I recently had a chance to talk with some experts from a consulting company. Among other things, we discussed IoT security and what offerings we at Kaspersky Lab have developed for it. During our discussion I got the distinct impression that their understanding of the term IoT was limited to sensors and actuators, or edge devices. Actually, most people who know the term IoT tend to think the same. In actual fact, the concept of an IoT is much wider than just smart cameras, connected kettles and refrigerators, or sensors. So what exactly is the IoT?
Of course, the internet of things includes sensors and all those smart devices connected to the internet. But all those devices are first of all connected to a gateway or a router that is in turn connected to cloud services via a provider’s infrastructure. The gateway may be installed at a home, in an office, at an industrial plant, or be part of a mobile operator’s infrastructure. But a gateway always exists.
The task of a gateway is not only to get data from IoT devices but also to perform preliminary processing of the data and then send it on to a cloud, where it undergoes final processing, is stored and feedback is sent to edge devices. IoT users also have access to the cloud infrastructure via their smartphones, tablets, desktops and laptops. What we end up with is a complex system composed of unknown smart devices as well as ordinary telecommunications equipment, cloud systems and known smartphones and notebooks. So, when we’re talking about IoT protection we need to be clear what part of the infrastructure we mean.
When talking about IoT security it’s necessary to remember and understand that all the elements of a complex IoT infrastructure should be secured. Otherwise, if one of the elements is vulnerable, the whole system can be compromised. The results of research into Android applications for vehicle communications offer a good example of how a vendor failed to understand the need for a complex approach to the IoT. Without going into the details listed in the article linked above, we can state that a badly written application can result in an intruder stealing a car. It may not be immediately obvious, but today’s cars are also part of the internet of things.
IoT solutions are much more complex than we used to – and want to – think. Each element of these solutions, as well as those solutions in their entirety, should take cybersecurity requirements into account when being designed and developed. Some of the most popular IoT infrastructure attack vectors are shown below. As you can see, there are numerous attack vectors that need to be taken into account when developing a solution and planning protection and countermeasures.
This is the approach we adhere to at Kaspersky Lab, offering our customers products and technologies capable of protecting an entire IoT solution.
It’s difficult in one blog post to cover all the technologies we use to create a secure IoT solution. That’s why I’ve decided to divide this up into several posts. The next part will cover secure gateways.