Part 1

IoT security vulnerabilities | 

IOT device must be security must protect systems, network, and data from a broad spectrum of IoT security attacks, which target four types of vulnerabilities.

  • Communication attacks, which put the data transmitted between IoT devices and servers at risk.
  • Lifecycle attacks, which put the integrity of the IoT device as it changes hands from user to maintenance.
  • Attacks on the device software.
  • Physical attacks, which target the chip in the device directly.

 IoT security Attacks

Physical Attack: Physical attack technologies are often split into two main categories – non-invasive and invasive.

  1. Non-invasive attack: The non-invasive attack is a side-channel attack, hackers may measure fluctuations in the current consumed or the electromagnetics radiated by the device. Distinguishable power and electromagnetic signatures of instructions often allow code to be reconstructed and so can be combined with other techniques to support an attack.
  2. Invasive attack: Invasive attacks can include the removal of the chip package. After the chip is opened, it is possible to perform probing or modification attacks by etching drilling or laser cutting at least part of the passivation layer. In the past, invasive attacks generally meant significant investment – they required days, or weeks, in a specialized laboratory with highly qualified specialists.

Communication attacks: IoT is about connectivity which means the device will be sending messages back to a server. An attacker can use multiple means to intercept, spoof or disrupt those messages. Embedded devices need to deploy best-practice cryptographic defenses to match the increasing value of the assets they communicate.

Lifecycle attacks: A device changes hands many times as it goes from the factory to the user and to end of life. We need to somehow protect the integrity of the device as it goes through this cycle. The lifecycle also describes maintenance cycles: is the object repairable, who is repairing it, and what is the process to handle confidential data when it’s being repaired?

Software attacks: These are the most common attacks where someone finds a way of using existing code to get access to restricted resources. It could be due to a software bug or to unexpected call sequences that are open to whole classes of exploits such as Return-Orientated-Programming.

How to protect the IOT system and IOT devices.

IoT security methods vary depending on your specific IoT application and your place in the IoT ecosystem.Common IoT security measures include:

  • Incorporating security at the design phase:  IoT developers should include security at the start of any consumer-, enterprise- or industrial-based device development. Enabling security by default is critical, as well as providing the most recent operating systems and using secure hardware.
  • API security. Application performance indicator (API) security is essential to protect the integrity of data being sent from IoT devices to back-end systems and ensure only authorized devices, developers and apps communicate with APIs.
  • Identity management. Providing each device with a unique identifier is critical to understanding what the device is, how it behaves, the other devices it interacts with and the proper security measures that should be taken for that device.
  • Hardware security. Endpoint hardening includes making devices tamper-proof or tamper-evident. This is especially important when devices will be used in harsh environments or where they will not be monitored physically.
  • Network security. Protecting an IoT network includes ensuring port security, disabling port forwarding and never opening ports when not needed; using antimalware, firewalls and intrusion detection system/intrusion prevention system; blocking unauthorized IP addresses; and ensuring systems are patched and up to date.

For any Cyber Security information contact help@theweborion.com