IoT Security 2021
2 www.element14.com/community
Top Trends in IoT Security for 2021
element14 is a Community of over 750,000 makers, professional engineers, electronics enthusiasts, and
everyone in between. Since our beginnings in 2009, we have provided a place to discuss electronics, get
help with your designs and projects, show off your skills by building a new prototype, and much more.
We also offer online learning courses such as our Essentials series, video tutorials from element14
presents, and electronics competitions with our Design Challenges.
Billions of IoT-enabled devices are already active across the globe, and that number is predicted to grow
steadily. But the security of these devices is sometimes lacking, allowing malicious actors to steal data
and hijack systems. This eBook will feature recent IoT security trends.
The Top Trends in IoT Security for 2021
CHAPTER 1 Introduction
The Internet of Things (IoT) is a cluster of numerous interconnected objects, services, devices, and humans
that communicate and share information to accomplish actions in diverse applications. IoT solutions offer
meaningful insights and data to individuals and businesses. The IoT has several implementation domains like
transportation, distribution, agriculture, energy production, and healthcare. The benefits, however, are tempered
by their vulnerability to cyber-attacks. Recent research has revealed that 90 percent of consumers are concerned
about IoT device security; thus, IoT developers must ensure the confidentiality and integrity of IoT solutions and
data while diminishing cybersecurity risks. This eBook discusses IoT security-related issues and highlights future
trends in IoT security.
messages inside the network. Hackers may target sensor-attached IoT nodes to disrupt plant production, for example.

Availability: Hackers use a "Denial of Service" attack, in which a device's network is flooded with random requests from connected nodes to overflow a server or a cloud application and, ultimately, crash it.

Industrial IoT devices are vulnerable to cyber threats like man-in-the-middle, distributed denial of service (DDoS), device hijacking, and permanent denial of service (PDoS). The intention behind such attacks is to destroy IIoT infrastructure. Attacks on industrial control systems (ICSs), including programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and human-machine interfaces (HMIs), disrupt productivity and hamper service delivery across multiple industries. The adoption of complex and powerful IP-based devices (for example, sophisticated microprocessors) comes with increased risk.

Many wearables preserve unencrypted data on their local device. There is often no password or PIN protection and zero biometric security. User authentication is not required to access data recorded on a wearable, and sensitive data can be easily accessed. Wearable devices wirelessly connect to tablets or smartphones, using protocols like Bluetooth, Wi-Fi, and NFC, thus creating another entry point. These wireless communications are vulnerable to a continuous brute-force attack.

Automotive vehicles continue to advance and discard older technologies for newer, safer, and more efficient ones. Robust cybersecurity underpins such new connected services, overriding nearly all cybersecurity challenges that once blighted connected transport. Standard strategies employed to infiltrate automotive IoT solutions exploit vulnerabilities in peer authentication, gaps in endpoint integrity, practical cryptographic tampering, the absence of partitioning between non-critical and critical applications, software application flaws, and business logic fragility.

IoT has rapidly found traction in healthcare. Medical diagnoses are a major chunk of hospital bills. IoT enables healthcare professionals to access a patient's medical history, vitals, and lab results. The technology enables either on-site access or remote access via smartphones or tablets. Risks are endemic when it comes to data gathering from devices specially engineered for IoT use. Device storage is particularly vulnerable during network transmission and also inside the cloud.

Sleep tracking devices measure heart rates and movements, and users benefit from quality sleep. These products, however, come with security issues like privacy and security vulnerabilities. Downloaded third-party apps can contaminate sleep tracking software and turn it into malware, enabling hackers to access the device remotely. Since most IoT sleep-tracking devices communicate over public networks, the adversary can execute various attacks, such as botnets and denial of service (DoS), to intercept that communication channel. A data breach may also happen, as bad actors may remotely access the cloud-stored data. This is done by compromising the data via malicious software.
Secure Hash Algorithm (SHA): The SHA accepts data input and generates the message digest or hash. SHA-0 and SHA-1 utilize 16-bit hashing, and SHA-2 comprises two function sets with 256-bit and 512-bit outputs respectively. This algorithm accepts data of any size and resolves it to a string of a specific, predefined size. The resulting string is termed a "hash," and the process of applying the hash function to arbitrary inputs is termed "hashing."

Elliptic Curve Digital Signature Algorithm (ECDSA): This is used for message authentication. A private key is used to sign a message, and any receiver who has the sender's public key can verify that the message came from that sender.

Elliptic Curve Password Authenticated Key Exchange by Juggling (ECJPAKE): A password-authenticated key agreement protocol that works without Public Key Infrastructure (PKI) authentication. An authenticated and private channel is established on top of an insecure network, based exclusively on a shared password.

Cyclic Redundancy Check (CRC): Frequently used to detect and correct errors in storage devices and digital communication networks. A short check value, derived from the remainder of a polynomial division over the block's content, is appended to each block of data. On the receiver side, the CRC bytes are recalculated from the received data and then compared with the received CRC. If they do not match, the received data are discarded or corrected.
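The receiver-side check described above, as an added example (not code from the eBook): a Go program that appends a CRC-32 trailer to a constructed sensor reading, recomputes it on receipt, and rejects a frame with a flipped bit. The frame layout (4-byte big-endian trailer) and the sample reading are assumptions; the comment on VerifyFrame notes why a keyless CRC cannot stand in for the keyed message integrity checks that the protocols later in this chapter use.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Frame layout assumed for this example: payload followed by a 4-byte
// big-endian CRC-32 (IEEE polynomial) trailer.
const crcLen = 4

// EncodeFrame appends the CRC-32 of payload, as the sender does.
func EncodeFrame(payload []byte) []byte {
	frame := make([]byte, len(payload)+crcLen)
	copy(frame, payload)
	binary.BigEndian.PutUint32(frame[len(payload):], crc32.ChecksumIEEE(payload))
	return frame
}

// VerifyFrame recalculates the CRC over the received payload and compares it
// with the received trailer, returning the payload and whether they matched.
// Note: the CRC is keyless, so it catches channel errors but not deliberate
// tampering; anyone who can alter the payload can recompute a valid trailer.
func VerifyFrame(frame []byte) ([]byte, bool) {
	if len(frame) < crcLen {
		return nil, false
	}
	payload := frame[:len(frame)-crcLen]
	received := binary.BigEndian.Uint32(frame[len(frame)-crcLen:])
	return payload, crc32.ChecksumIEEE(payload) == received
}

// FlipBit returns a copy of frame with one bit inverted, simulating a
// transmission error (CRC-32 detects every single-bit error).
func FlipBit(frame []byte, bit int) []byte {
	out := append([]byte(nil), frame...)
	out[bit/8] ^= byte(1) << uint(bit%8)
	return out
}

func main() {
	frame := EncodeFrame([]byte("temp=21.5;hum=40")) // constructed sample reading
	_, ok := VerifyFrame(frame)
	fmt.Println("clean frame accepted:", ok) // true
	_, ok = VerifyFrame(FlipBit(frame, 13))
	fmt.Println("corrupted frame accepted:", ok) // false
}
```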
Easily accessible edge (node) devices must be physically protected to bar communication port access or firmware interference. Anyone with physical access to hardware during manufacture, installation, or even deployment may threaten security. UARTs and other device-debugging interfaces are easily compromised and must be secured against unlawful access. A few recent controllers and processors offer exclusive encryption/decryption engines. Some IoT devices utilize processors with operating system support, making OS-level security crucial. ICs are vulnerable to key capture, malware injection, and counterfeiting during distribution and production.

to function in a safe environment. They integrate nonvolatile memory into the IC to manage and transport the keys securely.

Products like A71CH and A1006 are examples of Security ICs. NXP's A71CH Trust Anchor utilizes a "plug and trust" approach vis-a-vis its microcontrollers, to locally save the secret keys for asymmetric cryptography solutions. The A1006 is a tamper-proof authenticator IC and comes with a private key and the corresponding certificate, which holds the public key, the customer's product fields, a unique identifier, and usage. The static keys are unique for every A1006. The certificates are digitally signed with ECDSA over the NIST P-224 curve using a SHA-224 digest, by the customer's chosen certificate authority.
Connected end nodes with no IP connection in a personal area network (PAN) cannot directly transmit data to the cloud or web servers. As a result, these nodes require gateways that route the traffic to connect the PAN to the Internet. This ceases to be an issue if Ethernet or Wi-Fi is used to connect the devices directly. Since the gateway uses UDP or TCP/IP to connect to these servers, the communication must be protected. The following protocols find use in secured gateway-server communication:
HTTP/HTTPS
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used in client-server models. Since standard HTTP traffic is plain text, anyone with the right tools or physical access can read the packet's contents. HTTPS, a more secure version of HTTP, was developed to eliminate such issues. It uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt all traffic. The client uses the X.509 certificate presented by the server, which usually contains the public encryption key. Only the private key, which is never disclosed by the server, can decrypt the data. HTTP is vulnerable to distributed denial-of-service (DDoS) bombardment: the attacker uses HTTP GET or POST calls from internet-connected or interconnected devices to swarm the server with traffic. The attacker can also execute a man-in-the-middle (MITM) attack that forces the connection down to SSLv3 and then carries out the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. This vulnerability lies in SSLv3's use of Cipher Block Chaining (CBC) mode.
MQTT
COAP
The Constrained Application Protocol (CoAP) is a lightweight RESTful protocol designed particularly for machine-to-machine (M2M) communication in IoT applications. CoAP security uses Datagram Transport Layer Security (DTLS) and, by default, uses 3072-bit RSA-equivalent keys.
IoT end nodes utilize wireless technologies. Since air is the data transmission medium, any individual within range of the Wi-Fi hotspot, modem, or access point may try to eavesdrop, making these nodes highly vulnerable.

Wi-Fi, a wireless Local Area Networking technology, operates on the 2.4GHz or 5.8GHz ISM band based on the 802.11 standards. It has evolved with multiple security protocols to offer secure and seamless user connectivity. Security options include WEP (Wired Equivalent Privacy), EAP (Extensible Authentication Protocol), and WPA (Wi-Fi Protected Access).

LORA/LORAWAN

LoRa refers to a long-range, low-power wireless communication technology utilizing the LPWAN ISM band. It is well suited for battery-powered IoT end nodes. LoRaWAN refers to a media access control layer protocol specification for managing communication among LoRa nodes and gateways. The gateways use IP connectivity to connect to cloud services, and nodes send data to different gateways. LoRaWAN uses two session keys:

• A distinct 128-bit Network Session Key (NwkSKey) shared between the network server and the end-device
• A distinct 128-bit Application Session Key (AppSKey) shared end-to-end at the application level

All keys and authentication use the AES algorithm. Network- and application-level encryption enable fully private data transmission; even the network operator cannot access it. Keys are activated during commissioning or production through Over-the-Air Activation (OTAA) or Activation by Personalization (ABP). OTAA is more secure than ABP, as the keys are negotiated during the joining process.
An EUI-64 based DevEUI global unique identifier and
128-bit AppKey accompany a LoRaWAN device and
are used during device authentication. Two AES-128
session keys, AppSKey and NwkSKey, are generated
from the AppKey, and they encrypt traffic between
servers and nodes. AppSKey encrypts and decrypts
the application payloads, and NwkSKey verifies packet
integrity and authenticity.
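The OTAA key negotiation described above, as an added example not taken from the eBook or from any LoRaWAN stack: Go code that derives NwkSKey and AppSKey from the AppKey and the join nonces the way LoRaWAN 1.0.x specifies (one AES-128 block encryption per key), plus the DevNonce replay check a network server must perform before accepting a join. The AppKey, nonce, and NetID values are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// JoinParams: DevNonce comes from the device's Join Request; AppNonce and NetID from the server's Join Accept.
type JoinParams struct {
	AppNonce [3]byte
	NetID    [3]byte
	DevNonce [2]byte
}

// keyBlock builds the AES input prefix | AppNonce | NetID | DevNonce | pad16 (LSB-first fields, per LoRaWAN 1.0.x).
func keyBlock(prefix byte, p JoinParams) [16]byte {
	var b [16]byte
	b[0] = prefix
	copy(b[1:4], p.AppNonce[:])
	copy(b[4:7], p.NetID[:])
	copy(b[7:9], p.DevNonce[:])
	return b // bytes 9..15 stay zero (pad16)
}

// DeriveSessionKeys derives NwkSKey (prefix 0x01) and AppSKey (prefix 0x02)
// by encrypting one block with AES-128 under the root AppKey, as LoRaWAN 1.0.x does.
func DeriveSessionKeys(appKey [16]byte, p JoinParams) (nwkSKey, appSKey [16]byte) {
	block, _ := aes.NewCipher(appKey[:]) // a 16-byte key never fails
	nb, ab := keyBlock(0x01, p), keyBlock(0x02, p)
	block.Encrypt(nwkSKey[:], nb[:])
	block.Encrypt(appSKey[:], ab[:])
	return nwkSKey, appSKey
}

// DevNonceTracker models the server-side replay check: a DevNonce already seen
// for this device is refused, so a captured Join Request cannot be resent to
// make the server re-derive old session keys.
type DevNonceTracker map[[2]byte]bool

func (t DevNonceTracker) Accept(n [2]byte) bool {
	if t[n] {
		return false
	}
	t[n] = true
	return true
}

func main() {
	// Constructed demo values; a real AppKey is provisioned per device and kept secret.
	appKey := [16]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	p := JoinParams{AppNonce: [3]byte{0x11, 0x22, 0x33}, NetID: [3]byte{0x13, 0, 0}, DevNonce: [2]byte{0xab, 0xcd}}
	nwk, app := DeriveSessionKeys(appKey, p)
	fmt.Printf("NwkSKey=%x\nAppSKey=%x\n", nwk, app)
}
```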
Security Mode 1: This mode has four levels:

• Level 1 - Zero security (no encryption and no authentication)
• Level 2 - Unauthenticated pairing with encryption
• Level 3 - Authenticated pairing with encryption
• Level 4 - Authenticated LE Secure Connections pairing with encryption

Security Mode 2: This mode uses data signing to enforce security and has two levels:

• Level 1 - Unauthenticated pairing with data signing
• Level 2 - Authenticated pairing with data signing

SIGFOX

The LPWAN, ultra-narrowband Sigfox uses the 868 and 902 MHz ISM frequencies. A distinct symmetric authentication key is shipped with every Sigfox Ready device. Messages from or to the device carry a cryptographic token computed from the authentication key, verifying the message's origin and data integrity. The authentication key is stored locally in the end device and is unique for every Sigfox-ready instrument. VPN and SSL encryption is used to communicate between the Sigfox base station and the Sigfox cloud. A message originating from a Sigfox end node carries a distinct signature produced from the locally stored key. This unique signature underlines the message's authenticity. The message also has an individual packet number, which protects the network from message replay. When it transmits from the end node, the message is sent three times on three distinct frequencies to ensure delivery to the Sigfox cloud. Such an arrangement also hinders jamming, as the transmission frequencies are random.

Thread

Designed for smart home use, Thread is an IPv6-based 6LoWPAN communication technology. ECJPAKE is a primary security measure in the NIST P-256 elliptic curve Thread network. The elliptic curve Diffie-Hellman algorithm is used for key agreement, and Schnorr signatures serve as the NIZK (Non-Interactive Zero-Knowledge) proof mechanism to authenticate the two peers. The NIZK also establishes a shared secret between them based on a passphrase.

ZIGBEE

ZigBee applies the security model described in IEEE 802.15.4, inclusive of access control to network devices (authentication), message integrity checks (MICs),
encryption (symmetric-key cryptography), and confirmation of the safety of transmitted frames. ZigBee's symmetric key cryptography utilizes three distinct types of keys for peer-to-peer communication:

Master Key: Pre-installed by manufacturers on the device.

Link Key: Restricted to nodes and utilized to encrypt all point-to-point communication data at the application level, confined to the two nodes. This key is separate for each communicating node pair and minimizes master key distribution risk in the network.

Network Key: Used at the network level and known to all the nodes in the network.

Z-Wave

Z-Wave is a low-power RF communication technology targeted towards Smart Home products or Home Automation for low latency and small data packets. It supports mesh networking.

The Z-Wave Alliance launched the S2 Security framework as a substitute for their primary S0, with an enhancement in the key exchange mechanism. The S2 framework utilizes the Elliptic Curve Diffie-Hellman (ECDH) algorithm for key exchange. It utilizes the AES algorithm to produce all the keys.

Near Field Communication (NFC)

NFC technology works at the 13.56MHz frequency and supports up to 420kbps data transfer speed and a low communication range (<10cm). It is integrated into devices and used for pairing and authentication for contactless payment processes. NFC manufacturers may use any encryption algorithm to manage security attacks.
2020 was, by any measure, a disruptive year. The sheer unpredictability of the COVID-19 pandemic forced organizations to pivot, change, and adapt. Here are some of the leading IoT security trends happening today.

1. Keeping Computing Private

Classified computing requires a trusted ecosystem where organizations can fearlessly share data in undocumented environments. Private, secure computing frequently involves three technologies that shield data during its use. Confidential computing creates a careful data processing environment. Privacy-aware machine learning (ML) enables decentralized data analytics and processing. Cryptographic techniques like homomorphic encryption let third parties compute on encrypted data, and the encrypted result is returned to the owner of that data. The data is securely enclosed through encryption, and only the data owner can access it.

2. CSPM: The Way to Effortless Compliance

identify risks and mitigate them.

3. Distributed Cloud

The Distributed Cloud accommodates privacy laws that dictate data housing in specific geographical areas. It offers public cloud options at several physical locations. The public cloud company maintains the services and, when required, physically implements them. The company can evolve to satisfy growing user needs. Distributed cloud assists low-latency contexts and reduces data costs.

4. Location-independent Functions

Location-agnostic operations enable proper administration of distributed infrastructure spread across multiple business services. They are designed to help employees and support customers. Organizations enjoy seamless remote access through passwordless, multifactor authentication. Security perimeters are achieved through secure access service edge (SASE), zero-trust security, and identity.

and secure approach calls for effective, robust authentication and authorization. This is achieved by centralizing policy orchestration and distributing policy enforcement.

6. Time Tested Cloud PKI

Public key infrastructure (PKI), a security tool, is used by numerous organizations. It is complex, and secure facilities are needed to administer it. PKI also needs dedicated, trained personnel for smooth operation. However, the introduction of IoT, DevOps, and Cloud and their subsequent popularity has changed PKI's role in the industry.

7. Endpoint Management

Organizations need proper endpoint management solutions, as cybercriminals may use unmanaged endpoints to enter corporate networks without permission. A good solution brings multiple benefits, such as remote workforce protection, management of endpoint environments, and automated compliance and provisioning.

8. Responsible AI
It promises (and delivers) accountable, ethical, and transparent usage of AI technologies
compatible with user expectations, societal laws, and organizational values. Responsible AI
fosters innovation in organizations to realize AI’s transformative potential.
Want to learn more about IoT security and other related topics? Visit our IoT page here.
© 2021 by Newark Corporation, Chicago, IL 60606. All rights reserved. No portion of this publication, whether in whole or in part, can be reproduced without the express written consent of
Newark Corporation. Newark® is a registered trademark of Farnell Corp. All other registered and/or unregistered trademarks displayed in this publication constitute the intellectual property
of their respective holders. WF-2509563