Security in the age of IoT
The original version of this article was published in Network Security Magazine's August 2019 edition and has been edited for brevity.
The impending IoT revolution poses a number of privacy concerns. The future network will have more connections between devices than between people, linking up everything from the mundane, such as refrigerator sensors, to the critical, such as emergency response services. Networks have slowly shifted away from voice and towards data. The explosive growth of IoT will test the limits of both bandwidth and security.
Different devices have varying demands in terms of the volume and complexity of data, as well as importance. When systems are congested, a way of prioritizing the urgency of some data (medical devices for example) over others will be paramount, unless efficient service can be guaranteed consistently. The double-edged sword of data privacy is also of concern. While data has great commercial purpose, a breach can provide criminals with a wealth of logistical and personal information, which may be detrimental to businesses as well as individual users. The potential to mine sensitive data is also amplified in a complex IoT network.
Static sensors, many in remote locations, are an easy target for interception and denial-of-service attacks, which is even more worrisome when the sensors serve critical operations such as controlling reservoir volumes. IoT also carries the unique risk that connected SIMs are roaming and therefore, despite improved connectivity, experience a delay between the point of activity and the point of reporting.
Lifecycle management is often overlooked, allowing many devices to remain stuck with outdated security software. Even a vulnerable smart toaster poses a fire hazard if correctly hacked. Manufacturers may be tempted to cut corners by equipping devices with inexpensive (and therefore vulnerable) sensor and monitor applications, despite a robust software platform. End-of-life management presents a challenge, as SIM cards from devices no longer in use should also be recycled to avoid being put into unsuitable applications at great expense. Finally, changing ownership of devices such as used cars, which carry the owner’s history, presents a data protection conundrum.
Because sufficient security was not initially built into networks, these problems have been addressed less efficiently, and only after they have been demonstrated. As most networks include both old and new systems, IoT devices will likely be deployed on the older and less secure networks. Signalling firewalls are necessary to protect against the vulnerabilities present in current SS7 networks, and enhanced firewalls will be necessary for IoT communications. A firewall can be considered effective if it is able to inhibit denial of service, IoT SIM fraud and misuse, communication interception, and IoT device tracking.
Collective action among networks, manufacturers, industry associations, security experts, and regulating bodies is critical to allow IoT to thrive without becoming a risk. This requires honesty and diligence on the part of manufacturers. Enterprises work closely with security experts to guarantee a minimum level of embedded network security and ensure protection against malicious attack. Specifications for IoT communication platforms should include a handshake for every session. Industry associations must demand a gold standard in IoT security to ensure cellular technology’s future. Finally, governments and regulators must be committed to maintaining control and security of telecom networks should the industry in any way fail to effectively regulate itself, or should they leave networks, operators, and users open to risk. This is accomplished by instituting and enforcing minimum security requirements.
The looming prospect of this scale of connected devices is exciting, but we must mitigate the inherent risks or the entire industry may suffer significantly. Success will come about by careful and constant vigilance as well as a concerted effort to employ effective security measures at every stage of development.