THE Internet of Things (IoT) is a reality. Gartner forecasts 25 billion IoT devices by 2021, and other industry sources and analysts predict even larger numbers.
Although projections of unprecedented growth are ubiquitous among industry pundits, the efforts to secure this tsunami of connected devices are in their infancy. The IoT is still relatively new, so it lacks regulations that mandate security.
The potential for misuse, however, is massive and could lead to major embarrassment (and worse) for businesses and consumers.
Connected devices have already been utilised to launch massive Distributed Denial of Service attacks on websites, in-home security cameras have been hacked and used to spy on people, and sensitive consumer data has been compromised. Timely testing and securing of IoT is the need of the hour.
Four IoT security challenges
IoT systems (including the Industrial IoT and connected machinery) are quite complex from a security perspective, and they pose several contrasting challenges.
Scale
Unlike traditional web apps, IoT software is deployed on thousands and even millions of devices and are always on, so vulnerabilities are magnified over a much wider attack surface.
Lifespan
A lot of IoT devices are embedded within equipment that lasts a long time, even decades (automobiles, subsea devices, HVAC systems, and so on).
It’s often hard to deploy patches on or upgrade the software contained in these devices as frequently.
The likelihood of vulnerabilities persisting in these devices for months to even decades is extremely high.
Open source operating systems
The large majority of IoT devices run on open source operating systems and on off-the-shelf hardware and networks. The inherent vulnerabilities baked into open source software makes them even more susceptible to attacks.
The 5G network effect
5G is expected to usher in the IoT era to an even greater extent.
With its high bandwidth and speed, it will connect everything and remain always on.
This increases the likelihood of an attack, and a public network is always more susceptible to an attack.
Facets of an IoT deployment
Consider IoT systems within the context of medical devices, automotive equipment, and consumer electronics.
From a security testing perspective, these mixed-technology deployments have a multitude of potential attack surfaces and technologies that must be protected.
The cloud. The IoT and cloud computing are a match made in heaven. The capacity needed to handle the sheer volume of data as well as the processing required for large-scale IoT adoption can only be driven by cloud computing. Smart devices will be connected by default to either edge data centres or centrally located data centres, which will process and store the data they generate. The cloud could also be utilised for IoT device security controls.
Embedded devices. Each “thing” within IoT is essentially an embedded computing device that sends and receives information over a network. Embedded devices run software and have a smaller memory footprint, along with an operating system and a processor. Just like the network they are connected to these things are all susceptible to attack, especially as they might run old, general purpose, open source software that isn’t often updated for patches.
Web applications. Often, IoT devices connect to a web app, and some IoT devices even have an embedded web server. That’s why web app security testing principles apply to IoT security.
Custom applications. The IoT is vast and spans apps that power smart cities, automobiles, agriculture, healthcare, and more. Given the wide variety of devices, standards, and technologies applied to IoT, there’s a lot of incompatibility in the ecosystem. Custom apps are therefore widespread in IoT.
The network. Most smart devices are always connected by default. They’re connected to the gateways and the back end via a variety of network protocols. And just like the cloud, embedded devices, and web/customised IoT apps, the network itself is highly prone to attack.
Mobile devices. With the increasing adoption of 5G, the IoT will have the mobile network speed, device density support, and data transfer speeds to support the billions of mobile IoT devices, as well as the mobile apps to control these devices. The network, mobile, and the cloud are the three pillars of IoT.
Thick client testing. IoT data processing is increasingly moving to the edge to facilitate faster decisioning. Decentralised thick client computing at the edge is common, particularly in devices that may need to operate without connectivity from time to time.
Fuzz testing. If an IoT device becomes unresponsive or acts abnormally due to inconsistent input, it may affect real-world operation. Fuzz testing simulates what a hacker would do by creating a wide range of corrupt input that will cause the app to fail.
Ian Hall is manager of client success, APAC, at Synopsys Software Integrity Group. Comments: letters@thesundaily.com
