IoT Time Preview: Encryption


In this weekly series, we’ll be previewing chapters of “IoT Time: Evolving Trends in the Internet of Things” for you to read in the hopes that you’ll like it enough to read the whole thing.

IoT Evolution, the leading media brand for the Internet of Things (IoT), has published a book outlining more than 150 of the leading trends in the IoT industry, entitled “IoT Time: Evolving Trends in the Internet of Things.” The book, written by IoT Evolution Editorial Director, Ken Briodagh, seeks to explore the factors that have shaped the recent past of the developing industry and use those to predict the trends that will drive the next period of growth. Each of the trends is explicated and illustrated with a case study or product review that supports each position.

In this weekly series, we’ll be previewing chapters for you to read in the hopes that you’ll like enough to read the whole thing. To do just that, for free, click here. Alternatively, there’s a paperback version available on Amazon for $14.99.

Chapter 18: Encryption
Trend: Education is needed
Connected Device Security a Mystery to 61 Percent of Consumers

A recent survey of more than 1,000 consumers has illustrated the spread of the IoT among consumers, but it also points out some serious security concerns. The survey by BullGuard, a provider of mobile and internet security, said that about a quarter of consumers were planning to buy IoT devices in the next 12 months. BullGuard found that 58 percent of consumers are ‘very concerned’ or ‘highly concerned’ about potential hacking and data theft carried out against their connected devices, and 37 percent have already experienced a security incident or privacy problem. According to the survey, 68 percent of respondents are concerned about security risks like viruses, malware and hackers and 65 percent expressed concern over data collected by device manufacturers being inappropriately used or stolen.

The IoT industry has yet to establish common security standards among devices. Smart device manufacturers tend to adopt their own approach to security while updates to ensure device security are often too technical and complex for consumers to carry out, even those who are technically literate. This study revealed that 24 percent of consumers with advanced technical skills are not confident in their ability to keep their connected devices secure.

These vulnerabilities have been acknowledged by intelligence agencies across the world. In recent testimony to the US Senate, James Clapper, US Director of national intelligence, said, “In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking…or to gain access to networks or user credentials.”

Paul Lipman, CEO, BullGuard said, “Most of us have been working with internet connected devices such as computers, smartphones and tablets for some time, but the Internet of Things is changing our perception of personal security, for both ourselves and our data. It’s not just those who consider themselves ‘technophobes’ that have these concerns – tech savvy users are saying the same.”

When asked how they would rate their computer skills, the majority of respondents described themselves as ‘intermediate or advanced’. More than 80 percent said they are capable of setting up their own router, yet when asked if they have changed their router password, almost half denied it. A third admitted that they don’t know how, and 60 percent do not know how to configure a router to keep a home network secure.

“Consumers are clearly not equipped to handle the myriad of security risks presented by connected devices,” said Lipman. “With devices such as security cameras, alarm systems and door locks now being connected to the internet, physical security is becoming as much of a consideration for consumers as data security. Keeping these devices secure is absolutely imperative.”

Trend: Devices are too vulnerable
IoT Devices Still Terrible at Security

In a recent study, security firm ForeScout has shown that it takes fewer than three minutes to hack many common Enterprise IoT devices. This in-depth analysis shows the dangers posed by enterprise IoT devices, and seems to reveal that most can act as points of entry into critical enterprise networks. This “IoT Enterprise Risk Report” was based on research by white hat hacker Samy Kamkar.

“IoT is here to stay, but the proliferation and ubiquity of these devices in the enterprise is creating a much larger attack surface -- one which offers easily accessible entry points for hackers,” said Michael DeCesare, president and CEO, ForeScout Technologies. “The solution starts with real-time, continuous visibility and control of devices the instant they connect -- you cannot secure what you cannot see.”

Kamkar's research focused on seven common enterprise IoT devices: IP-connected security systems, smart HVAC and energy meters, video conferencing systems and connected printers, among others. According to his observations from a physical test situation and analysis from peer-reviewed industry research, these devices pose significant risk to the enterprise. That risk comes mostly because the majority of them are not built with embedded security. Of the few devices that did have some security protocols, Kamkar said many were operating with dangerously outdated firmware.

One of the vulnerabilities discovered was via a physical hack Kamkar performed, giving him access to an enterprise-grade, network-based security camera. The camera was entirely unmodified and running the latest firmware from the manufacturer, and was still vulnerable and ultimately allowed for the planting of a backdoor entryway that could be controlled outside the network.

Key findings of the report:
The identified seven IoT devices can be hacked in as little as three minutes, but can take days or weeks to remediate. Should any of these devices become infected, hackers can plant backdoors to create and launch an automated IoT botnet DDoS attack, much like what’s been happening over the last week. Cybercriminals can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment. With VoIP phones, exploiting configuration settings to evade authentication can open opportunities for snooping and recording of calls. Via connected HVAC systems and energy meters, hackers can force critical rooms (e.g. server rooms) to overheat critical infrastructure and ultimately cause physical damage.

Thanks to vulnerabilities like the ones revealed here, bad actors are now easily able to use insecure devices to gain access to secure networks, and ultimately other enterprise systems chock full of tasty bank account information, personnel files and proprietary business information.

Trend: Good crypto could be an answer
Cryptography Enables Turnkey Security for Connected Devices

Developers of IIoT and connected embedded systems can now design in an added level of trust while also bringing their products to market faster, thanks to a recently released product from Maxim Integrated products. With the increase in cyber attacks on critical connected infrastructures, security can no longer be an afterthought in system design. In a recent survey conducted by Electronic Design of 2,200 electronic engineers, 60 percent of respondents said security in their products is very important, and 96 percent think that security will either have the same or more importance for their products.

The Maxim MAXQ1061 is designed with an integrated comprehensive cryptographic toolbox that provides full support for a wide spectrum of security needs, ranging from key generation and storage, to digital signature and encryption up to SSL/TLS/DTLS. It can also support secure boot for most host processors. To withstand extreme industrial environments, the MAXQ1061 is tested to operate from -40 degrees to more than 109 degree Celsius and is available in TSSOP-14.

“The MAXQ1061 provides a hardware root of trust; its comprehensive set of cryptographic functions fulfill the key security requirements of the embedded systems of tomorrow,” said Christophe Tremlet, Executive Business Manager, Embedded Security, Maxim Integrated. “With the MAXQ1061, our customers have a trusted device that will not only guarantee the integrity and authenticity of the system, but also secure communications.”

The MAXQ1061 embeds 32KB of user programmable secure EEPROM for storing certificates, public keys, private and secret keys, and arbitrary user data. The EEPROM is managed through a flexible file system, enabling custom security policy enforcement. Its cryptographic algorithms include ECC (up to NIST P-521), ECDSA signature generation and verification, SHA-2 (up to SHA-512) secure hash, AES-128/-256 with support for ECB, CBC, and CCM modes, and MAC digest. The MAXQ1061 also provides a separate hardware AES engine over SPI, supporting AES-GCM and AES-ECB modes, and that can be used to off-load a host processor for fast stream encryption.

“The MAXQ1061 provides ideal hardware security to complement our software solution for the Floodgate Defender Appliance allowing customers to easily secure their legacy equipment economically,” said Ernie Rudolph, EVP, Icon Labs.

Trend: More breaches means more focus on security
Kontron Releases IoT Security Platform

Kontron recently released a new hardware and software security platform for IoT environments that uses multi-layer encryption and real-time analytics to secure points across the network and detect rogue devices. A report commissioned by AT&T recently found that in the past two years, vulnerability scans increased in IoT devices by 458 percent. IBM’s X-Force, a team of ethical hackers, recently hacked into the building automation system (BAS) of a so-called smart building occupied by a business with multiple offices across the U.S. The vulnerabilities that the team exploited would have given them access to all the BAS units of the company and its branch offices. As a result of their testing, the team came up with a fundamental list of security procedures, like avoiding storage of passwords in clear text form, which BAS operators should follow to reduce the possibility of future breaches.

This kind of competitive security research is critical to the establishment of trust in the IoT industry, and has been a part of the IT security landscape for as long as we’ve had computers. More of these hackathons and white hat hacker events are needed, and their successes reported. As more vulnerabilities are fixed and patched, new ones become harder to find and the whole industry earns greater consumer and industrial trust. And therefore, it grows.

In this weekly series, we’ll be previewing chapters for you to read in the hopes that you’ll like enough to read the whole thing. To do just that, for free, click here. Alternatively, there’s a paperback version available on Amazon for $14.99.

Edited by Ken Briodagh

Editorial Director

Related Articles

A Move Toward Pervasive LoRaWAN Network Coverage

By: Arti Loftus    9/15/2021

Earlier this year, ABI Research found that the LoRaWAN protocol is the leading license-exempt low-power wide-area (LPWA) network technology addressing…

Read More

Tartabit Eases IoT Device Makers Azure Marketplace Access

By: Maurice Nagle    9/14/2021

Tartabit LLC announced two new services to its integration arsenal: Marketplace Accelerator (MPA) and the Plug and Play Accelerator (PnPA). Both are a…

Read More

Winners of the 2021 IoT Evolution Community Impact Awards Announced

By: TMCnet News    9/9/2021

TMC, a global, integrated media company helping clients build communities in print, in person and online, in conjunction with its partner Crossfire Me…

Read More

Rocket Lab Lands Multi-Launch Deal

By: Maurice Nagle    9/9/2021

Rocket Lab announced a Multi-Launch deal to deploy the entire satellite constellation for Kineis. The project includes 25 IoT satellites launched via …

Read More

5G Connect Future Program Taking Startup Applications

By: Maurice Nagle    9/1/2021

Earlier this year, the 5G Connected Future Program took flight. Created by the T-Mobile Accelerator, Curiosity Lab at Peachtree Corners and the Georgi…

Read More