The Internet of Things (IoT) is now powering many different business processes. From smart factories (Industry 4.0) to interconnected devices right within your home, IoT technologies are slowly becoming the industry standard.
However, the popularity of interconnected devices comes with its own set of risks. IoT devices provide more gaps and potential weak points for cybercrime perpetrators. Without a secure and encrypted environment, hackers can access various IoT devices and affect how they process and share information.
In an attempt to address this challenge, the National Institute of Standards and Technology (NIST) proposed the creation of standardized security practices for IoT devices.
But how will these standards apply to connected data and how can they mitigate potential risks?
Defining the Internet of Things
Before diving into the standards proposed by NIST, you should first understand what the IoT is and how it affects your devices. Simply put, any device that can connect and share information with another device falls under the Internet of Things.
These devices work via a network of sensors that can detect various stimuli (such as temperature, pressure, or electricity) and transmit this signal to a receiver device.
Smart systems are excellent examples of IoT. If you use your phone to turn on the lights in your home or to increase the volume of your TV, you’re using an IoT device. Similarly, if you’re using wireless Bluetooth headphones to listen to music, you’re also using an IoT device.
How Bluetooth Works
Bluetooth signals are one of the most common channels through which IoT devices operate. These devices use a Bluetooth connection to transmit signals and to share information in real time. But how does Bluetooth work?
A Bluetooth signal is a low-frequency, short-distance radio wave. Bluetooth signals can either connect devices directly to the internet, or just to each other. In most cases, Bluetooth signals are considered “lightweight” because they have limited frequencies and power consumption.
Security Risks Related to IoT Devices
As useful as the IoT is, it presents unique data security challenges. In regular devices such as computers, firewalls and data security programs can be installed to protect the computer network.
However, IoT is different. The biggest security concern in an IoT environment arises from automation. IoT devices are designed to operate with minimal human intervention. Because they collect, process, and share data automatically, we can spend less time operating the actual device and more time interacting with information.
This minimal human supervision presents a vulnerable point for cyber-attacks. For example, there are many medical devices that monitor a patient’s heart rate and transmit data automatically to doctors. If cyber attackers intercept this network, it can lead to a patient’s sensitive health data being compromised. Furthermore, IoT devices don’t enjoy the protection of firewalls, passwords, and encryption methods.
5 Main Security Gaps in the IoT
When determining a risk management approach for IoT devices, it’s important to understand the 5 main security gaps that IoT devices face. Let’s look at each of them individually.
IoT devices don’t use a secure network to send information back and forth. Think of it as public Wi-Fi access, where information can be easily intercepted.
IoT networks are also not protected by passwords or other authentication methods. Therefore, sensitive data can be accessed and used by unwanted parties.
Bluetooth signals work via a very simple mechanism. They’re not capable of controlling who can access specific pieces of data. Therefore, you can’t create specific parameters for who can access relevant information.
There is also a risk to data integrity within the network. This means that you can’t control the people who access information being shared between Bluetooth devices.
Many Bluetooth devices connect (via pairing) to a primary device (such as a smartphone, computer, or tablet) over an open network. This open network, if not properly secured, can be a vulnerable spot for malicious people to connect to your primary device without permission.
The Role of NIST’s Cryptography Project
Over the past 4 years, NIST has been working with various industry players (from car manufacturers to power grid experts) to create a minimal set of standards for protecting interconnected devices.
Currently, NIST has developed a draft of the “NIST Lightweight Cryptography Standardization Process”. This proposal focuses on developing a minimum set of requirements related to authenticated encryption. Referred to as authenticated encryption with associated data (AEAD), this process focuses on creating encryption schemes that prevent massive attacks on IoT devices. The system is being designed to work without affecting the low energy, power and speed requirements of these devices.
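The following is an added example, not code from this article or from NIST, showing what an AEAD interface gives an IoT link: the sensor reading is encrypted, and one tag authenticates both the reading and a cleartext header. The cipher here is an encrypt-then-MAC stand-in built from HMAC-SHA256 in the Python standard library, not a NIST lightweight candidate; the device name, header format and key are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # bytes of the HMAC-SHA256 output kept as the tag

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real cipher."""
    blocks = (length + 31) // 32
    return b"".join(_prf(enc_key, nonce + struct.pack(">I", i)) for i in range(blocks))[:length]

def _tag(mac_key, nonce, aad, ct):
    # Length prefixes keep the nonce/aad/ciphertext boundaries unambiguous.
    return _prf(mac_key, struct.pack(">II", len(nonce), len(aad)) + nonce + aad + ct)[:TAG_LEN]

def seal(key, nonce, plaintext, aad):
    """Encrypt plaintext, then authenticate nonce + aad + ciphertext."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + _tag(mac_key, nonce, aad, ct)

def unseal(key, nonce, sealed, aad):
    """Return the plaintext, or None when the tag does not verify."""
    if len(sealed) < TAG_LEN:
        return None
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        return None  # reject before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed sample: one reading from a hypothetical heart-rate monitor.
KEY = bytes(range(32))                    # demo key, never a real one
NONCE = os.urandom(12)                    # must be unique per message under one key
HEADER = b"device=hr-monitor-01;seq=42"   # associated data: readable, but authenticated
READING = b'{"heart_rate_bpm": 72}'       # payload: encrypted and authenticated
SEALED = seal(KEY, NONCE, READING, HEADER)

if __name__ == "__main__":
    print("round trip      :", unseal(KEY, NONCE, SEALED, HEADER))
    flipped = bytes([SEALED[0] ^ 1]) + SEALED[1:]
    print("flipped one bit :", unseal(KEY, NONCE, flipped, HEADER))
    print("edited header   :", unseal(KEY, NONCE, SEALED, HEADER.replace(b"42", b"43")))
    print("wrong key       :", unseal(bytes(32), NONCE, SEALED, HEADER))
```

The receiver gets the reading back only when the key, nonce, header and ciphertext all match what the sender sealed; any change to the payload or to the unencrypted header makes `unseal` return `None`.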