There's a Way to Deploy Secure IoT (And It Doesn't Have to Be Scary)

In honor of Halloween, let’s talk about that thing we’re all a little scared of—IoT Security.

Guest Writer
Image of a scary IoT ghost

If you care about data privacy and protection, you’re probably wary of deploying an Internet of Things solution in your workplace. You also probably recognize that connection-rich IoT networks are a playground for hobby hackers and a goldmine for those who deal in compromised information.

While security concerns may make you reluctant to move forward with an IoT deployment, overcoming that reluctance allows bolder enterprises to take the lead in refining their processes and services with the insights and operational advantages that IoT offers. 

Practical Internet of Things Security

When deploying large-scale IoT systems, paying attention to security isn’t just a good idea: it’s an absolute necessity. But, don’t be ruled by nightmares of what could go wrong. You can benefit from IoT without the paralyzing fear of undermining your data security. The key is to focus on finding a complete and future-proof IoT solution that’s built thoughtfully.

To help you do that, let’s take a look at three common methods attackers use to compromise IoT ecosystems—data-theft, distributed denial-of-service attacks, and man-in-the-middle attacks—and what security features you will need to combat them.

1. Data Theft

IoT works by enabling communications between connected devices through transmissions on a network protocol. Like any message, call, or parcel that travels from one point to another, these transmissions have the potential to be intercepted.

Malicious parties who steal transmissions are usually looking to gain access to the transmission’s content or use to use the transmission as a key to the broader IoT system.

Solution: 128-256 Bit Encryption

The first line of security against data theft comes standard on LoRaWAN IoT platforms. LoRa provides native symmetric 128-bit encryption on every transmission throughout the network. This means that whoever picks up a LoRaWAN transmission without authorization is still looking at a locked piece of data. In order to break into it, they’ll need to crack the encryption.

While 128-bit encryption is an excellent foundation, a second encryption-layer on top of the LoRa standard is recommended—ideally, a layer that is 256-bit or better. Cracking 256-bit AES encryption is extremely difficult. A “brute-force” attack—procedurally guessing every key combination—would take the world’s fastest supercomputer millions of years to complete. 256-bit encryption will effectively neutralize the threat of your communications being deciphered and read (provided the keys are secure elsewhere).

To stop data-theft at the storage and database level, you’ll want to check who’s storing your data and what their security measures entail. It’s usually best to use a reputable company with a public track-record to maintain. For example, Amazon Web Services (AWS) offers excellent and comprehensive cloud security. Look for an IoT solution that uses AWS or a similar large cloud service like Google Cloud.

2. DDoS Attacks

A distributed denial of service (DDoS) attack tries to make a machine or network resource temporarily unavailable to its users by flooding the target with network traffic. 

In the world of IoT, in which numerous components form an interdependent transmission-based ecosystem, DDoS attacks can cause exceptional havoc—from false-alarms to broken features to partial or total asset-blindness.

To repel DDoS attackers, you’ll want a “stingy” IoT network that’s ultra-selective about what traffic it accepts. Choose one that’s efficient at telling the difference between authorized and unauthorized traffic.

Solution: Physically Unclonable Functions

Look for a system that employs physically unclonable functions on its sensors. Physically unclonable functions (PUFs) are used to generate ultra-unique keys for every sensor. PUFs rely on the miniscule anomalies that naturally occur in the manufacturing process of semiconductors to generate a unique fingerprint for each sensor or gateway. This unrepeatable fingerprint is a property of the sensor’s SRAM. Because they can’t be realistically cloned or spoofed, using PUF-based keys guarantees supreme confidence that a given device is what it claims to be.

Using this kind of device-specific identification, a tight-knit network can remain self-aware while separating familiar from foreign traffic without much effort, rendering attempted DDoS attacks toothless.

3. Man-in-the-Middle

With all these security measures in place, it turns out that the most effective way for attackers to gain access to your system is to trick you into giving them the keys. 

A man-in-the-middle attack (MitM) relies on spoofing the identities—for instance, the e-mail or social accounts—of two friendly targets. The goal is to make them think they’re each communicating with the other so that one or both of the targets will share compromising information that can then be used by the attacker.

Solution: Triple-Layer IoT Security

The best IoT security will include all of the countermeasures discussed in the sections above. By tripling security with LoRa standard encryption, additional digital certificates, and physically prescribed sensor-keys, the only entry-point for a MitM attack would be if you literally shared the credentials of your administrator account to a malicious party. In such a catastrophic event, there are still countermeasures you can implement to mitigate risk.

Compromised identities happen, but if you’ve chosen a secure IoT product, they won’t affect your IoT network operations. Attackers won’t be able to touch the data contained in your transmissions or databases. Your IoT system will end up being the most digitally secure sector of your entire workplace.

It’s Reasonable to Be Unreasonably Secure

You should be concerned about how your data is protected. But don’t let that fear paralyze you into giving other businesses a competitive head start. Prioritize an IoT solution that implements triple-layer security from day one.

From all of us working to provide effective and unbreachable IoT systems, have a happy and safe Halloween in 2018!

Written by David Chang, Director of IoT Product Management at Longview, a Carnegie Technologies Company.

Guest Writer
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.