Question

How would you combat security and privacy challenges of the Internet of Things (as an intelligent system)?

Body should include:

Introduction

Discussion

Methodology

Experiment

Conclusion

A good report must answer the standard questions about any research project. The following format is suggested and including the information I asked above:

Abstract: WHAT did you do, WHY was it important, WHAT were your high level results?

Problem Statement: WHAT is the problem you attempted to solve?

Prior Work: HOW have others approached your problem?

Research Approach: WHAT was your approach to solving your problem? WHAT did you build? WHAT was your experimental methodology in terms of instrumentation, data collection, analysis, etc.? Include figures to describe your architecture and to assist in the presentation of your algorithms and analyses.

Results: WHAT were your results? HOW did you evaluate your work and WHAT were your figures of merit? Include graphs, charts, or other ways to visually describe your results.

Lessons Learned and Future Work: If you knew then what you know now, WHAT would you do differently? WHAT questions are left for future research?

Summary and Conclusions: Summarize your project and place your results in an overall context.

Download necessary software/ or tools for your experiment

Submit software/or tools used with proper installation documentation (Must show how to install and how it works)

Answer 1

Solution:

IoT(Internet of Things):-

• Internet of Things (IoT) is an ecosystem of connected physical objects that are accessible through the internet. The ‘thing’ in IoT could be a person with a heart monitor or an automobile with built-in-sensors, i.e. objects that have been assigned an IP address and have the ability to collect and transfer data over a network without manual assistance or intervention. The embedded technology in the objects helps them to interact with internal states or the external environment, which in turn affects the decisions taken.
• Internet of Things can connect devices embedded in various systems to the internet. When devices/objects can represent themselves digitally, they can be controlled from anywhere. The connectivity then helps us capture more data from more places, ensuring more ways of increasing efficiency and improving safety and IoT security

• IoT is a transformational force that can help companies improve performance through IoT analytics and IoT Security to deliver better results. Businesses in the utilities, oil & gas, insurance, manufacturing, transportation, infrastructure and retail sectors can reap the benefits of IoT by making more informed decisions, aided by the torrent of interactional and transactional data at their disposal.

IoT (Threats and Vulnerabilities):-

1. Insecure Web Interface

a) The first point concerns security related issues with the web interfaces built into IoT devices that allows a user to interact with the device, but at the same time could allow an attacker to gain unauthorised access to the device. Specific security vulnerabilities that could lead to this issue include:

i. Account Enumeration
ii. Weak Default Credentials
iii. Credentials Exposed in Network Traffic
iv. Cross-site Scripting (XSS)
v. SQL-Injection
vi. Session Management
vii. Weak Account Lockout Settings.

b) Suggested below are some countermeasures to protect against the threats mentioned above:

i. Default passwords and ideally default usernames to be changed during initial setup
ii. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
iii. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
iv. Ensuring credentials are not exposed in internal or external network traffic
v. Ensuring weak passwords are not allowed
vi. Ensuring account lockout after 3 -5 failed login attempts

2. Insufficient Authentication/Authorisation

a) This area deals with ineffective mechanisms being in place to authenticate to the IoT user interface and/or poor authorisation mechanisms whereby a user can gain higher levels of access then allowed. Specific security vulnerabilities that could lead to this issue include:

i. Lack of Password Complexity
ii. Poorly Protected Credentials
iii. Lack of Two Factor Authentication
iv. Insecure Password Recovery
v. Privilege Escalation
vi. Lack of Role Based Access Control.

b) Suggested below are some countermeasures to protect against the threats mentioned above:

i. Ensuring that the strong passwords are required
ii. Ensuring granular access control is in place when necessary
iii. Ensuring credentials are properly protected
iv. Implement two factor authentication where possible
v. Ensuring that password recovery mechanisms are secure
vi. Ensuring re-authentication is required for sensitive features
vii. Ensuring options are available for configuring password controls.

3. Insecure Network Services

a) This point relates to vulnerabilities in the network services that are used to access the IoT device that might allow an intruder to gain unauthorised access to the device or associated data. Specific security vulnerabilities that could lead to this issue include:

i. Vulnerable Services
ii. Buffer Overflow
iii. Open Ports via UPnP
iv. Exploitable UDP Services
v. Denial-of-Service
vi. DoS via Network Device Fuzzing.

b) Suggested below are some countermeasures to protect against the threats mentioned above:

i. Ensuring only necessary ports are exposed and available
ii. Ensuring services are not vulnerable to buffer overflow and fuzzing attacks
iii. Ensuring services are not vulnerable to DoS attacks which can affect the device itself or other devices and/or users on the local network or other networks
iv. Ensuring network ports or services are not exposed to the internet via UPnP for example.

4. Lack of Transport Encryption

a) This deals with data being exchanged with the IoT device in an unencrypted format. This could easily lead to an intruder sniffing the data and either capturing this data for later use or compromising the device itself. Specific security vulnerabilities that could lead to this issue include:

i. Unencrypted Services via the Internet
ii. Unencrypted Services via the Local Network
iii. Poorly Implemented SSL/TLS
iv. Misconfigured SSL/TLS.

b) Suggested below are some countermeasures to protect against the threats mentioned above:

i. Ensuring data is encrypted using protocols such as SSL and TLS while transiting networks
ii. Ensuring other industry standard encryption techniques are utilised to protect data during transport if SSL or TLS are not available
iii. Ensuring only accepted encryption standards are used and avoid using proprietary encryption protocols.

IoT Security Tips:-

I hope this helps if you find any problem. Please comment below. Don't forget to give a thumbs up if you liked it. :)

1. Don’t connect your devices unless you need to - The first step is to consider what functionality you need from the device. Just because your TV or fridge can connect to the internet, doesn’t mean you definitely want to hook it up. Take a good look at the features it offers and learn exactly what internet connectivity brings before you connect.

2. Create a separate network - Many Wi-Fi routers support guest networking so that visitors can connect to your network without gaining access to shared files or networked devices. This kind of separation also works well for IoT devices that have questionable security

3. Pick good passwords and a different password for every device - It’s very important to pick strong passwords, but you must also make sure that you pick a different password for every device. If a hacker manages to get one of your passwords, they will typically try it with other services and devices. Reusing passwords is not a good idea. Use a password manager to keep track of all your passwords.

4. Turn off Universal Plug and Play (UPnP) - Sadly, UPnP can make routers, printers, cameras and other devices vulnerable to attack. It’s designed to make it easier to network devices without configuration by helping them automatically discover each other. The problem is that hackers can also potentially discover them from beyond your local network because of vulnerabilities in the UPnP protocol. Is best to turn UPnP off completely.

5. Make sure you have the latest firmware - If you want to make sure you have the latest security patches and reduce the chances of a successful attack, then you need to keep your firmware fully updated. Vulnerabilities and exploits will be fixed as they emerge, so your IoT devices and your router need to be regularly updated. Automate this wherever possible or set a schedule to check for updates every three months or so.

6. Be wary of cloud services - A lot of IoT devices rely on cloud services, but the requirement for an internet connection in order for something to function can be a real problem. Not only will it not work when the network is down, but it may also be syncing sensitive data or offering another potential route into your home. Make sure you read up on the provider’s privacy policy and look for reassurances about encryption and data protection.