Iranian academic security researchers at the ITRC (Information Technology Research Center) have published several white papers on the Internet of Things (IoT) which are available here: www.iot.itrc.ac.ir/fa/doc/list and the Security Challenges and Problems (security and privacy) in IoT and Proposed Solutions paper is described here.
1. General Problems and IoT open issues [IJCN-265]
- Volume, transfer and processing of data.
- Number of ‘things’.
- TCP challenges.
- Identifying ‘things’.
- QoS (Quality of Service).
2. Security and Privacy
The wireless nature of data transfer in IoT makes security and privacy very important. Risks of attacks to the physical layer of IoT, whereby a hacker could exfil, alter or delete data from connected devices because these devices generally “roam free”. Risk of attack to wireless data (i.e., interception before receipt by receiver). This is considered a major challenge. Low defensive capability: most IoT devices are unable to receive security updates for a multitude of reasons. “Privacy is a serious matter in civilised countries.” For IoT, we need to be sure of: who is collecting our personal data; how this data is collected; how long it takes.
Is IPv6 suitable? What hardware is needed to connect such a large number of devices? Lack of a unified standard is problematic. The TCP problem: UDP is entirely unsuitable, so TCP is the transfer layer protocol needed for IoT systems. This is not without problems: establishing a connection (this problem is often overlooked because of the small amount of data transferred); volume control (again, the small volume of data involved makes this insignificant); data buffering. Buffering processes are costly in battery-less devices such as RFID labels.
4. Immediate identification of ‘things’
How should each ‘thing’ be defined? How should information about each ‘thing’ be obtained? This can be addressed by RFID, EPC or UID. However, these have problems such as privacy, radiation, errors and incompatibility. One solution could be to use machine sight / vision and image processing instead – in this process, each ‘thing’ can extract the specification of another ‘thing’ by seeing it. The problem is that this must happen instantly.
5. Varying QoS
6. Trust and privacy in IoT
The methods of data transfer need to be reliable and trustworthy. To this end, progress must be made in PKI, light key management systems, QoI, non-centralised and self-configured systems (as an upgrade to PKI), and new ways of assessing trust in people, devices and data across all systems must be developed. Assurance methods for all platforms, hardware, software and protocols. Access controls.
7. Security in IoT
IoT very vulnerable to DoS/DDoS attacks. Work needed to identify IoT-specific threats such as approval loops and malware attacks. IoT-connected devices must be monitorable. Security software must be updatable. IoT devices must be able to learn in order that the IoT can become self-managing.
Encoding that enables protected data to be stored, processed and shared without sharing content with other sections is needed: homomorphic encoding is a good candidate for this. Privacy by design and data minimisation must be supported. Self-configuring and fine-grain access controls that mimic the real world. The ‘everywhere’ nature of IoT presents other difficulties: location privacy is important for things connected to people (watches, heart monitors, etc.); data leak prevention; local storage of data as far as possible, using non-centralised calculations and key management. Multiple ‘soft identities’ for one ‘real identity’ could be a way to protect privacy.