Internet Of Things: Five Ways To Overcome Security Challenges

The promise, benefits, and value of the Internet of Things (IoT) have been documented extensively, but a number of widely publicized IoT attacks leave the impression that the IoT is deeply insecure. What is often not mentioned is that many of these attacks succeeded because basic protections had not been implemented.

But even where the vendor has taken reasonable precautions, things can go horribly wrong, as can be seen in a – literally – fly-by attack on smart lighting.

Another challenge is that IoT-enabled devices are deployed “where the action is” – the factory floor, oil platforms, public roads, offices, stores, moving vehicles, or in cities running over wireless networks.

That means that they are often physically accessible by employees, contractors, and even the general public. If we compare that to modern cloud data centers, where only authorized personnel can enter, there is a substantial difference. More people with access means the risk of compromise goes up, so we may need to ensure devices themselves are physically protected against tampering.

But these are not insurmountable obstacles. The challenge is less a matter of not knowing what to do to protect IoT environments than of how to implement and apply security measures to keep the solution safe.

Five recommendations for securing the IoT

1. Manage risk

Modern security practices follow a risk-based approach that considers both the ease of an attack and the impact should one happen – giving a strong indicator of how much security you’ll need. The reality is that an IoT solution that monitors, manages, and optimizes operations in a chemical factory requires much tighter security protocols than one that simply turns off the light in a conference room when sensors detect nobody is present. In the former, a successful attack could lead to a catastrophic industrial accident including injury and loss of life. In the latter, the worst that could happen is that an electricity bill is a little higher.

2. Limit device-to-device communication

There is a misconception that the Internet of Things, by definition, means that many devices are connected to many other devices, increasing the risk that a successful attack leads to catastrophic failure or takeover of a substantial portion of your IoT infrastructure. In many cases, devices have a single purpose and only need to send the data they collect to a single location. By limiting the number of IoT devices that talk to each other, we can better secure each one and limit the damage should any breaches occur.

3. Retain control over your IoT infrastructure

The risk is yours – any failure in security is your responsibility and you will be held accountable for the result – so it is important to maintain control. This starts with device selection: Make sure that devices either have the security features you need or, preferably, are “open” so you can analyze and understand how they work, and then add any features you need to fill security gaps. This includes the ability to update devices in an automated and secure way and to control that process yourself.

4. Use encryption from end to end

It’s critical to encrypt communication between devices and data-ingestion points to make sure nobody can listen in, tamper with sensitive data in transit, or recover enough information to spoof or impersonate the device and feed the system manipulated data. Modern encryption techniques work in much the same way as HTTPS does to protect information online. Encryption also needs to be tied to device identity to ensure the data we think comes from a particular device actually does.

5. Leverage existing expertise

Apply proven security technologies, tools, and best practices used in traditional IT landscapes. In many cases, they can be implemented directly: by using digital certificates or equivalent, by restricting what IoT devices can do and communicate with, and by adding protection and monitoring mechanisms. In other cases, such as micro-controllers and low-power networks, we may need to apply new techniques, but we can draw on existing principles and concepts.

IoT adoption is still in early days. Unfortunately, that means that there aren’t many established standards yet, and while the number of devices brought to market is quickly rising, certification schemes and regulations are lagging. As a result, adopters still need to carefully plan and build in security from the start and properly evaluate any IoT equipment brought in house.

As large technology providers recognize the security challenges with new IoT technologies and software solutions, the situation is rapidly improving. At SAP, we’re also committed to both describing the pitfalls and providing clear guidelines to overcome them.

This article originally appeared on the SAP Community.


Internet of Things – Digitalist Magazine

Upstream Security secures $9 million to advance cloud-based connected car security

Upstream Security has secured $9 million in series A funding to advance its cloud-based cybersecurity platform for connected cars and self-driving vehicles, after securing $2 million in a seed funding round in June.

According to the company, the fresh amount will be utilised for expanding its R&D programme, strengthening research teams in the engineering and security divisions and opening marketing and sales offices in the US and Europe.

The funding was led by CRV (Charles River Ventures) and included expanded investments from Glilot Capital Partners and Maniv Mobility.

Izhar Armony, general partner at CRV, said: “Connected and semi-autonomous cars are already a reality, so it’s a matter of ‘when’ not ‘if’ these self-driving technologies will be deployed at scale. Upstream’s engineers were the first to solve how to protect connected cars and autonomous vehicles using the cloud, crucial for near-term and future deployment of automotive cybersecurity at the fleet level.

“We believe in Upstream’s groundbreaking approach to secure connected and autonomous vehicles and in the abilities of cybersecurity veterans, Yoav Levy and Yonatan Appel, to build a rapidly growing business in this hot, emerging space.”

Talking about the increasing security threats in the connected car industry, Upstream CEO and cofounder Levy commented: “Security solutions for the car are undergoing rapid advances at an unprecedented rate. We’re using emerging technologies like AI and machine learning to carry out an evolutionary leap in cybersecurity for passenger and commercial vehicles.”

It’s not the only money going into this space of late. Earlier this month, Canada-based connected vehicle startup Mojio secured $30 million in Series B funding, which will be utilised by the company to expedite its connected-vehicle solution and for global expansion.

iottechnews.com: Latest from the homepage

NXP and Alibaba Cloud Announce Strategic Partnership for Edge Computing and IoT Security

NXP Semiconductors today announced a strategic partnership with Alibaba Cloud, the cloud computing and business unit of Alibaba Group.

The two companies are working together to enable development of secure smart devices for edge computing applications and have plans to further develop solutions for the Internet of Things (IoT).

As part of the partnership, AliOS Things, the Alibaba IoT operating system, has been integrated onto NXP applications processors, microcontroller chips, and Layerscape multicore processors. Both NXP’s i.MX and Layerscape processors are currently the only embedded systems on the market using the Alibaba Cloud TEE OS platform. The new solution benefits various markets including automotive, smart retail and smart home, and it is currently being applied in applications such as automotive entertainment and infotainment systems, QR code payment scanning applications and smart home speakers.

Li Zheng, NXP global senior vice president and President of Greater China, said:

“As the leader of IoT innovation in China, Alibaba Cloud has launched a range of IoT basic and content services to support the demands of cloud computing, big data, AI [artificial intelligence], cloud integration and security. Alibaba Cloud IoT kit has launched more than 200 categories, with a total of more than 10 million sets of sales.”

“Our partnership with Alibaba Cloud will promote the continuous and steady expansion of NXP’s technological advantages for edge computing and IoT security, and will support the long-term and secure development of China’s IoT ecosystem.”

“We share the same vision as NXP on providing advanced and secure IoT solutions for an ‘everything connected’ world,” said Ku Wei, General Manager of IoT of Alibaba Cloud. “Based on the integration of AliOS Things with NXP’s applications processors and microcontroller chips, our comprehensive solution will better serve the development of China’s local commercial and manufacturing industries.”

With the deep partnership between NXP and Alibaba Cloud Link in the field of IoT security, NXP has become a council member of the ICA IoT Connectivity Alliance. In the future, the two companies plan to jointly develop solutions to support application development in different fields including smart manufacturing and smart city.

The ‘Annual Report of China IoT Development 2015-2016’ predicts that the amount of equipment connected to IoT globally will reach 20-50 billion by 2020, with 80 percent of that equipment in China. NXP’s robust product portfolio covers offerings from the edge node to the gateway and comprehensive cloud IoT solutions. NXP’s products are widely used in smart homes, smart cities, smart transportation, and secure connectivity.

In China, NXP combines outstanding enterprises in upstream and downstream industries, working together with industry leaders for the safe, connected, sustainable development and motivation for innovation of IoT.

The post NXP and Alibaba Cloud Announce Strategic Partnership for Edge Computing and IoT Security appeared first on IoT Business News.

IoT Business News

Face authentication and the future of security

Apple’s iPhone X has given us a glimpse into the future of personal data security. By 2020 we’ll see billions of smart devices being used as mobile face authentication systems, albeit with varying degrees of security. The stuff of science fiction for years, face recognition will surpass other legacy biometric login solutions, such as fingerprint and iris scans, because of a new generation of AI-driven algorithms, says Kevin Alan Tussy, CEO of FaceTec.

The face recognition space had never received more attention than after the launch of Face ID, but with the internet now home to dozens of spoof videos fooling Face ID with twins, relatives and even olives for eyes, the expensive hardware solution has left many questioning if this is just another missed opportunity to replace passwords.

Face Recognition is a biometric method of identifying an authorised user by comparing the user’s face to the biometric data stored in the original enrolment. Once a positive match is made and the user’s liveness is confirmed the system grants account access.

A step up in security, Face Authentication (Identification + Liveness Detection), offers important and distinct security benefits: no PIN or password memorisation is required, there is no shared secret that can be stolen from a server, and the certainty the correct user is logging in is very high.

Apple’s embrace of Face ID has elevated face recognition into the public consciousness, and when compared to mobile fingerprint recognition, face recognition is far superior in terms of accuracy. According to Apple, their new face scanning technology is 20-times more secure than the fingerprint recognition currently used in the iPhone 8 (Touch ID) and Samsung S8. Using your face to unlock your phone is, of course, a great step forward, but is that all a face biometric can do? Not by a long shot.

While the goal of every new biometric has been to replace passwords, none have succeeded because most rely on special hardware that lacks liveness detection. Liveness detection, the key attribute of Authentication, verifies the correct user is actually present and alive at the time of login.

True 3D face authentication requires: identity verification plus depth sensing plus liveness detection. This means photos or videos cannot spoof the system, nor animated images like those created by CrazyTalk; and even 3D representations of a user like projections on foam heads, custom masks, and wax figures are rebuffed.

With the average price of a smartphone hovering around £150 (€170.58), expensive hardware-based solutions, no matter how good they get, won’t ever see widespread adoption. For a face authentication solution to be universally adopted it must be a 100% software solution that runs on the billions of devices with standard cameras that are already in use, and it must be more secure than current legacy options (like fingerprint and 2D face).

A software solution like ZoOm from FaceTec can be quickly and easily integrated into nearly any app on just about any existing smart device. ZoOm can be deployed to millions of mobile users literally overnight, and provides […]

The post Face authentication and the future of security appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business

MANRS, Routing Security, and the Brazilian ISP Community

Last week, I presented MANRS to the IX.BR community. My presentation was part of a bigger theme – the launch of an ambitious program in Brazil to make the Internet safer.

While there are many threats to the Internet that must be mitigated, one common point and a challenge for many of them is that the efficacy of the approaches relies on collaboration between independent and sometimes competing parties. And, therefore, finding ways to incentivize and reward such collaboration is at the core of the solutions.

MANRS tries to do that by increasing the transparency of a network operator’s security posture and its commitment to a more secure and resilient Internet. Subsequently, the operator can leverage its increased security posture, signaling it to potential customers and thus differentiating itself from its competitors.

MANRS also helps build a community of security-minded operators with a common purpose – an important factor that improves accountability, facilitates better peering relationships, and improves coordination in preventing and mitigating incidents.

So, what does the Brazilian ISP community think about routing security and MANRS?

I ran an interactive poll with four questions to provide a more quantitative answer. More than 100 people participated, which makes the results fairly representative.

A short summary is that while routing incidents are not perceived as the most painful area, the Brazilian ISP community is willing to embrace the collaborative security approach and work on improving Internet infrastructure.

In the past three months, according to BGPStream, Brazilian ISPs experienced about 1,000 routing events that likely represent incidents. About a quarter of them were route leaks and hijacks; the rest were outages.

From operational experience, 20% of operators dealt with routing security incidents with impact. For the majority, however, such incidents were either infrequent or had little impact. That says something about the perceived risk.

At the same time, improving routing security is important to the vast majority of operators. Almost half are willing to play an active role in promoting best practices.

Almost one-third of respondents already implement the majority of the MANRS Actions and could join the effort.

When it comes to joining the effort, two-thirds feel they would become active adopters of MANRS, once their network has appropriate controls in place.

We look forward to seeing many Brazilian ISPs officially join MANRS, given these survey results! If you’re interested, please let us know. A MANRS Implementation Guide is also available to help you get your network ready.

You can watch Andrei’s full presentation on YouTube in the video below, or at this link.

The post MANRS, Routing Security, and the Brazilian ISP Community appeared first on Internet Society.

Internet Society