Nowadays, billions of connected and smart devices exchange large volumes of data about how we live, work, and play. Therefore, personal information as well as business data already exists in IoT devices and in the cloud.
The good news is that the IoT landscape is slowly adjusting to new demands in cyber security, either from consumers or, for example, regulators. However, we are still far from establishing a completely secure ecosystem. Attackers only need one weak link in the security chain to access a gateway that allows control over information and systems.
Your home may be getting smarter, but it is not getting more secure
In this context, one of the biggest concerns of users of smart technologies is their privacy. Up until today, the greatest danger of unauthorized data access was in information being stolen, erased, or, in the worst case, manipulated. With a network of IoT devices, both the attack surface (the sum of different points in which an attacker can try to enter or extract data) and the opportunities for causing damage are on the rise.
Attackers can manipulate and control software, information, and systems, affecting us in our daily lives. Pacemakers, smart cars, locks; all of them are becoming connected. Attackers only need to find an access point to take control of a system or to access personal data.
The fact remains that the Internet of Things and cyber security are dynamic topics which require users and manufacturers to keep their knowledge updated at all times.
Examples of cyber security vulnerabilities in IoT
Cyber security experts warn that IoT devices pose the largest security risks in our homes and workplaces. Hardcoded passwords, built-in back doors, and more can compromise the safety, privacy, and security of consumers. Some recent examples of cyber security vulnerabilities include:
IP Cameras: Cameras used for, amongst others, home security and baby monitoring had faulty software that let anyone who obtained the camera's IP address look at live recordings – and listen in as well.
Bluetooth Lock: Researchers found that the average Bluetooth lock (2016) uses plain-text passwords that anybody can read. By capturing packets sent between devices using a Bluetooth range-finding setup, the researchers learned that most Bluetooth locks have either no security or very poorly implemented security.
Understanding the new security ecosystem
When IoT manufacturers design a product, their main concerns tend to be the usability, connectivity, and cost of their devices. These aspects are often influenced by security considerations. On the one hand, manufacturers unknowingly provide attackers with a large (and new) attack surface and, on the other hand, they use specific parts with certain limitations due to cost constraints.
All of this makes new devices more vulnerable. An example is a device that cannot be updated or patched over the air. Therefore, security in IoT devices should be taken to a completely new and more professional level. The Internet of Things comprises a complex ecosystem with a combination of parts and technologies (mobile applications, cloud services, wireless protocols, and hardware), each of which has to be secure on its own, but also as a whole when they work together.
The challenge for the market is to design IoT devices that provide their users with protection mechanisms against external attacks. Some IoT security practices that can be of help to manufacturers are:
Encrypting the ecosystem. Devices and communication need to be encrypted in a secure way — using a separate key for each device. This is the best way to repel attackers.
Updating the devices and the ecosystem. Design a platform that provides the ability to install software updates on devices, including security patches. The lack of updating capabilities in the IoT world is a dangerous situation.
Integrating the ecosystem. In most IoT developments, the manufacturer is faced with the problem of having to assemble different components or parts within the same ecosystem; the physical security of the device, the mobile applications, and the web services in the cloud. The manufacturer has to evaluate the system as a whole to make sure that isolated (non-serious) failures do not cause problems when combined in one ecosystem.
Ensuring cloud security. Finally, an essential component of IoT ecosystem security is cloud robustness. Customers need to know that the personal data their IoT devices send to the cloud is properly secured both during transmission and when it is stored.
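The "separate key for each device" practice listed above can be illustrated with key diversification. The following is an added example, not code from the original page: it derives per-device keys from a backend master secret with HKDF (RFC 5869) and shows that a key extracted from one device cannot be used to impersonate another. The device IDs, the salt label, and the sample secret are constructed for illustration, and HMAC authentication stands in for an authenticated cipher because the Python standard library has none; in a real design the derived key would feed an AEAD cipher.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def device_key(master_secret: bytes, device_id: str) -> bytes:
    """Derive a key unique to one device; the master secret stays on the backend."""
    # Salt and info labels are hypothetical names chosen for this example.
    return hkdf_sha256(master_secret, b"fleet-keys-v1", b"device:" + device_id.encode())

def tag_message(key: bytes, device_id: str, seq: int, payload: bytes) -> bytes:
    """Authenticate a message, binding it to the sender ID and a sequence number."""
    msg = device_id.encode() + b"|" + seq.to_bytes(8, "big") + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def backend_verify(master_secret, device_id, seq, payload, tag) -> bool:
    """Re-derive the claimed sender's key and compare tags in constant time."""
    expected = tag_message(device_key(master_secret, device_id), device_id, seq, payload)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    master = bytes(range(32))  # constructed sample secret, not a real key
    key_a = device_key(master, "lock-0001")  # provisioned into device A at manufacture
    genuine = tag_message(key_a, "lock-0001", 7, b"state=locked")
    # Key extracted from device A, reused to claim to be device B:
    forged = tag_message(key_a, "lock-0002", 7, b"state=unlocked")
    return {
        "genuine_accepted": backend_verify(master, "lock-0001", 7, b"state=locked", genuine),
        "forged_accepted": backend_verify(master, "lock-0002", 7, b"state=unlocked", forged),
        "keys_differ": key_a != device_key(master, "lock-0002"),
    }

if __name__ == "__main__":
    print(demo())
```

With a single key shared across the fleet, the forged message would verify; with diversified keys, the damage from one extracted key is limited to that one device.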
Why the DEKRA cyber security team
Our team of cyber security engineers helps manufacturers perform a security evaluation according to the most widely recognized security standards and practices, such as ISO 15408, Common Criteria, and FIPS 140. This gives manufacturers an independent assessment of the security of their IoT devices and their ecosystems.
One of the largest cyber security labs focused on product security evaluations
Solid and experienced team fully dedicated to security evaluations with more than 10 years of experience in Common Criteria certification and penetration testing
We are continuously investing in R&D to discover new vulnerabilities and attack methods
Reputable and experienced in product security evaluations
We help companies that design smart (and secure) devices