Issue link: https://resources.mouser.com/i/1516547
19 IoT Device Security: Built-In, Not Bolt-On The 10 Security Factors Every Device Designer Should Consider The Rising Tide of Security Threats Limited only by designers' imaginations, the Internet of Things (IoT) is changing how people live. From medical devices and fitness trackers to tank sensors, smart thermostats, intelligent streetlights, water monitors, and more, the IoT is in more places than ever. However, by relying on wireless networks, those hundreds of millions of IoT devices present a greater "attack surface," making them tempting frontline targets for competitors, hackers, disgruntled employees, and other bad actors. Unfortunately, the tools and techniques we've applied to PC/ smartphone platforms often don't work well in the IoT, for several reasons: RESOURCE LIMITATIONS Small-footprint IoT devices typically have far less battery power, processing speed and memory. They lack the power and sophis- tication required to support traditional security measures. DATA COMPLACENCY Many companies view the data in their IoT networks as mundane and having little intrinsic value outside the organization. But many breaches are motivated by other factors, such as competitive advantage, social status, or revenge. The data isn't the goal – the hack is. AVAILABILITY OF TOOLS The tools and expertise to analyze and modify embedded/ IoT devices are widely available – even to hobbyists. NO PHYSICAL ACCESS REQUIRED One of the advantages of the IoT is that devices can be remotely configured/upgraded without the need for dispatching a truck. However, thanks to wireless connections, hackers don't need physical access to devices such as USB or other I/O ports. INTERFACE DIFFERENCES Embedded devices have no GUIs, and error messages can be as basic as a coded series of beeps or flashing lights. This is particularly true for security status and control functions allowing for security alarms to be overlooked. HARDWIRED PORTS These provide unfortunate opportunities for compromise. IoT solutions can't simply implement a strong password over a TLS connection – the most common approach for PC/Internet applications. IoT solutions need a different approach, and the effort required to identify and mitigate unique security risks in embedded systems is often underestimated, if not overlooked entirely. Thanks to wireless connections, hackers don't need physical access to devices such as USB outlets or network ports. But the risks of this rising tide of security threats are significant. Beyond reputational damage, competitive threats, eroding customer confidence, and safety challenges, regulators are paying increasing attention as well. For instance, security breaches that violate HIPAA regulations can lead to fines of $50,000 per violation. Credit card processors that fail to comply with the PCI DSS standard may be fined up to $100,000 per violation. Distributed Denial of Service (DDoS) attacks are becoming more and more prevalent. These attacks may not necessarily be targeted at the average IoT edge device but a hijacking of a connected IoT edge device may be used to create a 'BotNet', a group of hijacked devices working together to work in unison to attack a central point on the IoT network or an external server/computer outside of the local network. Even if these attacks are not targeted at the local IoT network, they still pose multiple problems by preventing regular IoT work to take place or even simply draining the battery on a mobile IoT edge device creating maintenance cost for the administrators leaving them wondering why the battery didn't last longer. Four Types Of Security Threats That Disrupt IoT Devices Confidentiality of Service Data Integrity Availability 1 2 3 4 Security is a Balance Between Economic Cost and Benefit Given enough time, money and expertise any system can be hacked, so it is important to design a system to deter an attacker by making it uneconomic (i.e. the cost or effort of an attack far outweighs any benefit to an attacker). Types of attacks can be classified in terms of investment, the type of attacker and equipment used. These range from: EXPENSIVE INVASIVE ATTACKS (such as reverse engineering, or sophisticated micro-probing a chip) To lower cost: PASSIVE SOFTWARE ATTACKS (exploiting unintentional security vulnerabilities in the code) COMMUNICATION ATTACKS (e.g. exploiting weaknesses in the internet protocols, crypto or key handling) Security is always a balance between economic cost and benefit, dependent upon the value of assets on the one hand and the cost of security features on the other.