Pop Nukoonrat, Dreamstime.com

Cyber Resilience for IoT: Securing Access to Embedded Devices

April 21, 2021
Because the internet essentially connects every device to every other device online, they all turn into network nodes and thus become vulnerable.

This article is part of the Communication and Systems Design Series: Fortifying Cyber Resilience in the IoT

What you'll learn:

  • Different ways hackers access IoT devices.
  • How to gird against these types of hacks.

Introducing cyber resilience to embedded IoT devices requires considering security at multiple layers and levels, for both hardware and software, from OS to application. Hackers can exploit vulnerabilities and attack a system in many ways. The first step, though, is for hackers to access the system. Consequently, the first layer of defense is to prevent such access from occurring.

The following are common ways that hackers can access embedded IoT devices:

Direct physical access

An attacker may have direct physical access to the system. This means the attacker is able to physically touch the device. A person who can touch a device has the potential to take it apart, replace the content of its internal memory, sniff its interfaces with an analyzer, type in commands, look over someone’s shoulder to compromise a passcode, and carry out any number of other exploits.

Direct physical access can be prevented—or at least monitored and limited—in applications such as equipment in a smart factory, where access to the factory floor is managed by a keycard system. For many embedded IoT systems, however, physical access is impossible to prevent because of where the device must be deployed.

Consider smart devices in a home. A key factor in the market success of smart-home devices is ease of use, particularly ease of provisioning. For example, users might only need to press a button on the side of the device to gain access to the device. Thus, anyone inside the home can connect to the device, potentially with full admin capabilities. Many similar devices are used in the workplace. Gaining access to these devices potentially provides access to the IT network at large.

Physical proximity

With the ubiquitous presence of wireless technology, attackers don’t necessarily require direct physical access to attack a device. It may be enough that they can be within radio range. Thus, an attacker standing outside on the sidewalk could gain access to a smart home or smart building device.

Note that anyone can access a wireless device if they’re within range. That’s why security must be implemented across multiple layers of hardware and software.

Connected to the internet

Numerous vulnerabilities are potentially exploitable simply if a device is connected to the internet. The attacker doesn’t even need to have access privileges to launch a successful attack. For some scenarios, the attacker only has to be able to discover the device and send it messages or be able to intercept messages to and from the device.

Many connected devices can see messages that are intended for other devices. Imagine if a hacker replaced a router in the workplace with a hacked one. Every message passing through this router could now be accessed.

Because it’s not possible to guarantee that a hacker can’t access a message as it’s being transferred across the internet, the message itself needs to be secure. Furthermore, a hacker could capture communications and duplicate them to try to force repeat behaviors from the system. This is possible even if the message can’t be read by the hacker. Therefore, messages must be secured from transaction to transaction and have security measures to prevent replay attacks.

As can be seen, there are many ways to exploit access. What’s important to realize is that access to a system isn’t completely preventable. By its nature, the internet connects every device to every other device online. As soon as a device becomes a network node, regardless of the form of access, it’s vulnerable. The best security, in fact, assumes that hackers do have access.

If we assume hackers can access IoT networks and the devices on them, our strategy must shift from preventing access to protecting it as best as possible. In terms of access, the security to put in place is for a device to require credentials and authentication before it accepts commands, data, code, or any other critical communications from an external source.
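The two requirements above, authenticating a command before accepting it and rejecting a captured message that is sent again, can be sketched as follows. This is an added example, not code from the article; the frame layout, the `seal` and `Device` names, and the demo key are assumptions, and HMAC-SHA256 with a monotonic counter is one common way to meet both requirements.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device would hold a per-device secret in protected storage.
DEVICE_KEY = bytes(range(32))
TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian counter || command || HMAC tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Receiver side: accepts a command only if it is authentic and fresh."""
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # must be persisted across reboots on real hardware
        self.executed = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < 8 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        (counter,) = struct.unpack(">Q", body[:8])
        # Authenticity alone is not enough: a captured frame still has a valid tag.
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        self.executed.append(body[8:])
        return "accepted"


def demo() -> list:
    device = Device(DEVICE_KEY)
    unlock = seal(DEVICE_KEY, 1, b"unlock")
    forged = seal(b"\x00" * 32, 2, b"unlock")        # sender without the key
    tampered = unlock[:8] + b"UNLOCK" + unlock[14:]  # body changed in transit
    return [device.receive(f) for f in (unlock, unlock, forged, tampered,
                                        seal(DEVICE_KEY, 2, b"lock"))]

if __name__ == "__main__":
    print(demo())
```

The second delivery of the same valid frame is refused even though its tag verifies, which is the replay case the text describes: the sender never needed to read or alter the message.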

Next time, we’ll explore authentication to manage access and how it’s implemented in embedded IoT devices.
