IoT security flaws are being found almost every day, and, overall, Internet of Things security is sorely lacking, from having many more devices to attack to consumers not updating their devices as frequently as they should. Recently, researchers from the University of Michigan and Stony Brook University published their research in a paper entitled “Internet of Things Security Research: A Rehash of Old Ideas or New Intellectual Challenges?”
In this paper, they discuss how building security into the new computing paradigm, which includes devices such as wearables and cars, is challenging, asking the questions: “What are the security problems in IoT that we can solve using existing security principles? And, what are the new problems and challenges in this space that require new security mechanisms?”
This IoT security research delves into the important questions that we need to discuss in order to find and eradicate IoT security flaws, especially since IoT devices are consistently growing in use. There are many similarities between classic information technology security research and IoT security research, but there are also important differences between the way these fields should be researched and applied.
Essentially, this paper looks into how we can apply currently known security techniques to fix IoT security flaws, and when we need a different approach to ensure safety.
How are similarities and differences classified?
The researchers followed the standard computing stack in determining both similarities and differences. This includes hardware, system software, network, and application layer. They explained how the Internet of Things computing stack is structured similarly:
“At the lowest layer we have devices that can sense and effect physical change in the environment; at the next layer we have IoT platforms that are software systems that aggregate multiple devices and controlling software to perform useful tasks; next, we have various connectivity/network protocols that enable software and physical devices to communicate with each other; and finally, we have the application layer running custom code to control physical processes.”
Of course, they didn’t attempt to produce an exhaustive list, but instead focused on the similarities and differences that are most pertinent to security and its research. Mapping the IoT stack onto existing categories and concepts helps to make the research more accessible.
IoT security flaws: Hardware layer
According to the researchers, recent work shows that hardware-level trojans are certainly a possibility with IoT devices. In fact, it was recently demonstrated how “fabrication-time attackers can inject analog components that force a flip-flop, which maintains the processor’s privilege bit, to a target value.”
Hardware-level attacks are a particular concern for IoT devices because they are often manufactured overseas or by third parties.
Luckily, though, there is the possibility that these trojans could be easily discovered in post-fabrication testing because of the relative simplicity of many IoT devices.
Also in relation to hardware, there will likely be numerous challenges related to applying notions of hardware security to IoT systems because of “their limited computational and energy constraints,” which can affect higher-layer security primitives.
For example, the researchers explain that certain IoT devices do not have precise real-time clocks. This makes implementing certain network security protocols that assume their presence more difficult.
Essentially, creating hardware for IoT devices is very similar, but there are more computational and energy limitations to consider at the hardware layer. These limitations can, according to the researchers, “impact security mechanisms at higher layers in the context of the IoT computing paradigm.”
These higher-layer security properties, then, should be designed with the specific IoT device’s limitations in mind.
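The missing-clock problem above, as an added example that is not taken from the paper or the original article: a timestamp-based freshness check rejects a genuine device whose clock has reset, while a challenge-response check needs no device clock at all. The function names, the key, the 300-second skew window and the message layout are all assumptions made for illustration.

```python
# Added illustration; every name and value here is constructed.
import hashlib
import hmac
import secrets

MAX_SKEW = 300  # seconds of clock skew the timestamp scheme tolerates (assumed)

def tag(key, msg):
    """HMAC-SHA256 over msg with the shared device key."""
    return hmac.new(key, msg, hashlib.sha256).digest()

# Scheme A: freshness from timestamps. Both sides need an accurate clock.
def device_msg_timestamp(key, payload, device_clock):
    body = device_clock.to_bytes(8, "big") + payload
    return body + tag(key, body)

def verify_timestamp(key, msg, server_clock):
    body, mac = msg[:-32], msg[-32:]
    if not hmac.compare_digest(mac, tag(key, body)):
        return False
    sent_at = int.from_bytes(body[:8], "big")
    # A device that booted with its clock at 0 fails here despite a valid MAC.
    return abs(server_clock - sent_at) <= MAX_SKEW

# Scheme B: freshness from a verifier-chosen nonce. The device needs no clock.
class Verifier:
    def __init__(self, key):
        self.key = key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, payload, mac):
        if nonce not in self.pending:
            return False  # unknown or already-used nonce: treat as a replay
        self.pending.discard(nonce)
        return hmac.compare_digest(mac, tag(self.key, nonce + payload))

def device_respond(key, nonce, payload):
    """Device side of scheme B: bind the payload to the verifier's nonce."""
    return tag(key, nonce + payload)
```

The trade-off is an extra round trip and per-challenge state on the verifier, which is the kind of cost a constrained device's protocol design has to weigh.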
System software layer
Firmware, operating system code, and any privileged system applications or programming frameworks are included as the system software layer, which helps to establish isolation in the device.
Process isolation, as you may know, helps to ensure that faults in one process don't affect another process on the system, and its guarantees depend on the hardware memory management unit (MMU). Unfortunately, in IoT devices, the MMU often doesn’t exist.
This means that a particular struggle for resource-constrained IoT devices is ensuring process isolation without an MMU. More IoT security research should be done to better understand how to secure these devices.
Access control is another area in which the researchers commonly found IoT security flaws. According to a security analysis of the SmartThings platform, “access control granularity was not appropriately designed, and it led to exploitable overprivilege.”
This stems from the tension between usability and security, similar to mobile operating systems. We must recognize that with IoT devices, the objects of access control are the physical devices themselves, and secure them accordingly.
Another issue within the system software layer is Information Flow Control (IFC). IFC protects sensitive resources even after code has obtained access to them. Yet, the research found that most IoT devices do not use IFC, potentially leading to less secure resources.
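The difference between access control and IFC described above, as an added example that is not taken from the paper or from any real IoT platform: access control is checked once when an app reads a resource, while IFC labels travel with the data and are checked again at every sink. The app, resource, label and sink names and the policy tables are all constructed.

```python
# Added illustration: a minimal IFC model. Every name and value is constructed.
from dataclasses import dataclass

class FlowViolation(Exception):
    """Raised when labelled data reaches a sink not cleared for its labels."""

@dataclass(frozen=True)
class Labeled:
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        # Derived data carries the union of its inputs' labels.
        if isinstance(other, Labeled):
            return Labeled(self.value + other.value, self.labels | other.labels)
        return Labeled(self.value + str(other), self.labels)

    def __radd__(self, other):
        return Labeled(str(other) + self.value, self.labels)

# Constructed device state and policy.
RESOURCES = {"lock_code": Labeled("4921", frozenset({"secret"})),
             "battery": Labeled("87%")}
GRANTS = {"lock_manager_app": {"lock_code", "battery"}}    # access control
SINK_CLEARANCE = {"local_display": frozenset({"secret"}),  # IFC policy
                  "internet": frozenset()}

def read_resource(app, name):
    """Access control: a one-time check at the point of access."""
    if name not in GRANTS.get(app, set()):
        raise PermissionError(f"{app} may not read {name}")
    return RESOURCES[name]

def send(sink, data):
    """IFC: checked at every sink against the labels the data carries."""
    labels = data.labels if isinstance(data, Labeled) else frozenset()
    excess = labels - SINK_CLEARANCE[sink]
    if excess:
        raise FlowViolation(f"{sorted(excess)} data may not flow to {sink}")
    value = data.value if isinstance(data, Labeled) else data
    return f"{sink} <- {value}"
```

With access control alone, the app that was legitimately granted the lock code could forward it anywhere; here the label survives string concatenation, so the flow to the `internet` sink is refused.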
Of course, software updates are another problem that we run into when it comes to IoT devices. Updates can have larger consequences for sensitive places, such as hospitals or factories. The paper cites a particular case where an update had negative consequences — a nuclear reactor was shut down due to a software update.
More than just simply having customers that don’t update their devices as they should, there are other considerations, too, such as the fact that IoT devices can be difficult to physically access or might not even have update channels built into the device.
Therefore, the physical constraints of IoT devices make software updates a new, important consideration for security and IoT security research.
Lastly, some IoT devices do not have classic displays, making authentication and passwords difficult to enforce. The typical concerns with passwords, such as a lack of strength, are similar to those in traditional IT research, with the added usability challenges that come with various IoT devices.
While here we talked primarily about the software layer, as it’s most applicable to the majority of administrators, the paper covers each of the other layers of the computing stack discussed above, citing the differences and similarities between IoT security research and classic IT security research.
As you can see, the IT world still has a lot of work to do to identify IoT security flaws and secure IoT devices as they continue to develop and grow.