Why is it challenging to ensure the security of IoT Ecosystems?
Nowadays, Internet of Things (IoT) solutions are part of almost every aspect of our daily life, thus such devices are continuously involved in the monitoring and storage of private and sensitive information, related to users’ health condition, residency, habits and so forth.
However, during the last years, we have witnessed a dramatic increase regarding the security incidents involving these types of devices. These events induce an enormous financial impact on the economy of organizations and enterprises, while they have severe privacy and security implications to the end-users. One of the most representative incidents was that of the Mirai botnet attack, when mis-configured or security-neglected IoT devices were enslaved into a massive DDoS attack. It is expected that in the near future nearly six IoT devices will be connected to each human on average, as it is foreseen that the total number of IoTs will raise to 50 billion by 2020. So, there is an ongoing concern that the security incidents involving IoT devices will continue to grow in numbers and severity.
Therefore, the following questions come to mind; why is it so challenging to develop security solutions for IoT ecosystems and why it is not feasible to apply existing security mechanisms, well established in other fields of ICT, to the domain of IoT. Since so far, there is no specific IoT focused security solution, but rather efforts to reactively mitigate security incidents after their spread out.
One of the main reasons behind that is the restricted resources available on IoT devices. Such devices are designed to implement specific purposes under strict budget restrictions. Thus, they are employed with limited CPU and memory capabilities, while they have power restrictions and limited battery life, which prevents intensive computations, such as monitoring or logging, for long periods of time. In addition, the controlling gateways suffer from the same limitations of resource restrictions. In practice, it is also not feasible to utilize the same security mechanisms, as it is common case that the existing libraries and software solutions cannot be loaded and run into the gateways. Security mechanisms have to be re-engineered, in order to be equally effective in a more constrained environment.
On the other hand, within an IoT ecosystem coexists a plethora of heterogeneous wireless protocols, such as Wi-Fi, Bluetooth, ZigBee, Z-Wave, and others. Each one has its own characteristics, various packet fields, diverse addressing schemes and could suffer from different types of threats. Consequently, a tailored solution to each one of the specific wireless interfaces should be implemented, in order to consider the distinct properties and functionalities of each protocol and consequently address any interface specific security incident.
Finally, IoT devices firmware is typically out of date. Manufacturers usually do not update the firmware of their devices, even if a security vulnerability is disclosed. The business model of IoT ecosystem is based on the assumption that devices manufacturing and maintenance shall be done on the minimum possible budget and thus production of updated versions of firmware is not common practice. Even in the cases that manufactures do release updated versions of firmware, the users find difficult to apply such updates to their devices. Practically, IoT devices are released to market, deployed in installations and are then destined to become vulnerable sooner or later. In order to protect such systems, an external mechanism that will monitor network traffic is required, which is not always feasible.
Due to all the aforementioned reasons, security of IoT systems require a lot of effort in order to build specific IoT tailored solutions. Applying traditional security mechanisms will not produce any fruitful results. Cyber security community has recently become aware of the security challenges in IoT domain and a lot of effort has been targeted towards producing the appropriate mechanisms and systems that will enable IoT systems to function, without imposing security and privacy threats for the end-users. Given the foreseen increase of the number of installed IoT devices in the coming years, this effort shall be successful.