The Internet of Things (IoT) exemplifies the trend of formerly autonomous devices becoming increasingly connected (directly or indirectly) to the Internet. IoT refers to multiple “things” that are able to communicate with one another to do more than if they were operating on their own. Devices that incorporate a microprocessor and data communication capabilities are IoT devices.
The “Thing” indicates hardware and software that, in the past, performed its function:
The “Internet” refers to the ability of devices to communicate with one another. In many IoT systems, communication between things isn’t necessarily conducted over the Internet. Things may use Internet protocols to communicate with each other. Or, they may use proprietary protocols. However, in most systems, a connection to the Internet is present at some point. Common examples using the Internet involve devices communicating with one of the following:
This is true even when the IoT devices themselves don’t use a connection but the user’s mobile device does.
IoT allows devices to be controlled in ways that were not previously possible. In the past, physical proximity was a requirement when interacting with devices. Engineers connected mechanical or electrical devices to perform or respond to a localized physical event. The proximal mechanical connection limited the ways to control the device. Today, microprocessors with advanced communications capabilities are inexpensive and easy to design into products.
Interactions that were once constrained by physical and proximal access are now performed with a command sent wirelessly or via wire. This freedom allows things to be controlled in ways not previously imagined. It also allows for the creation of IoT ecosystems. For example, cars, homes, and factories now contain rich collections of IoT devices. They sense and control one another using data rather than rigid mechanical systems.
Data communications provide tremendous flexibility in device use. They eliminate the need for a physical presence or physical connections.
What really makes IoT so important is that we as a society now rely on these connected devices to perform critical functions. Self-driving cars are a good example of something that is safety-critical to many. This includes the occupants of the car itself, nearby cars, pedestrians, and structures. The potential benefit is yet to be fully understood. That also goes for the potential risk of something going wrong.
The freedom and flexibility of IoT devices also provide new opportunities for attackers to abuse devices. Attackers once had to be physically present, controlling one device at a time. An Internet connection now allows many devices to be simultaneously attacked.
A system under attack may not even have a direct Internet connection. A connected device may be taken over by an attacker and used as a conduit to control a disconnected system. In 2015, researchers demonstrated how an Internet connection allows drivers to lock and unlock their car. The research showed how a would-be attacker could also have gained control of the vehicle’s systems—including the brakes. More recently, researchers have demonstrated the ability to re-program an electronic control unit (ECU) and control other critical auto systems (e.g., steering and acceleration).
In the new IoT world, ensuring that systems are performing the correct and intended functions can be essential to human safety.
Concerns that users of IoT ecosystems need to be aware of include:
Let’s also consider the IoT device manufacturers. It’s their responsibility to make security a priority. Attacks on IoT devices aren’t necessarily limited to the primary functionality of the device. After all, security issues can lead to costs in areas other than the product’s primary function.
In comparison to Web, mobile, desktop, and business application security, IoT security presents unique challenges, including:
More and more industries are building IoT devices. However, many are not familiar with the measures needed to make software secure. At Synopsys, we adapt security fundamentals to the unique features of the IoT ecosystem. The target result is a sustained organizational initiative around IoT security that provides continuous and comprehensive security risk identification and mitigation.