Internet of Things Security


This topic contains 17 replies, has 7 voices, and was last updated by  Jothi Prakash Anandan 2 years, 8 months ago.

    #56890

    Dragon
    Participant

    How do you secure the internet of things?
    What changes need to be made to make the internet of things secure?
    Should there be a new platform distinct from IoT called IoST to distinguish that an Internet of Things device was designed with Confidentiality, Integrity, Availability and Non-Repudiation in mind?
    Do secure IoT devices exist?
    Let’s be more specific: are there any FIPS 140-2 validated Internet of Things devices and if so which ones, what are the limitations?

    #57001

    M G
    Participant

    exactly

    #57067

    Dragon
    Participant

    Anyone else have any ideas?

    #57102

    cz3kit
    Participant

    Bruce Schneier describes the problem with all these devices and why they are usually not secure: Security Risks of Embedded Systems
    You will notice that it is super hard to change something in that area.

    #57434

    Dragon
    Participant

    @cz3kit: Thanks for the link. If they can’t change it, why not start from the ground up with something new?

    #57531

    Dragon
    Participant

    How secure are these?
    http://www.redpinesignals.com/News_&_Events/PressReleases/Redpine_Signals_Announces_Availability_of_FIPS_140-2_Certified_Wi-Fi_Modules_for_Government_and_Healthcare_Markets.php

    I was specifically looking for FIPS 140-2 Certified Embedded Devices and “Internet of Things”.

    #57544

    Chin_Diesel
    Moderator

    I can’t wait to work for a company that has to request a new digital certificate for their office refrigerator.

    #57577

    Dragon
    Participant

    But certificates can be done for free with Mozilla’s “Let’s Encrypt” collaborative project (and hopefully updated automatically ;).
    https://letsencrypt.org/

    If IoT devices are inherently hackable, then they are potentially brickable as well.

    #57578

    Dragon
    Participant

    https://upload.wikimedia.org/wikipedia/commons/9/9b/Internet_of_Things.svg
    RFID
    Healthcare devices (Pacemakers, sensors, artificial organs)
    Food Safety
    Tracking devices
    Teleoperation, Telepresence

    Consider that all or most of these devices can be hacked, spoofed, give false information or hijacked.
    Would you be concerned if food safety sensors were compromised at a supermarket or if artificial hearts were being sabotaged (and you had a bad heart)?

    #57594

    Chin_Diesel
    Moderator

    You’re forgetting that cars can also be hacked. https://blog.kaspersky.com/remote-car-hack/9395/
    But yeah, doing things securely becomes a huge deal when you factor in the potential for malicious intent (or even monitoring by the government and other unscrupulous individuals).

    #57628

    Dragon
    Participant

    @creno13
    The attack vectors seem to be on the wireless and Bluetooth.
    The problem, as I see it, is the software is produced but not patched for these cars.
    A car can be on the road for 5 years or more. That is plenty of time with an unpatched system to find a way to hack it as they all have the default configuration. In a couple years there will be so many unpatched smart-cars on the road.
    With the drive-by-wire capabilities of some cars they were even able to automatically drive the cars as a convoy. One has to consider that an attacker might not take control of just one car, but a fleet.

    #57860

    cz3kit
    Participant

    @dragon: You asked why not start from the ground up? Well, I am asking myself the same question, but then, how do you want to start from the ground up? This is a very difficult task no one wants to do. It is time-consuming and expensive.

    #57871

    Chin_Diesel
    Moderator

    Starting from the ground up is a tough sell, especially since it would still need to be able to connect and integrate with your network and devices, and a newly designed system would need to undergo thorough testing to make sure it's not exploitable. It just seems like the advantage is geared towards the attackers, and the consequences of a compromised system are a lot higher than your average information system.

    #57935

    Dragon
    Participant

    @cz3kit: My intuition tells me that the simplest solution is to create a 1G or 2G or WiFi updateable car computer, where the software gets regular updates. Perhaps, it could be marketed and standardized into a couple of platforms. Many cars run on an HTML/JavaScript setup or Android.

    @creno13: I agree. It is much harder to create new hardware than to create new software. I think a lot of the problem could be resolved with software based solutions, and maybe an open digital key system for keyless entry. I wouldn’t trust a remote entry device that the dealer sold me to stay secure for the life of the vehicle. I would prefer to have an open-source standard.

    #85754

    ginasilvertree
    Participant

    #85941

    romualds
    Participant

    A huge limitation of IoT devices is processing power: most devices are far less powerful than our common information systems, with networks with narrower bandwidth and unstable connection: who can pretend that cars are able to perform strong encryption with acceptable response times? All the more so as generally required hardware is not available on the device and migration is a nightmare. Without mentioning the fact that security is neither in the culture of manufacturers nor their priority. This being said, there is no theoretical reason why IoT should be less secure than traditional IT. But the reality and economics of IoT are very different from the ones of IT.

    #85956

    ginasilvertree
    Participant

    Agreed and well-said. We believe the economics will change somewhat over time, as companies must face the realities of being hacked. They will find the money to protect their devices, which will foster a cultural change.

    #87031

    Great thread
