IoT devices and Cloud-to-Chip architecture to guard your smart fridge
Over the last 2 years, the number of attacks on IoT devices has doubled each year. In 2021 it exceeded a billion attacks, and that number is not going down in the near future. Lockdowns, the global energy crisis and the development of Web 3.0 keep pushing IoT device usage up, while security keeps suffering.
Advertisers have built a perfect vision of our future – smart fridge, smart washing machine, smart heating and ventilation control, smart lights, and everything else “smart”. In simple terms, every time you hear that some technology is “smart”, it most likely means it is an IoT device; it is simply easier to call it smart than to explain to the general public what IoT is. With the lack of explanation comes a lack of general understanding of how vulnerable these devices are. Chip-to-cloud architecture should change this for the better: people will remain just as uninformed, but thanks to thousands of architects and engineers they will be a bit safer.
Some numbers
Most of the vulnerable devices are routers (accounting for almost half of the attacks), followed by access points and network extenders (these three categories together take roughly 80% of all attacks). The good news is that cameras and smart home devices accounted for only around 6% of attacks, but that is small comfort: what does it matter whether an attacker controls your heating or watches you work, if the same foothold lets them reach your banking data or other sensitive information? The proportions will shift in the future as the number of consumer devices keeps growing, together with the number of cheap devices from Aliexpress and eBay.
Vulnerabilities of IoT devices
As the technology is still immature and the number of IoT use-cases keeps growing, it is very complicated to ensure good quality security:
- IoT devices lack the computational capacity to provide sufficient security
- Insufficient access control
- Users often don’t change factory settings (allowing attackers to use default passwords to access the system)
- Misconfiguration
- Lack of testing (both device tests and tests after the devices have been installed)
- Lack of patches and software upgrades
- Poor maintenance on the client side (no monitoring, no upgrades, no device lifecycle management, etc.)
- Weak encryption
- Easy physical and wireless access to devices, including attacks over radio.
Long story short – cheap devices are cheap for a reason, and with expensive devices you get a better chance of being safe, but it is not a guarantee. As much as we would like to have high-level security, consumers and businesses will continue to buy cheap and badly tested devices to save on costs, and cost optimization on the vendor’s side often comes with compromises in various areas. That said, “cheap” does not by itself mean bad: there may be an innovative company with new technology, or some economic reason why the devices can be supplied cheaper. But if 4 out of 5 devices cost X, and the 5th costs 3 times less with no information about what great innovation makes that possible, consumers should evaluate that device very carefully.
Vulnerabilities of cloud solutions
The devices are not the only possible issue – you also need solid security in the cloud, or in your own data center, where the data from the IoT devices is processed. Apart from general cloud and software security, it is important to deal with the data that travels between the IoT devices and your storage. You need to make sure the data that is being sent is verified (especially in Edge computing cases) and cannot breach your security. Every IoT device is an entry point and needs to be secured.
Firmware and malware
If attackers can infiltrate an IoT device or a whole system, they can change its functionality, gather sensitive data, and carry out other activities, both against the device’s users/owners and against external parties (e.g., launching DDoS attacks from an army of IoT devices).
This may sound a bit like a conspiracy theory, but each device needs to be tested very carefully and all communications whitelisted down to data size and type. Nothing stops a group of attackers (or any other ill-intended group) from buying a batch of IoT devices, installing their malware or spyware, and selling them to you even cheaper. Nothing would make an unfair competitor happier than tampering with your factory line sensors, and nothing would please an evil buckwheat company more than spying on your habits and using your personal information to sell you their products.
How to fix this?
The best approach for such cases is the “shift left” approach, in which things normally done in later stages of the process are done earlier. Here that means security is embedded in the device itself. Features should include:
- An embedded cryptography engine
- A random number generator that is not predictable
- Sufficient memory.
As it may be very hard to make IoT device vendors meet the above (and further) requirements – unless you are ordering custom-built solutions, in which case whoever pays orders the music – you may need to move the security layer to the software side:
- Software security guidelines and audits
- Whitelist minimum acceptable inputs and data patterns
- Full IoT device lifecycle management
- Monitoring
- Logging
- Access control
- Verified device use with detailed interface and feature documentation
- Connectivity to highly secure BI and data manipulation tools.
What if I am ordering the music?
Then you are in luck! If any part of the process is exposed, the solution must be Chip-to-Cloud. Considering that “everything is in the cloud”, your best bet is to use Chip-to-Cloud architecture by default. It enables low-energy IoT device networks in which each IoT device communicates with the cloud directly over secure channels with encrypted messages.
Each device should have unique cryptographic characteristics, so that an attacker cannot impersonate the device and gain access to the enterprise network. By limiting the accepted data to a predefined set, security can be increased even further. By choosing more advanced Edge computing devices you can reduce the traffic to a minimum: Edge computing lets you send instructions rather than raw data, limiting the transfer of sensitive data that would otherwise simply be processed in the cloud (the same guidelines apply to both API security and IoT device data transfer).
Instead of trying to implement umbrella security (for example a centralized firewall), Chip-to-Cloud architecture shifts towards a centralized-decentralized architecture:
- Each decentralized node (IoT device) has its own firewall, security tools, encryption algorithms, etc.
- A centralized IoT management system receives real-time data from every node and allows full device lifecycle management and user management. You can control each device, sets of devices, and the data from one point (depending on security levels this may even include firmware updates).
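The cloud-side checks described above – per-device cryptographic identity, a whitelist of message types and value ranges, and a cap on message size – can be combined into one ingest gate. The following is an added illustration, not code from the original post or from any product it mentions; the device registry, keys, sample messages and field ranges are all constructed, and the HMAC tag stands in for whatever the device's cryptography engine would produce.

```python
import hmac
import hashlib
import json

# Constructed per-device secrets (hypothetical). In a real deployment each key
# would be provisioned into the device's secure element, never shared between devices.
DEVICE_KEYS = {
    "fridge-0001": b"constructed-key-fridge-0001",
    "sensor-0007": b"constructed-key-sensor-0007",
}

# Whitelist: the only message types the cloud accepts, with allowed numeric ranges.
ALLOWED = {
    "temperature": {"celsius": (-40.0, 85.0)},
    "door": {"open": (0, 1)},
}
MAX_BODY_BYTES = 256  # "whitelisted down to data size"

def sign(device_id, body):
    """Device side: tag the body with this device's unique key."""
    return hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).hexdigest()

def ingest(device_id, body, tag, last_seq):
    """Cloud side: returns (accepted, reason). last_seq tracks the highest
    sequence number seen per device so replayed messages are rejected."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False, "bad signature"
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "not json"
    if not isinstance(msg, dict):
        return False, "not an object"
    fields = ALLOWED.get(msg.get("type"))
    if fields is None:
        return False, "type not allowed"
    seq = msg.get("seq")
    if not isinstance(seq, int) or seq <= last_seq.get(device_id, -1):
        return False, "replayed or out-of-order"
    if set(msg) - {"type", "seq"} - set(fields):
        return False, "unexpected fields"
    for name, (lo, hi) in fields.items():
        v = msg.get(name)
        # bool is a subclass of int in Python; reject it explicitly
        if isinstance(v, bool) or not isinstance(v, (int, float)) or not lo <= v <= hi:
            return False, "field %s out of range" % name
    last_seq[device_id] = seq
    return True, "ok"
```

Anything that fails a check is dropped before it reaches storage or BI tools, and the reason string is what you would log and monitor for.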
Conclusion
Coming out of the pandemic, we see that Chip-to-Cloud architecture projects are getting funded more and more, and a large shift to Web 3.0 is happening right now. Projects like Helium are getting increased attention, and they will not go away. IoT can supply the data, and access to the data, for consumers (the Internet of Behaviors, consumer products) as well as for organizations, feeding their systems and processes from CRM, CPQ and SCM to factory machines and other device monitoring and interaction.
Even with Chip-to-Cloud technology there will not be 100% security, but it sure feels good to push the IT risks 1 box back in the risk assessment matrix. By implementing security protocols and audits, and by carefully verifying both the technology you buy (or rent) and your partners, you can decrease the risks. Security is not a simple journey, and it often requires a heavy change in enterprise culture (so that we never again hear something along the lines of: “Hey, let’s worry about the security later, we need to ship the product so we get our bonuses!”). It also requires investment in proper technology. Web 3.0 should be an enabler for new technology, innovations, and new ways of working. Created value, security, and usability should drive the technology and the business, just as the shift from Web 1.0 to Web 2.0 did. Without that shift you would never have seen giants like Facebook or Amazon, and we can only hope that Web 3.0 will bring equally big value.