
01.03.2018
| News
| Cyber Security
| internet of things, Smart Home, testing, cyber security, safety

IoT security recommendations you need to know

On the way to mobile network 5G
  • Nowadays, billions of connected and smart devices exchange large volumes of data about how we live, work, and play. Therefore, personal information as well as business data already exists in IoT devices and in the cloud.

    The good news is that the IoT landscape is slowly adjusting to new demands in cyber security, either from consumers or, for example, regulators. However, we are still far from establishing a completely secure ecosystem. Attackers only need one weak link in the security chain to access a gateway that allows control over information and systems.

    Your home may be getting smarter, but it is not getting more secure

    In this context, one of the biggest concerns of users of smart technologies is their privacy. Up until today, the greatest danger of unauthorized data access was in information being stolen, erased, or, in the worst case, manipulated. With a network of IoT devices, both the attack surface (the sum of different points in which an attacker can try to enter or extract data) and the opportunities for causing damage are on the rise.

    Attackers can manipulate and control software, information, and systems, affecting us in our daily lives. Pacemakers, smart cars, locks: all of them are becoming connected. Attackers only need to find an access point to take control of a system or to access personal data.

    The fact remains that the Internet of Things and cyber security are dynamic topics which require users and manufacturers to keep their knowledge updated at all times.

    Examples of cyber security vulnerabilities in IoT

    Cyber security experts warn that IoT devices pose the largest security risks in our homes and workplaces. Hardcoded passwords, built-in back doors, and more can compromise the safety, privacy, and security of consumers. Some recent examples of cyber security vulnerabilities include:

    IP Cameras: Cameras used for home security and baby monitoring, among other purposes, had faulty software that let anyone who obtained the camera's IP address look at live recordings – and listen in as well.

    Bluetooth Lock: Researchers found that the average Bluetooth lock (2016) uses plain-text passwords that anybody can read. By capturing packets sent between devices using a Bluetooth range-finding setup, the researchers learned that most Bluetooth locks have either no security or very poorly implemented security.

    Understanding the new security ecosystem

    When IoT manufacturers design a product, their main concerns tend to be the usability, connectivity, and cost of their devices. These aspects are often influenced by security considerations. On the one hand, manufacturers unknowingly provide attackers with a large (and new) attack surface and, on the other hand, they use specific parts with certain limitations due to cost constraints.

    All of this makes new devices more vulnerable. An example is a device that cannot be updated or patched over the air. Therefore, security in IoT devices should be taken to a completely new and more professional level. The Internet of Things comprises a complex ecosystem with a combination of parts and technologies (mobile applications, cloud services, wireless protocols, and hardware), each of which has to be secure on its own, but also as a whole when they work together.

    The challenge for the market is to design IoT devices that provide their users with protection mechanisms against external attacks. Some IoT security practices that can be of help to manufacturers are:

    1. Encrypting the ecosystem. Devices and communication need to be encrypted in a secure way — using a separate key for each device. This is the best way to repel attackers.

    2. Updating the devices and the ecosystem. Design a platform that provides the ability to install software updates on devices, including security patches. The lack of updating capabilities in the IoT world is a dangerous situation.

    3. Integrating the ecosystem. In most IoT developments, the manufacturer is faced with the problem of having to assemble different components or parts within the same ecosystem: the physical security of the device, the mobile applications, and the web services in the cloud. The manufacturer has to evaluate the system as a whole to make sure that isolated (non-serious) failures do not cause problems when combined in one ecosystem.

    4. Ensuring cloud security. Finally, an essential component of IoT ecosystem security is cloud robustness. Customers need to know that the personal data their IoT devices send to the cloud is properly secured both during transmission and when it is stored.
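
The "separate key for each device" advice in point 1, as an added example that is not part of the original article: a backend derives each device's key from a factory master key with HKDF, so a key extracted from one lock does not work against another. The fleet salt, serial format and message layout are assumptions; the sketch authenticates messages with HMAC only, and an AEAD cipher keyed with the same per-device key would add confidentiality.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def device_key(master_key: bytes, serial: str) -> bytes:
    """Diversify the master key (kept in the backend, never on a device) per serial."""
    return hkdf_sha256(master_key, salt=b"example-iot-fleet-v1",
                       info=b"device-key|" + serial.encode())

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Prefix an 8-byte message counter and append a 32-byte HMAC tag."""
    body = counter.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key: bytes, last_counter: int, message: bytes):
    """Return (counter, payload) if the tag verifies and the counter is fresh, else None."""
    if len(message) < 40:
        return None
    body, tag = message[:-32], message[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    counter = int.from_bytes(body[:8], "big")
    if counter <= last_counter:  # replayed or reordered message
        return None
    return counter, body[8:]

# Constructed sample values (not real keys or serials).
MASTER = bytes(range(32))
LOCK_A, LOCK_B = "LOCK-0001", "LOCK-0002"

def demo():
    key_a, key_b = device_key(MASTER, LOCK_A), device_key(MASTER, LOCK_B)
    msg = seal(key_a, 1, b"unlock")
    return {
        "keys_differ": key_a != key_b,
        "accepted_by_a": open_sealed(key_a, 0, msg),
        "accepted_by_b": open_sealed(key_b, 0, msg),  # key taken from A is useless for B
        "replayed_to_a": open_sealed(key_a, 1, msg),
    }
```
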

    Why DEKRA cyber security team 

    Our team of cyber security engineers helps manufacturers perform a security evaluation according to the most well recognized security standards and practices, such as ISO 15408, Common Criteria, and FIPS 140. This gives manufacturers an independent assessment of the security of their IoT devices and their ecosystems.

    • One of the largest cyber security labs focused on product security evaluations

    • Solid and experienced team fully dedicated to security evaluations with more than 10 years of experience in common criteria certification and penetration testing

    • We are continuously investing in R&D to discover new vulnerabilities and attack methods

    • Reputable and experienced in product security evaluations

    • We help companies that design smart (and secure) devices

  • Meet our experts

  • Contact persons

    Toke Reijs, Retail market segment, Global

    Rubén Lirio, Cyber Security Product Manager

    Tim van den Berg, Professional Electronics, Global/Europe
