Keeping Your Internet of Things Devices Secure

2018-12-18 | By Maker.io Staff

With Wi-Fi chips being integrated into cheap microcontrollers like the ESP8266, it comes as no surprise that everyday items and tools are being connected to the internet. However, IoT devices (especially commercial products) should prioritize security since user private information could be accessible and therefore vulnerable.

Data Gathering

When the first low-cost Wi-Fi chips were introduced, they found huge popularity in data logging environments like temperature and humidity loggers. The data that these devices gathered was nothing more than environmental readings and there was little concern about security and privacy. Why would anyone care if a hacker had access to someone’s temperature sensor data? How can a hacker use such information to blackmail an individual? Because this data is important only to the user, privacy, and security seem redundant.

However, the IoT (Internet of Things) market continued to expand and devices became increasingly more complex. Devices could now record audio, video, control household devices, and even place orders on popular shopping platforms. Suddenly, hackers have a reason to hijack devices and obtain such sensor readings since they could potentially store private information. Unwanted images of people can be used as leverage, homes could be made dysfunctional, and private conversations can be used to smear individuals.

The Security Implementation Issue

Security on IoT devices is paramount, especially if your device is going to be transmitting private information. But there is a catch! Security algorithms are often resource consuming and require large processing power to calculate, not typically an issue for desktop PCs or smartphones. IoT devices, however, are often based on very small microcontrollers. Even the PIC16 8-bit devices can be used as IoT devices. These devices are already limited on their ROM and RAM sizes.

Implementation 1: Network Level

One possible solution to implementing security is to have all IoT devices connect to a single gateway on a local area network, like a server or PC, handling all the encryption for all users. While this leaves local devices open to attack, it does provide a strong defense against any intruder outside the local area network.

Since most IoT devices connected to a network using Wi-Fi, a simple Wi-Fi monitoring tool could potentially perform a “man-in-the-middle” attack and record all traffic on the network. Nonetheless, on networks, unencrypted data can easily be extracted and stored for malicious use.

Implementation 2: Connection Level

Another possible solution to security on IoT devices is the use of secure connections, like SSL and TLS. While secure connections provide excellent security, they are also complex and have CPU/RAM requirements that are beyond the capabilities of many microcontrollers on the market. Some devices, like the ESP8266, can be made to perform secure connections, but only when they are directly programmed. This can be undesirable if plenty of GPIO and peripherals are required. For example, the ESP8266 only has one analogue read input.

Implementation 3: Message Level

If implementing a secure connection is too difficult, encryption could be performed on messages themselves whereby the server and client negotiate a password to encrypt all message. Of course, implementing strong security algorithms has the same issues as secure connections, so simpler algorithms could be used, like TEA (tiny encryption algorithm) and xTEA.

But such algorithms, being simpler, are also less secure and hackers with the right equipment can break them. Having said that, it is unclear as to how long that would take or how successful they would be. If such a connection could remain secure for an hour; an attacker would struggle to perform the attack if the client and server only transmit time- sensitive information and constantly change their encryption keys.

Conclusion

It is clear that the IoT poses a serious threat to sensitive data and therefore securing devices is essential. If manufacturers use 32-bit microcontrollers with plenty of RAM and ROM, then industrial standard encryption methods should be implemented but if not, then any security algorithm is better than not having one at all.

Have questions or comments? Continue the conversation on TechForum, DigiKey's online community and technical resource.

Visit TechForum

Arduino | 3D Printing | Raspberry Pi