2017

Security for the Internet of Things

John Downs

Abstract
Society today has become increasingly focused on technology and the ways it can

provide convenience to our lives. Every facet of the daily routine is becoming interconnected and

woven together for the sake of expediency. Communally we are too focused on how fast

something can be done or how many tasks can be combined to realize the folly in such thinking.

Being fixated only on time constraints allows important concerns to be ignored. Security is one

such concern that needs to be addressed but often is not, due to the emphasis on convenience.

Identity theft is currently one of the most prevalent cyber-crimes against private

individuals. Over fifteen million people were affected by identity theft in 2016 alone. Identity

theft incidence rate increased by sixteen percent, a record high since Javelin Strategy &

Research began tracking identity fraud in 2003 (unidentified, Javelin Strategy and Research,

2017). These victims had monetary losses of sixteen billion dollars, compared with fifteen

billion dollars a year earlier (anonymous, Insurance Information Institute, 2017). These types of

cyber-crimes are trending toward exponential increases with no sign of slowing, leaving Internet of

Things (IoT) and Network of Things (NoT) devices ridiculously vulnerable.

The number of IoT devices on the market also happens to be expanding exponentially,

intensifying the probability of becoming a target for attackers. Awareness of the vulnerabilities

has been historically overlooked by consumers but not by criminals. The rapid expansion of the

IoT market has the potential to become a criminal playground with endless possibilities for theft

and mayhem. It is the possibility of criminal activities that the consumer needs to be but is not

aware of. Consumers do not make buying decisions based on the potential for cyber-crimes

against them; they do not even understand why this would be a consideration. The welfare of

entire families could be at stake simply because a consumer bought a seemingly harmless

appliance that made them vulnerable to a host of illegal acts.

Purpose

The reason for this implementation plan is to identify steps, processes and procedures

that can be put in place to heighten the security posture of products within the IoT. The

recommendations laid forth in this plan are intended to guide manufacturers in adjusting

practices in construction and design of their products. The assertion is that procedures with

information security as a core principle are an obligation within any computing environment. It

is seen as an obligation of companies producing IoT devices to have the best interests of their

customers in mind when manufacturing these devices. Information security needs to be

fundamental in making products that appeal to consumers with the importance of their privacy

acknowledged. Counseling and guidance given to IoT users who may not realize the importance

of their security and privacy as related to use of IoT products will enhance an

exponentially growing customer base.

Offering practical advice on the design and implementation of such programs is the

primary purpose of this report. Further suggestions included in this document can be executed in

marketing plans to leverage growing consumer education and concern for the security of their

home environment, information included. This text is not meant only as an endorsement of any

specific product or service, although certain of these will be referenced for ease of

understanding. Recommendations for strengthening the security stance of IoT products and

enhancing consumer confidence will demonstrate concern for the well-being of the customer.

Problem

The number of IoT and NoT devices on the market is multiplying at an alarming rate.

Current data suggests that the IoT market will increase to 3.7 billion dollars by 2020, a 32.6

percent increase since 2015 reports of $900 million (Columbus, 2016). This increase in market

share for IoT devices represents an extreme increase in attack surface for consumers and

businesses alike. IHS forecasts that the IoT market will grow from an installed base of 15.4

billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025 (Columbus,

2016). Increasing the number of IoT products at such an astronomical rate has caused the issue

of security for these devices to become imperative. IoT devices gather massive amounts of data

from personal information to buying habits to medical information. As of this date the security

measures in place to ensure confidentiality and integrity of this sensitive information are

minimal. The vulnerability issue with IoT devices is that there is a myriad of security flaws. Out-

of-date firmware, shared Wi-Fi credentials that have caused exposed network configurations,

haste to enter market with security as an afterthought and no consistent standards industrywide

are just a few of the issues. Legacy IoT devices pose security issues that are continuously

overlooked because the companies that made them have moved on to new products leaving the

old models to become forgotten weaknesses for consumers. These weaknesses may be forgotten

by the manufacturer and overlooked by the consumer but they are neither to attackers. Creating a

set of security standards for all IoT devices will be extremely difficult. Factors such as legacy

devices, price point and product availability will be hurdles that must be overcome, with profit

margins likely to take a hit in the short-term, never an easy sell to shareholders.

The rising potential for attacks is not only because of the growing abundance of devices

comprising the IoT. There are five distinct portions of most IoT devices that present their own

weaknesses. Sensors, aggregators, eUtilities, a decision trigger and a communication channel grant

IoT devices the ability to perform their assigned functions. All of these components are

susceptible to attacks in various ways that are compounded by the lack of relevant security

measures built into IoT devices. The recommended solutions offered in this report will address

these components individually to propose a complete security solution.

Proposed Solution: Sensor

Sensors are used in IoT devices to measure physical attributes of the surrounding

environment. Parameters such as pressure, temperature, location, and acceleration are measured

and delivered to the processor through an interface. These parameters are utilized to elicit the

programmed response, whether that response is event-driven, command-driven, or requires a

manual input. Employed sensors have varying degrees of quality, safety and reliability

depending on the application in which they are used. Sensors present many opportunities for

security improvements due to the wide range of attributes they can possess.

The first consideration I take into account when dealing with sensors is communication,

both the type of interface and the state in which the data is transmitted. If the sensor is

communicating directly with another device via Wi-Fi the data should be encrypted. Over the air

communication between IoT devices is often vulnerable because of weak Wi-Fi passwords or

devices that do not require them to be on the network. Personally, I recommend the adoption of a

Blowfish algorithm for IoT communication. Advantages of Blowfish include the fact that it is one

of the more flexible encryption methods, is available free in the public domain and has

tremendous speed. Encrypting communications in IoT devices serves to lessen the risk involved

by their use. The use of encryption is directly related to the aggregator, so in turn by deploying

the use of encryption some vulnerability will be designed out of two components of IoT devices.

Proposed Solution: Aggregators

Aggregators are software implementations that convert raw data from sensors into

aggregated data by use of mathematical functions. Two variables are factored into the decisions

that are made by the aggregators, weights and clusters. Clusters are the sensors, physical or

virtual that send information to the aggregator. A weight is the amount of significance the data

sent has in deciding a response. Often there are many points of data sent to the aggregator with

each data set assigned a certain weight or significance in determining the correct programmed

response.

From a security standpoint, I believe that the simplest way to address security would be

in the weights of the system. Depending on the sensors that are sending data, the aggregate

summation could be set to put emphasis on the most reliable sensors. By taking this approach,

the sensors that are more likely to send corrupted or out-of-range data can be diminished in the

capacity to elicit an undesired response from the IoT device. The bulk of the responsibility

would be placed on the complexity of the aggregate summation in determining which sensors are

the most trustworthy in making computations.

Proposed Solutions: Communication Channel

A communication channel is the instrument the device uses to communicate with the

network and other IoT devices. The communication channel can be physical as in a wired USB

connection, wireless or even a verbal type of communication. Communication channels can be

compared to a highway system to handle the input and output of data within the IoT device.

Inputs and outputs may even use the same communication channel for exchanges in both

directions. Reliability and security of the device can be addressed by the type and protocols used

in the communication channels.

It is my opinion that communication should occur in only one direction on a given

channel. I feel that this practice could serve as a nuisance to would-be attackers. If for no other

purpose, it would not allow interception of input and output data simultaneously. Limiting the

simultaneous access would complicate efforts to corrupt the aggregate summation

calculations or alter the sensor input for a desired result. If an attacker were not able to

ascertain exactly how data would need to be altered to provoke a certain reaction, then it would

at the least slow down their attack slightly.

Redundancy is another way to confirm the validity of the data traveling the

communication channels. Without fail, every communication channel should have redundancy

built in and as removed from each other as possible. Under the hope and assumption that an

attack would compromise only one channel pertaining to a certain data set, the aggregator would

have a better chance in recognizing corrupted data. The ability to notice data that is unreliable

would be invaluable in limiting the effect that any one attack would have on the device. By using

redundancy, the reliability of the device is also improved, saving time and money due to reduced

repair incidents, not to mention the uptick in customer satisfaction.
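
The weighting idea from the aggregator section and the redundancy idea above can be combined in one aggregator. The sketch below is an added example, not code from this report: the sensor names, weights, tolerances and the `Reading`, `reconcile` and `aggregate` names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Constructed configuration (not from the report): per-sensor trust weights,
# the physically plausible range, and the tolerances used to flag bad data.
WEIGHTS = {"temp-a": 0.5, "temp-b": 0.3, "temp-c": 0.2}
VALID_RANGE = (-40.0, 85.0)
CHANNEL_TOLERANCE = 0.5   # max gap between redundant copies of one reading
CLUSTER_TOLERANCE = 5.0   # max distance from the cluster median
MIN_TRUST = 0.5           # accepted weight needed before a value is returned


@dataclass
class Reading:
    sensor_id: str   # member of the cluster
    channel: str     # redundant path that delivered the value
    value: float


def reconcile(readings):
    """Accept a sensor only if its redundant copies exist, agree and are in range."""
    copies = {}
    for r in readings:
        copies.setdefault(r.sensor_id, {})[r.channel] = r.value
    accepted, rejected = {}, {}
    for sensor_id, by_channel in copies.items():
        values = list(by_channel.values())
        if sensor_id not in WEIGHTS:
            rejected[sensor_id] = "unknown sensor"
        elif len(values) < 2:
            rejected[sensor_id] = "no redundant copy"
        elif max(values) - min(values) > CHANNEL_TOLERANCE:
            rejected[sensor_id] = "channels disagree"
        elif not all(VALID_RANGE[0] <= v <= VALID_RANGE[1] for v in values):
            rejected[sensor_id] = "out of range"
        else:
            accepted[sensor_id] = sum(values) / len(values)
    return accepted, rejected


def aggregate(readings):
    """Return (weighted value or None, {sensor_id: reason rejected})."""
    accepted, rejected = reconcile(readings)
    if accepted:
        centre = median(accepted.values())
        for sensor_id, value in list(accepted.items()):
            if abs(value - centre) > CLUSTER_TOLERANCE:
                rejected[sensor_id] = "deviates from cluster"
                del accepted[sensor_id]
    trust = sum(WEIGHTS[s] for s in accepted)
    if trust < MIN_TRUST:
        return None, rejected   # fail safe: too little trusted data to act on
    value = sum(WEIGHTS[s] * v for s, v in accepted.items()) / trust
    return value, rejected


# Constructed sample: temp-c's wireless copy has been altered in transit.
SAMPLE = [
    Reading("temp-a", "wired", 21.0), Reading("temp-a", "wireless", 21.2),
    Reading("temp-b", "wired", 20.8), Reading("temp-b", "wireless", 20.9),
    Reading("temp-c", "wired", 21.0), Reading("temp-c", "wireless", 60.0),
]

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

Returning `None` when too little trusted weight remains lets the decision trigger refuse to act instead of acting on a single low-trust sensor.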

The use of communication channels that are physical in nature as much as possible would

help to improve security also. Wi-Fi is vulnerable for a plethora of reasons from the open nature

to the negligent practices of customers setting up their Wi-Fi at home. Limiting the use of that

medium of communication serves to mitigate a weakness that many customers do not even

realize they have. Obviously, manufacturers of IoT devices cannot completely shield consumers

from their own mistakes but this would serve as a nominal attempt.

Proposed Solutions: eUtilities

The basic function of an eUtility is to take the data from the aggregator (Cornelius,

2017). To put it simply, the eUtility is essentially the brains of the operation; human input is

considered an eUtility in the IoT. Software or hardware in an IoT device can be utilized for the

eUtility function, on occasion both. The eUtility presents one of the biggest challenges in

fortifying the security aspect of the IoT. Manufacturers of IoT devices must use software for

their devices to operate; this is where the challenges and opportunities lie.

Firms other than the manufacturer of the IoT device are repeatedly tasked with

implementing the software for operation. IoT manufacturers must ensure that the companies

chosen are reputable and hold security in high regard. The choice of third-party software

development company is crucial to the security of the device. I feel that two distinct approaches

could be adopted in this endeavor. Choosing a well-established software company such as

Microsoft would lend credibility to the IoT device but comes with caveats. Software provided by

a company such as Microsoft would be proprietary and security patches may be released at a

slower rate than needed by the IoT manufacturer. The alternate approach would be to utilize a

smaller company or possibly develop in-house the software from an open source platform.

Updates for security and performance would be developed at a much faster pace allowing for

critical improvements. Updates that are prompt and efficient could be the most crucial aspect of

effective initial and ongoing security.

Authentication is another aspect of the eUtility that presents opportunities for security

improvements. All communication pertaining to IoT devices should take place only when the

Device_ID of all parties involved can be verified. This authentication would take place in the

way of encryption so that devices could verify each other. In the case that human interaction is

required, an impromptu type of two factor authentication can be used. Through a mobile

application associated with their device the human interaction could be verified by the user so

that manual inputs are always accurate.
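
One way two devices could verify each other's Device_ID before exchanging data is a keyed challenge-response. This is an added example, not part of the original report: it assumes HMAC-SHA256 with a per-device key provisioned at manufacture in place of the unspecified encryption, and the `Hub`, `Device`, `make_tag` and `handshake` names and the sample Device_ID are hypothetical.

```python
import hashlib
import hmac
import secrets


def make_tag(key, role, device_id, first_nonce, second_nonce):
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    fields = [role, device_id.encode(), first_nonce, second_nonce]
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, message, hashlib.sha256).digest()


class Device:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def respond(self, hub_nonce):
        """Answer the hub's challenge and issue a challenge of our own."""
        self.hub_nonce, self.nonce = hub_nonce, secrets.token_bytes(16)
        tag = make_tag(self.key, b"device", self.device_id, hub_nonce, self.nonce)
        return self.device_id, self.nonce, tag

    def verify_hub(self, hub_tag):
        expected = make_tag(self.key, b"hub", self.device_id, self.nonce, self.hub_nonce)
        return hmac.compare_digest(expected, hub_tag)


class Hub:
    def __init__(self, registry):
        self.registry = registry   # Device_ID -> key provisioned at manufacture
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_device(self, device_id, device_nonce, device_tag):
        """Return the hub's proof for the device, or None if the Device_ID is not verified."""
        key, nonce = self.registry.get(device_id), self.nonce
        self.nonce = None          # a challenge is single use, so replies cannot be replayed
        if key is None or nonce is None:
            return None
        expected = make_tag(key, b"device", device_id, nonce, device_nonce)
        if not hmac.compare_digest(expected, device_tag):
            return None
        return make_tag(key, b"hub", device_id, device_nonce, nonce)


def handshake(hub, device):
    """Run the three-message exchange; True only if both sides verified each other."""
    device_id, device_nonce, device_tag = device.respond(hub.challenge())
    hub_tag = hub.verify_device(device_id, device_nonce, device_tag)
    return hub_tag is not None and device.verify_hub(hub_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed sample key
    hub = Hub({"thermostat-01": key})
    print(handshake(hub, Device("thermostat-01", key)))                      # genuine device
    print(handshake(hub, Device("thermostat-01", secrets.token_bytes(32))))  # wrong key
```

The role label inside each tag stops one side's proof from being reflected back as the other's, and the fresh nonces make a captured reply useless against a later challenge.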

Proposed Solutions: Decision Trigger

A decision trigger, in short, is the final piece of information that initiates the desired

response. I feel that the chief prospect for security improvement lies in the coding of the software

that comprises the decision trigger. Coding the trigger with if-then type language that has a very

deep set of parameters that must be met would strengthen the security. If the list of parameters

that must be met before a response is authorized is lengthy and very specific, it makes it that

much more difficult for the attacker.

Cost

Cost is always a determining factor in the design of any product and the IoT is no

exception. Any company that adheres to the recommendations that I have made will incur some

associated costs. For instance, the development of the mobile application that I mentioned for

two-factor authentication would cost anywhere from $200,000 to one million dollars to develop. The

adoption of encrypted communication would most likely allot for a similar expense, possibly

more. Partnering with a software company such as Microsoft would be costly with the value

needing to be negotiated on a case-by-case basis. Partnering with a large company would be

costly but the potential of name recognition may be attractive for a relatively lesser known IoT

manufacturer. The rise in hardware costs to bring some of these innovations to reality would be

negligible in comparison to software and protocol upgrade costs. Designing a new IoT device from

the ground up with the recommended upgrades may cost as much as $4-5 million for a simple

device with costs rising dramatically with complexity (Klubnikin, 2016).

I feel that costs associated with upgrades to the devices will be potentially offset by other

factors. The strength and reliability of processors used in IoT devices has risen exponentially.

This rise in capabilities is in direct contrast to cost; the prices of the chip sets used in these

products have declined by about 25 percent per year (Harold Bauer, 2014).

Requisitioned Equipment or Personnel

The added equipment to implement these recommendations would be minimal. The

manufacturing processes should not be altered very much. The personnel needed for the actual

production differences will be light. The added labor will come in partnerships with software

companies or the decision to develop the software in house. The in-house option will require the

addition of software developers and a seasoned veteran developer to oversee development. The

average software developer earns $85,000 per year and the lead developer would earn

on average $116,000 per year. These salary costs and hiring expenses would be the bulk of the

cost in developing the software in-house if an open source platform is used.

Evaluation System

It is my belief that the evaluation system would be primarily the market itself. Quality

control practices and functionality tests would need to be done but the majority of flaws are

found after the product sees normal wear and tear. It is impossible to realize all security

weaknesses until the product is put into the wild. Testing to minimize the problems will retain

customer loyalty but the consumer is the final testbed for any new product. As long as the

problems are minimized and prompt action is taken in mediating those problems, the customer

will remain satisfied.

Benefits

The benefits of increased security enhancements are immeasurable, to the company and

the customer. As the market realizes that upgraded security will benefit the consumer in ways

they were not aware of, the first to market will profit immensely. Security can become a

selling point instead of an afterthought. The companies benefit from higher customer satisfaction

and retention, increasing profits. These profit increases will quickly offset costs in development

and the minimally longer product development time windows. I feel that there will be benefits

that cannot even be foreseen as satisfied customers lean on trusted companies for new products.

A consumer base that is extremely happy with one product will be incalculably more receptive to

new offerings from that company.

Conclusion

Added security benefits are never a bad idea when it comes to consumer electronics, not

to mention the IoT. Companies that are able to offer products that have been developed with

security at the forefront will be received ever more favorably as the consumer continues to be

better educated. Firms selling products that offer complete solutions with security and

convenience as marketing tools will see infinite profit. Opportunities to expand the product

portfolio will become reality for companies that have made security a priority; consumers will

notice. Costs associated with this practice will be offset by the increase in sales and opportunities

for expansion. In my eyes, it is a winning situation for IoT companies and the consumers that

want more convenience in their lives without the vulnerabilities.

References
anonymous, Insurance Information Institute. (2017, February). Identity Theft and Cybercrime. Retrieved from www.iii.org: http://www.iii.org/fact-statistic/identity-theft-and-cybercrime

Brandon, J. (2016, June 1). Security concerns rising for Internet of Things devices. Retrieved from www.csoonline.com: http://www.csoonline.com/article/3077537/internet-of-things/security-concerns-rising-for-internet-of-things-devices.html

Columbus, L. (2016, November 27). Roundup Of Internet Of Things Forecasts And Market Estimates, 2016. Retrieved from www.forbes.com: https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#1361ec44292d

Cornelius, A. (2017). What is the Network of Things? Retrieved from www.ssglimited.com: http://www.ssglimited.com/what-is-the-network-of-things/

Harold Bauer, M. P. (2014, December). The Internet of Things: Sizing up the Opportunity. Retrieved from www.mckinsey.com: http://www.mckinsey.com/industries/semiconductors/our-insights/the-internet-of-things-sizing-up-the-opportunity

Klubnikin, A. (2016, October 21). Internet of Things: How Much Does It Cost to Build IoT Solutions? Retrieved from www.r-stylelab.com: http://r-stylelab.com/company/blog/iot/internet-of-things-how-much-does-it-cost-to-build-iot-solution

unidentified, Javelin Strategy and Research. (2017, February 1). 2017 Identity Fraud Study. Retrieved from www.javelinstrategy.com: https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
