A myriad of customized and heterogeneous IoT solutions has appeared recently, together the attack surface increased in a scaring way.
According to the IoT developers survey 2017 (Eclipse IoT Working Group’s 2017) https://ianskerrett.wordpress.com/2017/04/19/iot-developer-trends-2017-edition/), security is the top concern for IoT developers. The vulnerabilities researched affect all the three components of the CIA triad, confidentiality, integrity, and availability in some way.
Most of the IoT devices are characterized by limited amount of resources such as CPU, memory, storage, and power supply (sometimes limited by the use of batteries). These limitations are the main obstacle to apply the known security solutions to those devices. For instance, they cannot rely on heavy encryption algorithms. Also, they may be exposed to physical analysis such as power analysis attacks.The second concern regarding the implementation of IoT devices is how to authenticate and authorize those equipment. With so many different types of available systems and uncountable manufactures and integrators, it is not possible to rely in simple passwords or to not use an AAA system. Neglecting this point will put the system in risk of being compromised by rogue IoT devices.
Among other actions and depending on the other security layers, rogue IoT devices may send incorrect information to the network, analyze the network topology, and inject worms in the entire network.Another security challenge is how to keep the firmware and software of the IoT devices up to date. With a distributed and heterogeneous network this is a critical vulnerability in IoT networks and may be exploited by an attacker with knowledge of existent flaws. Besides that, the existence of legacy devices may not permit a complete update. This point will be specially a big concern in the near future. With the explosion of IoT startups, manufactures, and customized solutions, in some years, when few of them are still alive, we will have millions of unsupported devices operating around the world.Regarding secure communication. some devices are not capable to encrypt the messages before sent them.
It becomes a great vulnerability when this device needs to send information over the Internet and it may compromise data confidentiality. This problem is especially critical when the data source is in an unprotected location and the attacker may install a sniffer to collect the data generated even if some intermediary solution is used to encrypt the data before it is sent to the Internet .Vulnerabilities also may be created during the development of IoT applications.
Developers usually create backdoors to bypass security during the tests and they may forget some of them open before release the application. Also, because time constraints, the application may not be tested and be debugged enough before launched and may be vulnerable to attacks such as buffer overflow. In this aspect, the run for acquiring market share inflicts a great pressure over the development teams. Furthermore, the increasing complexity caused by the integration of diverse systems demand more tests to prevent new attack perspectives.As much as we rely on IoT devices to run businesses, to secure our homes, and even monitor our health, more the importance of the availability of IoT systems increases.
The two main points of failures of these systems are the connection to the Internet and the power source. Besides that, typical low price devices have a low mean time between failure (MTBF) index and may also compromise the availability of the service.In this section we presented only the known vulnerabilities and some possible breaches in IoT systems. In the next sections, it will be presented some real attacks and what can be done to mitigate the vulnerabilities showed in this section.