Experts at Statista.com estimate that there will be 50 billion IoT devices connected to the network by 2023. Security in the rapid scaling of the Internet of Things will be one of the critical challenges engineers will be facing in the coming years. How is this addressed in the OWASP Foundation’s recent Internet of Things Project TOP10 study?
To get started, let’s answer this question: What does the OWASP Foundation do, and who are its experts? According to the website OWASP.org:
OWASP is a non-profit organization dedicated to improving software security. Through community-driven open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is a resource for developers and technologists to secure networks.
The use of encryption protocols was one of the critical issues in a recent study on the cyber security of the Internet of Things.
Cryptographic protocols in IoT devices
Taking care of how data is stored on devices and in the cloud is the basis for ensuring cyber security in an IoT system. Here, the priority is to use protocols that perform encryption at the presentation layer.
It is worth noting that some configurations can be particularly vulnerable to cyberattacks depending on whether they use Open SSL or SSH servers. A sensitive piece of information is unfortunately accessible to unauthorized individuals. As a precaution, during the selection process, it is advisable to focus on interdependencies with low susceptibility to hacking.
The security of IoT systems can also be enhanced by ensuring that cryptographic systems only handle data encryption operations, for instance, TPM (trusted platform modules) or HSM (hardware security modules). A solution like this provides an extra layer of protection.
Even the most complex cryptographic mechanism will not be effective if the process of ensuring data confidentiality is implemented incorrectly. Configuring systems correctly and excluding the possibility of renegotiating connections by devaluing them to schemes with known vulnerabilities should be the priority (Downgrade Cryptographic Attack).
In accordance with Gordon Moore’s law (one of the founders of Intel, the first to implement the theory of exponential transistor growth), any encryption method is only effective if it keeps pace with the exponential growth of the computing power of the network.
In light of Moore’s Law, cryptographic schemes that do not keep pace are widely considered unsafe and are withdrawn from the market.
Problems in encryption schemes
The security flaws detected in the first SSL schemes, such as the SSlv2 DROWN attack or the SSLv3 – Poodle attack, were primarily due to vulnerabilities in the architecture of these solutions. The errors resulted in the development of TLS schemes based on the SSL protocol.
A worst-case scenario would be to allow renegotiation to function as communication leaving out any form of communication.
What is renegotiation? Let’s say you want to make an appointment with a doctor. If you do not get through to the reception desk, there is a significant risk that you will not be seen on your chosen day. Getting admitted is far more likely if the receptionist answers the phone.
It is the same with encryption protocols on IoT devices. A ‘connection negotiation’ takes place at one of the layers before they connect, ensuring the protocols are set up appropriately. Renegotiation will begin if the client receives a request from the server with a type of encryption it does not support. A different kind of encryption will be offered.
In this case, however, there is a risk since the client may suggest using unsafe encryption types or none at all. You can mitigate this risk by remaining very assertive with the client on the server side.
Encryption of protocols in IoT is a trend for the coming years!
Failure to apply encryption protocols for communication in IoT systems poses a considerable risk. It is advisable to avoid using protocols such as Telnet, FTP, HTTP, or SMTP when building an IoT system. Consider using VPN technology, which will significantly enhance network security and privacy.
If you are seeking a proven technology partner to create secure IoT solutions, set up a free consultation! Solwit’s team has successfully completed many projects that required the highest level of system security and will be happy to give you suggestions.