
May 2021

The Top Trends in IoT Security for 2021
Table of Contents

01. Introduction Page 4

02. IoT Structures and Security-Related Threats Page 4

03. Algorithms Used in IoT Security Page 5

04. Error Correction and Cryptography Page 6

05. Security at the Edge Level Page 7

06. Gateway Security Page 7

07. Communication Security Page 8

08. Cloud Level Security Page 10

09. IoT Security Trends for 2021 Page 11

2 www.element14.com/community
Top Trends in IoT Security for 2021

element14 is a Community of over 750,000 makers, professional engineers, electronics enthusiasts, and
everyone in between. Since our beginnings in 2009, we have provided a place to discuss electronics, get
help with your designs and projects, show off your skills by building a new prototype, and much more.
We also offer online learning courses such as our Essentials series, video tutorials from element14
presents, and electronics competitions with our Design Challenges.

Billions of IoT-enabled devices are already active across the globe, and that number is predicted to grow
steadily. But the security of these devices is sometimes lacking, allowing malicious actors to steal data
and hijack systems. This eBook will feature recent IoT security trends.

element14 Community Team

CHAPTER 1 Introduction

The Internet of Things (IoT) is a cluster of numerous interconnected objects, services, devices, and humans
that communicate and share information to accomplish actions in diverse applications. IoT solutions offer
meaningful insights and data to individuals and businesses. The IoT has several implementation domains, such as
transportation, distribution, agriculture, energy production, and healthcare. The benefits, however, are tempered
by these systems’ vulnerability to cyber-attacks. Recent research has revealed that 90 percent of consumers are
concerned about IoT device security; thus, IoT developers must ensure the confidentiality and integrity of IoT
solutions and data while diminishing cybersecurity risks. This eBook discusses IoT security-related issues and
highlights future trends in IoT security.

CHAPTER 2 IoT Structures and Security-Related Threats

The following IoT security threat categories must be factored in during any IoT system development:

Confidentiality Breach: Occurs when a third party can access sensitive information without the subscriber’s
consent.

Theft of Service: Occurs when security weaknesses in implemented protocols fall prey to hackers, who then
illicitly gain unauthorized access.

Data Integrity: Occurs when an unsanctioned user acquires deployed devices or injects unwanted messages into
the network. Hackers may target sensor-attached IoT nodes to disrupt plant production, for example.

Availability: Hackers use a “Denial of Service” attack, in which a device’s network is flooded with random
requests from connected nodes to overwhelm a server or a cloud application and, ultimately, crash it.

Industrial IoT devices are vulnerable to cyber threats like man-in-the-middle, distributed denial of service
(DDoS), device hijacking, and permanent denial of service (PDoS). The intention behind such attacks is to destroy
IIoT infrastructure. Attacks on industrial control systems (ICSs), including programmable logic controllers
(PLCs), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and
human-machine interfaces (HMIs), disrupt productivity and hamper service delivery across multiple industries.
The adoption of complex and powerful IP-based devices (for example, sophisticated microprocessors) comes with
increased risk.

Many wearables store unencrypted data on the local device. There is often no password or PIN protection and
no biometric security. User authentication is not required to access data recorded on a wearable, so sensitive
data can be easily accessed. Wearable devices wirelessly connect to tablets or smartphones using protocols like
Bluetooth, Wi-Fi, and NFC, creating another entry point. These wireless communications are vulnerable to
sustained brute-force attacks.

Automotive vehicles continue to advance and discard older technologies for newer, safer, and more efficient
ones. Robust cybersecurity underpins such new connected services, addressing nearly all the cybersecurity
challenges that once blighted connected transport. Standard strategies employed to infiltrate automotive IoT
solutions exploit weaknesses in peer authentication, gaps in endpoint integrity, practical cryptographic
tampering, the absence of separation between non-critical and critical applications, software application flaws,
and fragile business logic.

IoT has rapidly found traction in healthcare. Medical diagnoses are a major chunk of hospital bills. IoT enables
healthcare professionals to access a patient’s medical history, vitals, and lab results, either on-site or
remotely via smartphones or tablets. Risks are endemic when it comes to data gathering from devices specially
engineered for IoT use. Device storage is particularly vulnerable during network transmission and also inside
the cloud.

Sleep tracking devices measure heart rates and movements, and users benefit from quality sleep. These products,
however, come with privacy and security vulnerabilities. Downloaded third-party apps can contaminate sleep
tracking software and turn it into malware, enabling hackers to access the device remotely. Since most IoT
sleep-tracking devices communicate over public networks, the adversary can execute various attacks, such as
botnets and Denial of Service (DoS), to intercept that communication channel. A data breach may also happen, as
bad actors may remotely access the cloud-stored data by compromising it via malicious software.

CHAPTER 3 Algorithms Used in IoT Security

A few standard algorithms used in IoT security implementations include:

RSA: An asymmetric encryption algorithm whose public and private keys are derived from two randomly chosen
prime numbers. The public key encrypts the message, which is then decrypted by the private key.

Advanced Encryption Standard (AES): A symmetric-key block cipher based on a substitution-permutation network
(SPN). It uses a fixed 128-bit block and three key sizes (128, 192, and 256 bits).

Secure Hash Algorithm (SHA): SHA accepts data input and generates a message digest, or hash. SHA-0 and SHA-1
produce 160-bit hashes, and SHA-2 is a family of functions with 256-bit and 512-bit variants. The algorithm
accepts data of any size and reduces it to a string of a specific, predefined size. The resulting string is
termed a “hash,” and applying the hash function to arbitrary inputs is termed “hashing.”

Elliptic Curve Digital Signature Algorithm (ECDSA): Used for message authentication. A private key signs a
message, and any receiver who holds the sender’s public key can verify that the message came from that sender.

Elliptic Curve Password Authenticated Key Exchange by Juggling (ECJPAKE): A password-authenticated key
agreement protocol that does not require Public Key Infrastructure (PKI) authentication. An authenticated,
private channel is established on top of an insecure network based exclusively on a shared password.

Cyclic Redundancy Check (CRC): Frequently used to detect and correct errors in storage devices and digital
communication networks. A few check bytes, derived from the remainder of a polynomial division over the block’s
content, are appended to each block of data. On the receiver side, the CRC bytes are recalculated from the
received data and compared with the received CRC. If they do not match, the received data are discarded or
corrected.

CHAPTER 4 Error Correction and Cryptography

Error detection and correction methods preserve data integrity, especially during transfers. Parity bit checks,
polar codes, CRC checks, and hashing are a few popular techniques. Data security focuses on encryption to
encipher or decipher data. Cryptography can be symmetric or asymmetric, depending on the case.

Symmetric cryptography: In this setup, the same key is shared between the sender and the receiver. Sharing the
key between the communicating parties poses a security risk. The Diffie-Hellman key exchange technique is a
secure method to exchange keys over a potentially insecure channel before communication.

Asymmetric or public-key cryptography: In this setup, a pair of public and private keys is used. Both keys are
mathematically related, yet different. The sender uses the receiver’s public key to encrypt the data. Only the
receiver’s private key, which is never shared, can decrypt the encrypted data. Public key cryptography is
frequently used for authenticity.
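As an added example (not code from the eBook), the CRC scheme described in Chapters 3 and 4 in Go: the sender appends a CRC-32 to each block, and the receiver recomputes it over the received data and discards the block on a mismatch. The frame layout, the sample sensor reading and the FlipBit helper are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// ErrCRCMismatch is returned when the recomputed CRC does not match the
// CRC carried in the frame.
var ErrCRCMismatch = errors.New("crc mismatch: frame corrupted")

// AppendCRC is the sender side: it computes CRC-32 (IEEE polynomial, as used
// by Ethernet and zlib) over the payload and appends the 4-byte check value,
// little-endian, to form the transmitted frame.
func AppendCRC(payload []byte) []byte {
	frame := make([]byte, len(payload)+4)
	copy(frame, payload)
	binary.LittleEndian.PutUint32(frame[len(payload):], crc32.ChecksumIEEE(payload))
	return frame
}

// VerifyCRC is the receiver side: it splits the frame into payload and the
// received CRC, recomputes the CRC over the payload and compares the two.
// On a mismatch the payload is discarded (nil) and an error is returned.
func VerifyCRC(frame []byte) ([]byte, error) {
	if len(frame) < 4 {
		return nil, errors.New("frame too short to carry a CRC")
	}
	payload := frame[:len(frame)-4]
	received := binary.LittleEndian.Uint32(frame[len(frame)-4:])
	if crc32.ChecksumIEEE(payload) != received {
		return nil, ErrCRCMismatch
	}
	return payload, nil
}

// FlipBit simulates a single-bit transmission error at the given bit offset
// and returns a modified copy of the frame.
func FlipBit(frame []byte, bit int) []byte {
	out := append([]byte(nil), frame...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

func main() {
	// Constructed sample sensor reading (not from the eBook).
	reading := []byte("node=07;temp=21.5;hum=43")
	frame := AppendCRC(reading)
	fmt.Printf("frame (%d bytes): % x\n", len(frame), frame)

	if p, err := VerifyCRC(frame); err == nil {
		fmt.Println("clean frame accepted:", string(p))
	}
	// Note: a CRC only catches accidental corruption. An adversary who alters
	// the payload can simply recompute the CRC, which is why integrity against
	// tampering needs a keyed check (MIC/MAC) as used by LoRaWAN and ZigBee.
	if _, err := VerifyCRC(FlipBit(frame, 37)); err != nil {
		fmt.Println("corrupted frame rejected:", err)
	}
}
```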


CHAPTER 5 Security at the Edge

Easily accessible edge (node) devices must be physically protected to bar access to communication ports or
interference with firmware. Anyone with physical access to hardware during manufacture, installation, or even
deployment may threaten security. UARTs and other device-debugging interfaces are easily compromised and must
be secured against unlawful access. A few recent controllers and processors offer dedicated
encryption/decryption engines. Some IoT devices use processors with operating system support, making OS-level
security crucial. ICs are vulnerable to key capture, malware injection, and counterfeiting during distribution
and production.

Security ICs create a barrier that separates vital processes from the IoT application software, so that those
processes run in a safe environment. They integrate nonvolatile memory into the IC to manage and transport the
keys securely.

Products like the A71CH and A1006 are examples of security ICs. NXP’s A71CH Trust Anchor uses a “plug and
trust” approach with its microcontrollers, locally storing the secret keys for asymmetric cryptography
solutions. The A1006 is a tamper-proof authenticator IC that comes with a private key and the corresponding
certificate, which carries the public key, the customer’s product fields, a unique identifier, and usage. The
static keys are unique for every A1006. The certificates are digitally signed with an ECDSA key, based on the
SHA-224 digest and the NIST P-224 curve, by the client’s chosen certificate authority.

Figure 1: A71CH block diagram (Image Source: NXP Semiconductors)
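As an added example, not NXP’s code or certificate format, the certificate check described above in Go: a certificate authority signs a device’s public key and identity fields with ECDSA over NIST P-224 and a SHA-224 digest, and the host verifies that signature before trusting the part. The DeviceCert type, its field layout and the product name are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeviceCert is a constructed stand-in for the certificate fields the eBook lists (not NXP's format).
type DeviceCert struct {
	UniqueID [8]byte // per-device identifier
	Product  string  // customer's product field
	Usage    byte    // usage field
	PubKeyX  []byte  // device's P-224 public key, X coordinate
	PubKeyY  []byte  // device's P-224 public key, Y coordinate
}

// TBS serialises the to-be-signed fields deterministically (length-prefixed
// product string); the signature covers exactly these bytes.
func (c DeviceCert) TBS() []byte {
	b := append([]byte(nil), c.UniqueID[:]...)
	b = append(b, byte(len(c.Product)>>8), byte(len(c.Product)))
	b = append(b, c.Product...)
	b = append(b, c.Usage)
	b = append(b, c.PubKeyX...)
	return append(b, c.PubKeyY...)
}

// SignCert is the CA's step: SHA-224 digest of the TBS bytes, signed with the
// CA's P-224 private key (ASN.1 DER encoded signature).
func SignCert(ca *ecdsa.PrivateKey, c DeviceCert) ([]byte, error) {
	digest := sha256.Sum224(c.TBS())
	return ecdsa.SignASN1(rand.Reader, ca, digest[:])
}

// VerifyCert is the host's check before trusting a device: recompute the
// digest and verify the signature against the CA's public key.
func VerifyCert(caPub *ecdsa.PublicKey, c DeviceCert, sig []byte) bool {
	digest := sha256.Sum224(c.TBS())
	return ecdsa.VerifyASN1(caPub, digest[:], sig)
}

// Provision models the factory flow: a CA key pair, a device key pair, and a
// signed certificate binding the device's public key to its identity fields.
func Provision(product string) (*ecdsa.PublicKey, DeviceCert, []byte, error) {
	ca, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	if err != nil {
		return nil, DeviceCert{}, nil, err
	}
	dev, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	if err != nil {
		return nil, DeviceCert{}, nil, err
	}
	cert := DeviceCert{Product: product, Usage: 1,
		PubKeyX: dev.PublicKey.X.Bytes(), PubKeyY: dev.PublicKey.Y.Bytes()}
	if _, err := rand.Read(cert.UniqueID[:]); err != nil {
		return nil, DeviceCert{}, nil, err
	}
	sig, err := SignCert(ca, cert)
	return &ca.PublicKey, cert, sig, err
}

func main() {
	caPub, cert, sig, err := Provision("sensor-hub-rev2") // constructed name
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine certificate verifies:", VerifyCert(caPub, cert, sig))
	forged := cert
	forged.Product = "sensor-hub-rev3" // relabelled part: signature no longer matches
	fmt.Println("relabelled certificate verifies:", VerifyCert(caPub, forged, sig))
}
```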

CHAPTER 6 Gateway Security

Connected end nodes with no IP connection in a personal area network (PAN) cannot directly transmit data to
the cloud or web servers. As a result, these nodes require gateways that route the traffic to connect the PAN to
the Internet. This is not an issue if Ethernet or Wi-Fi is used to connect the devices. Since the gateway uses
UDP or TCP/IP to connect to these servers, the communication must be protected. The following protocols are
used for secured gateway-server communication:

HTTP/HTTPS

The Hypertext Transfer Protocol (HTTP) is an application layer protocol used in client-server models. Since
standard HTTP traffic is plain text, anyone with the right tools or physical access can read the packet’s
contents. HTTPS, a more secure version of HTTP, was developed to eliminate such issues. It uses SSL (Secure
Sockets Layer) or TLS (Transport Layer Security) to encrypt all traffic. The client uses an X.509 certificate
presented by the server, and this certificate contains the server’s public key. Only the private key, which is
never disclosed by the server, can decrypt data encrypted with that public key. HTTP is vulnerable to
distributed denial-of-service (DDoS) bombardment: the attacker uses HTTP GET or POST calls from internet-
connected or interconnected devices to swarm the server with traffic. An attacker can also execute a man-
in-the-middle (MITM) attack, forcing the server down to SSLv3 and carrying out the POODLE (Padding Oracle On
Downgraded Legacy Encryption) attack. This vulnerability is found in Cipher Block Chaining (CBC) mode.

MQTT

Message Queuing Telemetry Transport (MQTT) is an ISO-standard publish-subscribe messaging protocol. It runs on
top of TCP/IP, and its operation requires a broker implemented on the cloud server. MQTT relies on SSL/TLS or on
payload encryption. TLS should be combined with username and password authentication of users or network
nodes. If constrained resources discourage TLS, the user may instead encrypt the transmitted MQTT payload.
Authentication credentials may also be protected by hashing or another encryption method.

CoAP

Constrained Application Protocol (CoAP) is a lightweight RESTful protocol, particularly for M2M communication
in IoT applications. CoAP security uses Datagram Transport Layer Security (DTLS) and, by default, keys
equivalent to 3072-bit RSA.

CHAPTER 7 Communication Security

IoT end nodes utilize wireless technologies. Since air is the data transmission medium, any individual within
range of the Wi-Fi hotspot, modem, or access point may try to eavesdrop, making these nodes highly vulnerable.

Wi-Fi

Wi-Fi, a wireless local area networking technology, operates in the 2.4GHz or 5.8GHz ISM band based on the
802.11 standards. It has evolved with multiple security protocols to offer secure and seamless user
connectivity. Security options include WEP (Wired Equivalent Privacy), EAP (Extensible Authentication
Protocol), and WPA (Wi-Fi Protected Access).

LoRa/LoRaWAN

LoRa is a long-range, low-power wireless communication technology using the LPWAN ISM band. It is well suited
for battery-powered IoT end nodes. LoRaWAN is a media access control layer protocol specification for managing
communication among LoRa nodes and gateways. The gateways use IP connectivity to connect to cloud services, and
nodes send data to different gateways.

LoRa utilizes two-layer encryption:

• A distinct 128-bit Network Session Key (NwkSKey) shared between the network server and the end device

• A distinct 128-bit Application Session Key (AppSKey) shared end-to-end at the application level

All keys and authentication use the AES algorithm. Network and application-level encryption enable fully
private data transmission; even the network operator cannot access it. Keys are activated during commissioning
or production through Over-the-Air Activation (OTAA) or Activation by Personalization (ABP). OTAA is more secure
than ABP, as the keys are negotiated during the joining process.

A LoRaWAN device carries an EUI-64-based DevEUI global unique identifier and a 128-bit AppKey, which are used
during device authentication. Two AES-128 session keys, AppSKey and NwkSKey, are generated from the AppKey, and
they encrypt traffic between servers and nodes. AppSKey encrypts and decrypts the application payloads, and
NwkSKey verifies packet integrity and authenticity.
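As an added example, not from the eBook or any LoRaWAN stack, the OTAA session key derivation of LoRaWAN 1.0.x in Go: both session keys are obtained by encrypting one AES-128 block under the AppKey, so a fresh DevNonce at each join yields fresh NwkSKey and AppSKey values, which is why OTAA is preferred over ABP. The AppKey, AppNonce and NetID values are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// SessionKeys holds the two AES-128 keys a LoRaWAN 1.0.x device derives during
// an OTAA join:
//   NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
//   AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
// AppNonce (3 bytes) and NetID (3 bytes) come from the Join-Accept, DevNonce
// (2 bytes) from the device's Join-Request; all fields are little-endian.
type SessionKeys struct {
	NwkSKey [16]byte
	AppSKey [16]byte
}

// deriveKey runs a single AES block encryption under the root AppKey. AES acts
// as a one-way function here: without AppKey nobody, including the network
// operator, can reproduce the session keys from the nonces seen on the air.
func deriveKey(appKey [16]byte, tag byte, appNonce, netID [3]byte, devNonce uint16) ([16]byte, error) {
	var out [16]byte
	block, err := aes.NewCipher(appKey[:])
	if err != nil {
		return out, err
	}
	var in [16]byte
	in[0] = tag
	copy(in[1:4], appNonce[:])
	copy(in[4:7], netID[:])
	in[7] = byte(devNonce) // low byte first
	in[8] = byte(devNonce >> 8)
	// in[9:16] stays zero: this is the pad16
	block.Encrypt(out[:], in[:])
	return out, nil
}

// DeriveSessionKeys returns both session keys for one join exchange.
func DeriveSessionKeys(appKey [16]byte, appNonce, netID [3]byte, devNonce uint16) (SessionKeys, error) {
	var sk SessionKeys
	var err error
	if sk.NwkSKey, err = deriveKey(appKey, 0x01, appNonce, netID, devNonce); err != nil {
		return sk, err
	}
	sk.AppSKey, err = deriveKey(appKey, 0x02, appNonce, netID, devNonce)
	return sk, err
}

func main() {
	// Constructed values; a real AppKey is a per-device secret from provisioning.
	var appKey [16]byte
	copy(appKey[:], "constructed-key!") // exactly 16 bytes
	appNonce := [3]byte{0x11, 0x22, 0x33}
	netID := [3]byte{0x00, 0x00, 0x13}

	// Two joins with different DevNonce values: OTAA yields fresh session keys
	// every time, whereas ABP devices keep one fixed pair for their whole life.
	first, _ := DeriveSessionKeys(appKey, appNonce, netID, 0x0001)
	second, _ := DeriveSessionKeys(appKey, appNonce, netID, 0x0002)
	fmt.Println("join 1 NwkSKey:", hex.EncodeToString(first.NwkSKey[:]))
	fmt.Println("join 1 AppSKey:", hex.EncodeToString(first.AppSKey[:]))
	fmt.Println("join 2 NwkSKey:", hex.EncodeToString(second.NwkSKey[:]))
}
```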

Bluetooth Low Energy (BLE)

Bluetooth Low Energy (BLE) targets battery-operated devices and is recognized as a Personal Area Network (PAN)
technology. It shares the 2.400–2.4835 GHz ISM frequency band with classic Bluetooth.

Security Mode 1: This mode uses encryption to enforce security and has four levels:

• Level 1 – No security (no encryption and no authentication)

• Level 2 – Unauthenticated pairing with encryption

• Level 3 – Authenticated pairing with encryption

• Level 4 – Authenticated LE Secure Connections pairing with encryption

Security Mode 2: This mode uses data signing to enforce security and has two levels:

• Level 1 – Unauthenticated pairing with data signing

• Level 2 – Authenticated pairing with data signing

Sigfox

Sigfox, an ultra-narrowband LPWAN, uses the 868 and 902 MHz ISM frequencies. A distinct symmetric
authentication key is shipped with every Sigfox Ready device. Messages from or to the device carry a
cryptographic token computed from the authentication key, verifying the message’s origin and data integrity.
The authentication key is stored locally in the end device and is unique for every Sigfox Ready device. VPN
and SSL encryption are used for communication between the Sigfox base station and the Sigfox cloud. A message
originating from a Sigfox end node carries a distinct signature produced from the locally stored key, which
establishes the message’s authenticity. The message also carries an individual packet number, which protects
the network from message replay. Each message is transmitted three times on three distinct frequencies to
ensure delivery to the Sigfox cloud. This arrangement also hinders jamming, as the transmission frequencies
are random.

Thread

Designed for smart home use, Thread is an IPv6-based 6LoWPAN communication technology. ECJPAKE is a primary
security measure in the Thread network, using the NIST P-256 elliptic curve. Elliptic curve Diffie-Hellman is
used for key agreement, and Schnorr signatures serve as the NIZK (Non-Interactive Zero-Knowledge) proof
mechanism to authenticate the two peers. The NIZK also establishes a shared secret between them based on a
passphrase.

ZigBee

ZigBee applies the security model described in IEEE 802.15.4, which includes access control to network devices
(authentication), message integrity checks (MICs), encryption (symmetric-key cryptography), and confirmation
of the safety of transmitted frames. ZigBee’s symmetric-key cryptography uses three distinct types of keys for
peer-to-peer communication:

Master Key: Pre-installed by manufacturers on the device.

Link Key: Restricted to a pair of nodes and used to encrypt all point-to-point communication data at the
application level. This key is separate for each communicating node pair and minimizes master key distribution
risk in the network.

Network Key: Used at the network level and known to all nodes in the network.

Z-Wave

Z-Wave is a low-power RF communication technology targeted at smart home and home automation products with low
latency and small data packets. It supports mesh networking. The Z-Wave Alliance launched the S2 security
framework as a replacement for the original S0, with an enhanced key exchange mechanism. The S2 framework uses
the Elliptic Curve Diffie-Hellman (ECDH) algorithm for key exchange and AES to produce all the keys.

Near Field Communication (NFC)

NFC technology operates at 13.56MHz and supports data transfer speeds of up to 420kbps over a short
communication range (<10cm). It is integrated into devices and used for pairing and authentication in
contactless payment processes. NFC manufacturers may use any encryption algorithm to manage security attacks.

CHAPTER 8 Cloud Level Security

IoT devices tether to web services operating on cloud networks or assigned servers. It is of paramount
importance to maintain the safety of private data kept in applications, databases, and servers when designing
IoT applications.

Many service providers set up secured servers as Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS).
SaaS offers software to end users on a license basis, whereas PaaS is a complete development and deployment
environment located in the cloud.

Since servers are frequently installed in physically inaccessible data centers, system admins use SSH (Secure
Shell) to connect to remote servers. SSH keys, built on public-key cryptography, ensure secure communication.
SSL or TLS is employed with exposed web services. All server traffic gets encrypted, thus thwarting
man-in-the-middle attacks.

VPNs secure the connection among machines and present the connections as a private local network, adding an
extra security layer.


CHAPTER 9 IoT Security Trends for 2021

2020 was, by any measure, a disruptive year. The sheer unpredictability of the COVID-19 pandemic forced
organizations to pivot, change, and adapt. Here are some of the leading IoT security trends happening today.

1. Keeping Computing Private

Confidential computing requires a trusted ecosystem where organizations can confidently share data in untrusted
environments. Private, secure computing frequently involves three technologies that shield data during its use.
Confidential computing creates a protected data processing environment. Privacy-aware machine learning (ML)
enables decentralized data analytics and processing. Cryptographic techniques like homomorphic encryption let
third parties process encrypted data and return the encrypted result to the owner of that data. The data stays
enclosed by encryption throughout, and only the data owner can access it.

2. CSPM: The Way to Effortless Compliance

Organizations use Cloud Security Posture Management (CSPM) for automated GDPR, HIPAA, and CCPA compliance. This
versatile tool automates a broad range of cloud security management tasks across different cloud
infrastructures. Companies frequently use CSPM tools to identify risks and mitigate them.

3. Distributed Cloud

The distributed cloud accommodates privacy laws that dictate data housing in specific geographical areas. It
offers public cloud options at several physical locations. The public cloud provider maintains the services
and, when required, physically implements them, and it can evolve to satisfy growing user needs. Distributed
cloud supports low-latency use cases and reduces data costs.

4. Location-independent Functions

Location-agnostic operations enable proper administration of distributed infrastructure spread across multiple
business services. They are designed to help employees and support customers. Organizations enjoy seamless
remote access through passwordless, multifactor authentication. Security perimeters are achieved through secure
access service edge (SASE), zero-trust security, and identity.

5. Zero Trust Cybersecurity

Contrary to popular perception, zero trust cybersecurity is not an assortment of technologies but rather an
evolving security culture. An individual’s identity dictates that person’s customized security perimeter, and
the same applies to specific devices. A granular and secure approach calls for effective, robust authentication
and authorization. This is achieved by centralizing policy orchestration and distributing policy enforcement.

6. Time Tested Cloud PKI

Public key infrastructure (PKI), a security tool, is used by numerous organizations. It is complex, and secure
facilities are needed to administer it. PKI also needs dedicated, trained personnel for smooth operation.
However, the introduction of IoT, DevOps, and cloud, and their subsequent popularity, has changed PKI’s role in
the industry.

7. Endpoint Management

Organizations need proper endpoint management solutions, as cybercriminals may use unmanaged endpoints to enter
corporate networks without permission. A good solution brings multiple benefits, such as remote workforce
protection, management of endpoint environments, and automated compliance and provisioning.

8. Responsible AI

Artificial Intelligence (AI) is a potentially disruptive, powerful technology. Its apparently limitless
applications raise multiple concerns like workforce displacement, privacy loss, potential biases during
decision-making, and the absence of control over robots and automated systems. Responsible AI eliminates such
concerns.
It promises (and delivers) accountable, ethical, and transparent usage of AI technologies
compatible with user expectations, societal laws, and organizational values. Responsible AI
fosters innovation in organizations to realize AI’s transformative potential.

Want to learn more about IoT security and other related topics? Visit our IoT page here.

300 S. Riverside Plaza, Suite 2200, Chicago, IL 60606
www.element14.com/community
Facebook.com/e14Community
Twitter.com/e14Community

© 2021 by Newark Corporation, Chicago, IL 60606. All rights reserved. No portion of this publication, whether in whole or in part, can be reproduced without the express written consent of
Newark Corporation. Newark® is a registered trademark of Farnell Corp. All other registered and/or unregistered trademarks displayed in this publication constitute the intellectual property
of their respective holders. WF-2509563
