This is a million dollar question – it is the question that might be causing many a raised eyebrows. This may be the question is IoT(Internet of things) security which is holding back a lot of progressive minds from taking that next step forward.
Is this not making us more vulnerable and hack-able than ever before?
True……an IoT (Internet of things) unleashed world, will definitely make many of the “things” – earlier untouched by technology, much more vulnerable and available for attacks.
What kind of dangers are lurking in the corner?
Definitely security threats are of all kinds – from no disruption to complete destruction!! It is quite possible that the “Mission Impossible” kind of scenarios will become an eventuality that every common man might face in the coming years.
Simple threats could come from passive eavesdropping, where the eavesdropping device simply listens to data transmitted by the other devices. This data may be used in innovative ways. It may happen that some one may be able listen in to a smart home and figure out if the house is empty or occupied by monitoring the data from the AC/Fans/Lights.
Cases of identities getting cracked, where the IoT (internet of things) device is identified and marked to a particular individual or organization or system – opens up doors to more threatening situations. This becomes a threat because once one knows who a particular device belongs to, it becomes easier to wire a story around it. Thus if one is able to identify a wearable device of a celebrity one can constantly keep following the celebrity. Knowing that a particular device id belongs to an important room, one may be able to know when the door gets opened or not, thus know if there is an occupant inside which becomes dangerous if this belongs to a VIP.
There may be cases where Identity gets stolen. Some one might be able to mimic your identity to open a smart lock to get access. This kind of thefts or proxy presence can lead to many threats since now you have access to the entire trusted devices and the network. This is almost like getting the master key.
Any worthwhile change comes with it’s own challenges…..we can’t make the change without tackling these challenges!
Let us understand how these security challenges are getting handled…
Luckily these are not totally new challenges and therefore the solutions are already available. The devices talking to any other device or gateways typically do so over an encrypted channel using key based encryption. BLE devices use FIPS compliant ECDH algorithms. The keys generated are then used to either generate further keys or encrypt the channel. This process of exchange of keys and encryption of channel happens as part of the pairing process between the internet of things devices. Pairing is a process by which two devices identify each other, authenticate and establish a connection or communication channel between them.
In-order to prevent the device id getting captured and then identified, complex ids are used – these devices use multi-bit ids….like 48 bit ids for BLE devices. To prevent tracking, this id is changed periodically. There is a Identity Resolving Key (IRK) which is shared with trusted devices when pairing and this key is used to generate the Resolvable Private Address (RPA). The hashing using IRK helps the trusted devices to determine if the new address belongs to the given device or not. The devices can change it from once per second to maximum of couple of hours. Thus a constantly changing id which only the trusted devices recognize, wards off these kind of threats.
Man In The Middle attacks
The kind of attacks of the likes of Man In The Middle, is surely possible with Internet of things devices too. The main shield against these attacks is already part of the earlier solution of hiding the id and keeping the channel encrypted. This mechanism has an inbuilt authentication process which helps ensure that the two parties involved in the conversation are trusted and what is being conversed is understood only by the two of them. This will essentially prevent anybody else from conning the identity and getting the foot in the door.
These are the basic preventive measures in place. Nevertheless the threat is as relevant as any virus attack that current IT systems face. The huge number of devices touted to be interconnected in coming future is going to increase the opportunities for threat as well as failures. This is what is actually worrying about Internet of things and not the eco-system or the solution per se. Thus it is not IoT but it’s cumulative scale that is scary.