By Pravinraj Panicker
In IoT Security

This is a million-dollar question, the kind that may be causing many raised eyebrows. IoT security may well be the question that is holding back a lot of progressive minds from taking that next step forward.


Is this not making us more vulnerable and hack-able than ever before?

True: an IoT-unleashed world will definitely make many of the “things” that were earlier untouched by technology much more vulnerable and available for attacks.


What kinds of dangers are lurking around the corner?

Security threats are definitely of all kinds, from no disruption to complete destruction! It is quite possible that the “Mission Impossible” kind of scenario will become an eventuality that every common man might face in the coming years.

Simple threats could come from passive eavesdropping, where the eavesdropping device simply listens to data transmitted by the other devices. This data may be used in innovative ways. Someone may be able to listen in on a smart home and figure out whether the house is empty or occupied by monitoring the data from the AC, fans and lights.

Cases of identities getting cracked, where the IoT (Internet of Things) device is identified and tied to a particular individual, organization or system, open the door to more threatening situations. This becomes a threat because once one knows who a particular device belongs to, it becomes easier to weave a story around it. Thus, if one is able to identify a celebrity's wearable device, one can keep following the celebrity constantly. Knowing that a particular device id belongs to an important room, one may be able to know when the door is opened, and thus whether there is an occupant inside, which becomes dangerous if the room belongs to a VIP.

There may be cases where an identity gets stolen. Someone might be able to mimic your identity to open a smart lock and get access. This kind of theft or proxy presence can lead to many threats, since the impostor now has access to all the trusted devices and the network. This is almost like getting the master key.

Any worthwhile change comes with its own challenges... we can’t make the change without tackling these challenges!


Let us understand how these security challenges are getting handled…


Luckily these are not totally new challenges, and therefore the solutions are already available. Devices talking to other devices or gateways typically do so over an encrypted channel using key-based encryption. BLE devices use FIPS-compliant ECDH algorithms. The keys generated are then used either to generate further keys or to encrypt the channel. This exchange of keys and encryption of channels happens as part of the pairing process between Internet of Things devices. Pairing is the process by which two devices identify each other, authenticate, and establish a connection or communication channel between them.


ID scooping

To prevent the device id from being captured and then identified, complex ids are used: these devices use multi-bit ids, like 48-bit ids for BLE devices. To prevent tracking, this id is changed periodically. An Identity Resolving Key (IRK) is shared with trusted devices during pairing, and this key is used to generate the Resolvable Private Address (RPA). Hashing with the IRK lets the trusted devices determine whether a new address belongs to the given device or not. Devices can change the address at intervals ranging from once per second to a maximum of a couple of hours. Thus a constantly changing id, which only the trusted devices recognize, wards off this kind of threat.
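The address rotation described above can be shown in a short Go program. This is an added example, not code from the original post: it builds an RPA as a 24-bit random part followed by a 24-bit AES-128 hash under the IRK (the Bluetooth `ah` function) and lets a trusted device resolve it. The names `NewRPA` and `Resolve` and the two IRKs are illustrative sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah is the BLE address hash: AES-128 under the IRK over the zero-padded 24-bit prand, low 24 bits kept.
func ah(irk []byte, prand []byte) []byte {
	c, err := aes.NewCipher(irk)
	if err != nil {
		panic(err) // the IRK must be exactly 16 bytes
	}
	var in, out [16]byte
	copy(in[13:], prand)
	c.Encrypt(out[:], in[:])
	return out[13:]
}

// NewRPA returns a fresh 48-bit address: prand (top bits 01) followed by ah(irk, prand).
func NewRPA(irk []byte) []byte {
	prand := make([]byte, 3)
	for {
		if _, err := rand.Read(prand); err != nil {
			panic(err)
		}
		prand[0] = prand[0]&0x3f | 0x40 // mark the address as resolvable private
		// The 22 random bits must be neither all zeros nor all ones.
		if !bytes.Equal(prand, []byte{0x40, 0, 0}) && !bytes.Equal(prand, []byte{0x7f, 0xff, 0xff}) {
			return append(prand, ah(irk, prand)...)
		}
	}
}

// Resolve reports whether addr is an RPA generated from irk, which only a paired device holds.
func Resolve(irk, addr []byte) bool {
	return len(addr) == 6 && addr[0]&0xc0 == 0x40 && bytes.Equal(ah(irk, addr[:3]), addr[3:])
}

func main() {
	// Sample keys for illustration: a paired peer's IRK and an unrelated one.
	irk, _ := hex.DecodeString("ec0234a357c8ad05341010a60a397d9b")
	other, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	a, b := NewRPA(irk), NewRPA(irk) // two rotations of the same device
	fmt.Printf("%x %x trusted=%v stranger=%v\n", a, b, Resolve(irk, a) && Resolve(irk, b), Resolve(other, a))
}
```

An observer without the IRK sees two unrelated-looking addresses, while the paired device recomputes the hash and links both to the same peer.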


Man In The Middle attacks

Attacks such as Man In The Middle are surely possible with Internet of Things devices too. The main shield against these attacks is already part of the earlier solution of hiding the id and keeping the channel encrypted. This mechanism has an inbuilt authentication process that helps ensure that the two parties involved in the conversation are trusted and that what is being conversed is understood only by the two of them. This will essentially prevent anybody else from faking an identity and getting a foot in the door.

These are the basic preventive measures in place. Nevertheless, the threat is as relevant as any virus attack that current IT systems face. The huge number of devices touted to be interconnected in the coming future is going to increase the opportunities for threats as well as failures. This is what is actually worrying about the Internet of things and not the ecosystem or the solution per se. Thus it is not IoT but its cumulative scale that is scary.

Feel free to connect with us if you want to discuss or share your ideas. We provide IoT services as well as IoT solutions based on our ISaE framework.
