An Engineering Perspective on IoT Security
Jeremy, as a software engineer at IoTerop, an expert in LwM2M, and as a participant in the Open Mobile Alliance TestFest, what are your thoughts about IoT security?
Security will be a monumental challenge. Connected devices with inadequate security could have critical consequences. Future solutions will need far more robust, comprehensive and integrated considering the highly dynamic nature of the IoT ecosystem (hardware, software, networks, etc.) while remaining open and adaptable as an organization continues to evolve.
In 2014, a University of Michigan team accessed a traffic light network using readily available hardware. Once inside the system, the group quickly gained the ability to change traffic signals, alter logic commands, and disable the signal devices. Smart City systems designed to serve citizens could become weapons in the wrong hands.
IoT solutions require comprehensive security from the sensor to the cloud. In many cases, non-encrypted messages can be easily intercepted, falsified, or misused, leading to security breaches, as illustrated above. It is critical IoT developers consider security features during the design phase of their IoT solution development. This approach provides better guarantees in terms of securing the data exchange.
How is LwM2M security different than the MQTT, for instance?
The OMA Lightweight M2M standard mandates TLS security protocol on TCP/IP networks and DTLS security protocol on datagram networks specially designed to protect messages from intercepted, modified, and falsified the object’s network. These protocols are standards within the IoT world. They ensure device authentication before a new sensor’s admission onto an IoT network and secure communication between all IoT elements. DTLS is relatively adapted to constrained devices and networks.
Different encryption methods can be used, like:
- PSK: Pre-Shared Key
- RPK: Raw Public Key
- 509: Certificate
These mechanisms are classified from the easiest to the hardest in terms of implementation complexity. And from the less to the more CPU intensive.