work at Procter & Gamble. Ashton who was working in supply chain optimization, wanted to attract senior management’s attention to a new exciting technology called RFID, but the internet was the hottest new trend in this year and because it somehow made sense, he called his presentation “Intenet of Things”.
Even though Kevin grabbed the interest of some P&G executives, the term IoT did not get widespread attention for the next ten years.
IoT takes off
The concept of IoT started to gain some popularity in the summer of 2010. Information leaked that Google´s StreetView service had not only made 360 degree pictures but had also stored tons of data of people´s wifi networks. People were debating whether this was the start of a new Google strategy to not only index the internet but also index the physical world.
In 2011, Gartner, the market research company that invented the famous “hype-cycle for emerging technologies” included a new emerging phenomenon on their list: “The Internet of Things”.
The next year the theme of Europe’s biggest intenet conference LeWeb was “Internet of Things”. At the same time popular tech-focused magazines like Forbes, Fast Company, and Wired starting using IoT as their vocabulary to describe the phenomenon.
In October of 2013, IDC published a report stating that the IoT would be a $8.9 trillion market in 2020.
The term IoT reached mass market awareness when in January 2014 Google announced to by Nest for $3.2bn. At the same time the Consumer Electronics Show (CES) in Las Vegas was held under the theme of IoT.
The above graph shows impressively how the term “Internet of Things” has outgrown all other related concept in popularity.
How does IoT works?
A typical IoT system works by collecting and exchanging data in real time. An IoT system has three components:
Smart devices
This is a device that has been given computing capabilities. It collects data from its environment, user inputs or usage patterns and communicates data over the internet to and from its IoT application.
IoT application
An IoT application is a collection of services and software that integrates data received from various IoT devices. It uses machine learning or artificial intelligence (AI) technology to analyze this data and make informed decitions. These decitions are communicated back to IoT device and this last then respond intelligently to inputs.
A graphical user interface
The IoT device or fleet of devices can be managed through a graphical user interface (GUI). Common example include a mobile applications or website that can be used to register and control smart devices.
What are examples of IoT devices?
Let´s look at some examples of IoT systems use today:
Connected cars
There are many ways vehicles, such as cars, can be connected to the internet. It can be through smart dashcams, infotainment systems, or even the vehicle’s connected gateway. They collect data from the accelator, brakes, speedometer, odometer, wheels, and fuel tanks to monitor both driver performance and vehicle health. Connected cars have a range od uses:
- Monitoring rental car fleets to increase fuel efficiency and reduce cost.
- Helping parents track the driving behavior of their children.
- Notifying friends and family automatically in case of a car crash.
- Predicting and preventing vehicle maintenance needs.
Connected homes
Smart home devices are mainly focuses on improving the efficiency and safety of the house, as well as improving home networking. Devices like smart outlets monitor electricity usage and smart thermostats provide better temperature control. Hydroponic system can use IoT sensor to manage the garden while IoT smoke detectors can detect tobacco smoke. Home security system like door locks, security cameras, and prevent threats, and send alerts to homeowners.
Connected devices for the home can be used for:
- Automatically turning off devices not being used.
- Rental property management and maintenance.
- Finding misplaced items like keys or wallets.
- Automating daily task like vacuuming, making coffee, etc.
Smart cities
IoT applications have made urban planning and infrastructure maintenance more efficient. Governments are using IoT applications to tackle problems in infrastructure, health, and the environment. IoT applications can be used for:
- Measuring air quality and radiation levels.
- Reducing energy bills with smart lighting system.
- Detecting maintenance needs for critical infrastructures such as streets, bridges, and pipelines.
- Increasing profits through efficient parking management.
Smart buildings
Buildings such as college campuses and commercial buildings use IoT applications to drive greater operational efficiencies. IoT devices can be use in smart buildings for:
- Reducing energy consumption.
- Lowering maintenance cost.
- Utilizing work spaces more efficiently.
The Most Important Security Problems with IoT Devices.
The security of IoT devices has been a cause for concern for some time and has had the inevitable consequence of allowing both small- and large-scale attacks. Most of these attacks originate from simple security problems, for example, the retention of default passwords on a telnet service. The Dutch Radio Communications Agency wants to impose security requirements on IoT devices and their manufacturers, and asked our facility, Eurofins Cyber Security in the Netherlands for advice.
Incorrect access control
Services offered by an IoT devices should only be accessible by the owner and the people in their immediate environment whom they trust. However, this is often insufficiently enforced by the security system of a device.
IoT devices may trust the local network to such level that no further authentication or authorisation is required. Any other device that is connected to the same network is also trusted. This is especially a problem when the device is connected to the Internet: everyone in the world can now potentially access the functionality offered by the device.
Overly large attack surface
Each connection that can be made to a system provides a new set of opportunities for an attacker to discover and exploit vulnerabilities. The more services a device offers over the Internet, the more services can be attacked. This is known as the attack surface. Reducing the attack surface is one of the first steps in the process of securing a system.
A device may have open ports with services running that are not strictly required for operation. An attack against such an unnecessary service could easily be prevented by not exposing the service. Services such as Telnet, SSH or a debug interface may play an important role during development but are rarely necessary in production.
Outdated software
As vulnerabilities in software are discovered and resolved, it is important to distribute the updated version to protect against the vulnerability. This means that IoT devices must ship with up-to-date software without any known vulnerabilities, and that they must have update functionality to patch any vulnerabilities that become known after the deployment of the device.
For example, the malware Linux.Darlloz was first discovered late 2013 and worked by exploiting a bug reported and fixed more than a year earlier.
Lack of encryption
Even when data is encrypted, weaknesses may be present if the encryption is not complete or configured incorrectly. For example, a device may fail to verify the authenticity of the other party. Even though the connection is encrypted, it can be intercepted
Application vulnerabilities
Like all software bugs, security vulnerabilities are impossible to avoid completely when developing software. However, there are methods to avoid well-known vulnerabilities or reduce the possibility of vulnerabilities. This includes best practices to avoid application vulnerabilities, such as consistently performing input validation.
Lack of Trusted Execution Environment
Most IoT devices are effectively general-purpose computers that can run specific software. This makes it possible for attackers to install their own software that has functionality that is not part of the normal functioning of the device. For example, an attacker may install software that performs a DDoS attack. By limiting the functionality of the device and the software it can run, the possibilities to abuse the device are limited. For example, the device can be restricted to connect only to the vendor’s cloud service. This restriction would make it ineffective in a DDoS attack since it can no longer connect to arbitrary target hosts
Insufficient privacy protection
Consumer devices typically store sensitive information. Devices that are deployed on a wireless network store the password of that network. Cameras can provide a video and audio recording of the home in which they are deployed. If this information were accessed by attackers, it would amount to a severe privacy violation.
IoT devices and related services should handle sensitive information correctly, securely, and only after consent of the end-user of the device. This applies to both storage and distribution of sensitive information.
In case of privacy protection, the vendor plays an important role. Other than an external attacker, the vendor or an affiliated party may be responsible for a privacy breach. The vendor or service provider of an IoT device could, without explicit consent, gather information on consumer behaviour for purposes like market research. Several cases are known where IoT devices, for instance smart televisions, may be listening in on conversations within a household.
Intrusion ignorance
When a device is compromised, it often keeps functioning normally from the viewpoint of the user. Any additional bandwidth or power usage is usually not detected. Most devices do not have logging or alerting functionality to notify the user of any security problems. If they have, these can be overwritten or disabled when the device is hacked. The result is that users rarely discover that their device is under attack or has been compromised, preventing them from taking mitigating measures.
Insufficient physical security
If attackers have physical access to a device, they can open the device and attack the hardware. For example, by reading the contents of the memory components directly, any protecting software can be bypassed. Furthermore, the device may have debugging contacts, accessible after opening up the device, that provide an attacker with additional possibilities.
Physical attacks have an impact on a single device and require physical interaction. Since it not possible to perform these attacks en-masse from the Internet, we do not recognize this as one of the biggest security problems, but it is nevertheless included.
A physical attack can be impactful if it uncovers a device key that is shared amongst all devices of the same model, and thus compromises a wide range of devices. However, in that case we consider sharing the key amongst all devices to be the more important problem, not physical security.