With the flood of smart devices on the market, the Internet of Things (IoT) has become a center of security concerns. In the first half of 2021, there were more than 1.5 billion IoT security breaches. Anything from a smart coffeemaker in your house to the smart chemical sensors in your manufacturing buildings could be at risk of a cyberattack. That’s because these IoT devices need to connect to the internet or to other devices that contain sensitive data, which makes them vulnerable.
The security and privacy concerns for IoT center around resource-constrained IoT devices, devices with limited processing power and storage capabilities. Energy consumption is one of the top limiting factors in IoT device adoption, so resource-constrained devices seek to reduce energy consumption. Since IoT devices have low processing ability, they can’t always protect against attacks. As a result, resource-constrained IoT devices have fallen victim to devastating DoS (Denial-of-Service) attacks.
A DoS attack occurs when a hacker or bot sends an overwhelming number of fake service requests to a network. The network inevitably can’t handle all the traffic and has to turn away genuine requests or shut down entirely until the source of the fake requests can be eliminated or blocked. Many DoS attacks target resource-constrained devices, since they don’t have many resources to respond to requests in the first place and quickly become overwhelmed.
If you use resource-constrained IoT devices, you need to find creative ways to secure them against DoS attacks and other vulnerabilities without increasing costs or significantly increasing power consumption.
Understanding IoT Security
IoT security works primarily by regulating communication between unsecured end devices and more important devices in the network. An IoT network is generally a low-power wireless personal area network (LoWPAN) and can only transfer data over a short distance. These networks generally include at least one router and various end devices.
Routers allow devices to connect to the network, keep out unauthorized devices, regulate traffic, and send encrypted packets of data back and forth between devices. End devices are all the devices that connect to a router, and they’re often resource-constrained and therefore unsecured.
An unsecured IoT device might be, for example, a temperature sensor that operates in an IoT network for monitoring weather conditions in a particular area. You’d need lots of these sensors to be able to get enough data to predict the weather for the next week.
With so many sensors, the energy drain would be enormous if each had the processing capabilities needed to secure and encrypt data properly. One of the ways you can solve this problem is by securing the data during transit and in the receiving devices instead of in the resource-constrained device itself.
Securing IoT Data
Here are a few best practices for IoT security that you can implement even with resource-constrained IoT devices.
Method 1: End-to-End Encrypted P2P Communication
Every time a device connects to the cloud to transfer data to another device or to a cloud storage database, it opens itself to potential attacks and vulnerabilities. The key is to encrypt the data from the time it leaves the device to the time it reaches its destination. This is called end-to-end encryption.
Think of it this way: let’s say a company needs to send an extremely valuable or potentially dangerous shipment and wants to prevent that shipment from getting into the wrong hands. They might decide to ship the most valuable items in an armored truck. End-to-end encryption is like shipping a package in an armored truck, protecting the package during transit.
Nabto provides secure, end-to-end encrypted peer-to-peer (P2P) communication, which bypasses cloud storage, allowing a sending device to communicate directly to the receiving device or system, and making it much harder for a third party to intercept the communication.
Method 2: No Single Point of Failure
A single point of failure means if one part of a system goes down, the whole network goes down. For example, since routers control and monitor network traffic, you have a serious problem if a router breaks down, unless you have what’s called a self-healing network. This means you have more than one router, plus other devices that can take over if a router fails. So the network is never left completely unprotected because there’s no single point of failure.
Another aspect of avoiding a single point of failure is with data centers. At Nabto, we have a global network of data centers spanning four geographical locations. We automatically register devices with the data centers that can provide the lowest possible latency. These data centers are distributed over various geographical locations, with servers in two separate locations within each datacenter. This means you don’t need to rely on a single, centralized data center, and as a result there’s no single point of failure.
Method 3: Only Accessing Necessary Data
One best practice for preventing accidental leaks is to make sure employees only have access to the data they need. One way to do that is through partitioning. Certain protocols, like the Thread protocol, allow you to “partition off” certain areas of the network. Partitioning is like building a wall between different groups of devices within the same area.
For example, your IT team might have control of certain IoT devices while your marketing team would only control the IoT devices that are necessary for their work. Neither team would have access to the others’ IoT devices or data because there’s a digital “wall” between them, even if they’re in the same building. Partitioning makes it less likely that there will be an accidental leak.
Method 4: Letting Hardware Compensate
Resource constrained devices don’t necessarily have the computing power to deal efficiently with high-grade public key encryption algorithms. In short, encrypting communication with the best types of encryption takes way too long, and the result is that communication between devices suffers a lot of latency. If your devices take 10-30 seconds to connect and communicate with other devices, that hurts the end-user experience.
New developments in hardware have helped to make up for the deficiency in resource-constrained compute power. A microcontroller unit (MCU) can have hardware acceleration features, meaning that cryptographic algorithms can be offloaded somewhat to the hardware of a device instead of relying entirely on the software. So high-grade public key algorithms can still function, even in a resource-constrained device.
Method 5: Securing Sensitive Devices
Most resource-constrained IoT devices don’t deal with particularly sensitive information. However, they often connect directly or indirectly to devices that do. For example, an air quality sensor in a manufacturing building might just gather data about chemicals in the air, but it might need to transfer that data to a system that monitors production rates, inventory levels, or whatever else you want your IoT system to monitor.
Since you won’t always have the ability to fully secure resource-constrained devices, you’ll need to put extra thought into securing them and the systems they communicate with. You want to make sure that resource-constrained IoT devices don’t end up being a backdoor into critical systems.
Since there might be hundreds of IoT devices in a single network, there are potentially hundreds of entry points for anyone with malicious intent. A single breach costs companies an average of $3.86 million. That’s why it’s essential to secure communication even with devices that may not directly deal with sensitive data.
Read Our Other Resources
We’ve also published a range of IoT device resources for our community, including:
- Overcome your IoT Security and Privacy challenges with this guide: https://www.nabto.com/how-overcome-iot-security-privacy-challenges/
- Read how Nabto keeps your IoT devices secure: https://www.nabto.com/security-in-nabto-p2p-iot-solutions/
- Sure up your IoT security with these best practices: https://www.nabto.com/5-best-practices-cloud-iot-security/