Internet of Things and Security

An increasing number of “things” are being connected today, and we are heading towards a world where everything that benefits from being connected will be connected. The Internet of Things (IoT) has big promises in what new services and applications it can offer to us. New innovations will happen over time when things get connected and we realize all the benefits we can get out of them. 

At the same time, we also need to see technical advances in order to reach the full potential of IoT. Connecting things means that we want things to communicate. However, for this to happen, the things need mechanisms to exchange data and they should understand each other – they should have some kind of common language. The technical term used is semantic interoperability. Semantic interoperability is getting increased attention today, and there are efforts ongoing to enable it. As an example, a workshop was recently arranged by the Internet Architecture Board (IAB) to discuss semantic interoperability (https://www.iab.org/activities/workshops/iotsi/). 

The things are of very different nature and hence also have different characteristics, such a computational capabilities and power restrictions. All these different characteristics need to be taken into account when designing the mechanisms for building communication networks of the future. 

Not surprisingly then many standardization organizations are working with improving the technology needed for IoT. For example, the Internet Engineering Task Force (IETF) has specified the basic mechanisms that are used for the Internet, and works on improving these mechanisms and on specifying new mechanisms to meet the future communication demands. For IoT, the Hypertext Transfer Protocol (HTTP) can be used for communication. The latest version of HTTP can be found in https://tools.ietf.org/html/rfc7540. For things with more restricted resources, another lightweight alternative has been specified, the Constrained Application Protocol (CoAP), which can be found in https://tools.ietf.org/html/rfc7552. 

In 3GPP, there are radio technologies being developed. A couple of main characteristics for these new radio technologies are to improve coverage and energy efficiency. The technologies are called EC-GM, NB-IoT and LTE-M (http://www.3gpp.org/news-events/3gpp-news/1762-iot_geran). 

To enable the full potential of IoT, it goes without saying that also security and privacy need to be handled in a good manner. Identity management is one important aspect in IoT. Every thing needs an identity so that it can be identified, and it can be made sure that communication is happening with the correct device. 

There are many good mechanisms available to protect the communication in particular in terms of integrity and confidentiality, and help in the identity management. For the HTTP and CoAP protocols, TLS and DTLS can be used to protect the communication. New protocols for application layer security such as OSCOAP (https://tools.ietf.org/html/draft-selander-ace-object-security) and EDHOC (https://tools.ietf.org/html/draft-selander-ace-cose-ecdhe) are being developed, to support end-to-end security as well as the application of CoAP in new IoT settings. These protocols are based on the CBOR encoded message syntax (https://tools.ietf.org/html/draft-ietf-cose-msg), which is expected to become an important standard format for compact secure messages. 

There is also a need for access control, to make sure that the things are only performing actions requested by authorized entities. For example, any given thing in a house should only be accessed by devices or systems appointed by the owner of that particular house, not the owner of the neighboring houses or any other device. A light-weight authorization framework suitable for IoT is being built out of the widely deployed Web authorization framework OAuth 2.0 (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz). Acknowledging the wide variety of IoT deployments, this framework allows the definition of profiles adapted to different communication (HTTP, CoAP, Bluetooth, etc.) and security paradigms, for example (TLS, DTLS, OSCOAP, etc.) 

3GPP has defined its own security mechanisms that can be used to protect the communication for the 3GPP radio accesses. Technical details of these mechanisms can be found from Technical Specifications 43.020, 33.102 and 33.401. These specifications can be found from the list of specifications that the 3GPP security group (SA3) has worked on (http://www.3gpp.org/DynaReport/TSG-WG–S3.htm). 

Another important aspect to consider is how to setup the security when a thing is connected to a network. As we are foreseeing a lot of things being connected, it would be desirable that the setup would be automatic as much as possible. If human intervention is needed for setting up the device, it would be desirable to make the setup as easy as possible. There is work ongoing also in this area, for example work on how to connect TV screens to a server that will provide the content that the TV screen should display (http://dl.acm.org/citation.cfm?id=2632049).  

In addition to providing the security mechanisms for the communication, it is also important to work with the security of the device itself. Many of the devices that are getting connected might not originally have been designed with intent of connecting them. It is consequently important to ensure that connecting the device will not increase the risk of malicious use of the device. The IoT manufacturers might also lack the experience and expertise in the area of data communication. Looking for example at the area of connecting lights, there have been some security issues reported during the latest years, some of them are listed below: 

The security community needs to help the IoT community by raising the awareness of the need of proper security and by helping in providing the security mechanisms that will be one cornerstone in the success of the Internet of Things with billions of connected devices.