Evaluation Of Security Measures For IoT Smart Homes

Information Security Policy

Information Security Policy (ISP) governs how various assets of information which include data, human and infrastructure are protected. Information Security Policy defines a set of rules by a given organization to all its users of network or internet handling information assets and the users of this infrastructure ought to abide with the rules in order to ensure the security of the digitally stored data within the allowed organization boundaries. With the current widespread of Internet of Things, information security has become quite difficult due to increased internet vulnerability caused by different IoT devices that are not well secured from attackers. Therefore, IoT device manufacturers need to integrate security mechanisms into these devices and also consider defense-in-depth mechanism which provides complimentary security mechanisms in order to ensure a comprehensive and adaptation of IoT devices that are more secure with incorporation of device-specific countermeasures to information attacks.

The purpose of this report therefore is to carry a thorough security evaluation on test-bed system for IoT Smart Homes, determine the security attacks associated with the Smart homes IoT devices given and provide ways and recommendations in which these attacks could be avoided by the manufactures of the IoT devices.  The report also evaluates various key legislation associated with information security and how such legislations affects organization’s information security policy. It also proposes the defense-in-depth solutions to mitigate internet security vulnerabilities faced by organizations and provides a security design for IoT and BYOB in a private network (Gruessner, 2015). Finally, the report highlights on some of the advanced technologies currently in use for enhancing network security that could be implemented by the IoT devices manufacturers.

For quality information security for the IoT, identifying various risks associated with the information infrastructure, assets and data is quite critical as this will enable the IoT (Labrien and Labrien, 2016) device manufacturers be able to categorized relevant information with their devices as discussed below.

Security Policy

A risk management plan for each device should be put in place. This plan will involve identifying a security policy that ought to be put into place in order to ensure that the perceived risks associated with the smart home devices are well managed and controlled (InfoSec Resources, 2018). Therefore it is the responsibility of the IoT manufacturers to ensure that a security policy that is based on the risk management strategy is in place. The security policy in place should be aimed at “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide integrity, confidentiality, and availability.”. Access control and information privacy policies will help in management of risks related to Smart home IoT devices such as the thermostat and music player (Cisco, 2018). Therefore the manufacture should consider having an information security policy that governs how the devices are developed, tested and analyzed for any vulnerabilities.  

Security Model

Security Model  

Having defined the security policy for each IoT device and the information system at large the manufacturer need to develop a security model. This security model outlines how various security policies will be implemented and enforced into information devices. The security model therefore acts as the IoT device security architecture that shows clearly the structure of the security mechanism for a given device as defined.

This include the physical device, the information infrastructure and the data contained in the information system. As it is the case with the Smart Home, the information system for this IoT environment consist of a centralized MQTT server coordinating the transfer of messages sent and received from the thermostat, music player and the dummy temperature sensor. The user of the smart home system interacts with the database server via a web front-end application which allows the user to store local information and device settings. Therefore, the security of this smart home system is very crucial since any asset of this system can be a target of an attack from outsiders. Also considering that the system operate via a network, the manufacturers should ensure that each device is well protected as well as the whole infrastructure in order to reduce the risk of attack.

Identifying the kind of attackers that are likely to interfere with the information system provides a clear understating of the kind of a threat the system is exposed to. Considering how sensitive a smart home system is, the manufacturer of the IoT devices should provide quality systems that keeps off spies, hackers, criminals, terrorists and use of script kiddies from access the smart home information system as this will compromise the privacy of the home owner as well as exposing them to danger. For example, in the case when the attacker gains access to the smart home thermostat, the attacker could modify it thus disabling security locks, spy on the children activities or even provide access to thugs into the house since the attacker can open the doors and monitor the activities remotely without the owner’s consent. Therefore identifying the kind of attackers and threats associated with smart homes will ensure that the manufacturer implements strong security counter measures to mitigate the threats.

This provides the results obtained after carrying out a penetration test for the Smart Home IoT application. There was a number of vulnerabilities identified during the penetration testing activity that could compromise the confidentiality and privacy of the home owner’s information. The vulnerabilities ranged from access control of the MQTT Server that hosted the database server thus exposing the system to interference from the attackers which compromised the whole information security system.  

Identifying Risks Associated with the Information Infrastructure

The web front-end application that gives access to the MQTT server where the database is vulnerable to the SQL injections. The input fields where the credentials are entered are not well validated thus making it possible for the attacker manipulate the system using SQL scripts thus gaining access to the server. Using the SQL script below exposed the user credentials which include the usernames and passwords.

FROM table

WHERE username = ‘x’ AND user IS NULL; –‘;

This is a security vulnerability as it allows attackers such as hackers to gain have unauthorized access to the smart home IoT system thus putting the home owner at risk. This security vulnerability could allow the attacker to access the database, modify the IoT device settings or delete important information as well. If the attacker gains con troll of the devices such as the thermostat, the house is no longer secure since everything that the house owner will be doing will not be confidential nor private as it should be.

Another vulnerability found during penetration testing is the use of weak password. Generally, the smart home owner’s password was ‘12345’ which is the default password provided by the manufacturer and thus making it easy for attackers to crack it by using brute-force methods. This kind of vulnerability expose the whole Smart Home IoT system to threats such as unauthorized access and considering that this provides an administrative access, the information system is therefore rendered unsecure and the integrity of the information contained in this system is not guaranteed.

The Smart Home IoT network is also vulnerable to attack. The infrastructure is not well secured with security devices such as firewalls or against interceptions from the outsiders. The information transmitted across the smart home network is not encrypted and in case of a network interception the attacker can be able to interprets the information easily thus interfering with the privacy of the Smart Home information (Craig, 2015).

Also by gaining access to the system, it was possible to remotely control the thermostat and the music player. This shows that the specific IoT security is not well structured as it allows anyone to start and stop them remotely. The manufacturer should ensure that despite the whole system having a secure authentication, individual devices should have their own access control mechanism to prevent attackers from controlling them.

The smart home network was also not well segregated. This made it easy to penetrate into the system using cross scripting site attacks. The web application, server and the database should be well segregated and the data transferred across the network be well sanitized to keep off attackers from interfering with the smart home system.  

Security Attacks on Smart Homes IoT Devices

The 1986 Electronic Communications Privacy Act enhances information security by regulating the interception of wire, electronic, and oral communications in a network (Staff, 2012). This act protects individual’s information from unlawful search and seizure thus ensuring that organizations uses security mechanisms, policies and procedures that protect the privacy of individual’s information. The privacy of customer information regulation in the US state that “it is the responsibility of the organizations to protect the confidentiality of its customer’s information”. Therefore, the various legislations affects how different organizations define their information security policies. Most of these legislation ensures that organizations do not misuse its customer’s information or provide low quality systems that are less secure, thus exposing its customers to information risks that could negatively affect them.

With this knowledge therefore it is the responsibility of the manufacturer of the IoT devices to ensure that the Smart Home system is secure by putting in place quality security mechanisms that do not allow intruders from gaining access to the information system.

Defense-in-depth methodology provides multiple architecture for security techniques. The principle of this approach is “Many Silver Bullets Are Better than one”, that is, having many counter measures to a certain security risks is better than just having one. Therefore, for a secure smart home system, the manufacturer should not just secure the server and leave the other devices unsecure. The security mechanism should be implemented in multiple layers to mitigate multiple security threats at all levels of the information system infrastructure (RASHID, 2017). A report by DHS recommended that stating “A single countermeasure cannot be depended on to mitigate all security issues.” The report continues: “In order to effectively protect industrial control systems from cyber-attacks, multiple countermeasures are needed that will disseminate risk over an aggregate of security mitigation techniques”.  

Therefore, the manufacturer pf the Smart Home IoT devices should implement physical device or hardware security and software security. The client server architecture in place for the smart home should as well be secured. This can be made by ensuring that the information transmitted across the smart home network is encrypted and that the server where the database is located is also secured. There should be input validation for the web front-end application for the users to protect the system against SQL injections and the application should not allow execution of cross site script. All these solutions should be put in place to ensure that the information system is secure across all its levels.

Penetration Testing and Vulnerabilities

To understand more of IoT solution, the information system is divided into different layers as show in the diagram below.

This layer consist of sensors, embedded systems and actuators. For this case the thermostat and the music player belong to this layer and are interconnected together in a Smart Home via network. These devices can be configured and controlled remotely via the internet and thus their security is very critical in ensuring that the IoT system enhances individual’s information protection (Harrison, 2015). Therefore, there should be proper security methods to ensure the authenticity of the information or data, the transmission media and the network authentication details between the initial installation and configuration of the IoT device and when the device has been fully integrated into the IoT infrastructure.

Multi-Service Edge Layer

This is the IoT layer that supports various connectivity protocols such as the Zigbee, IEEE 802.11, 3G and 4G to accommodate the IoT end devices. This layer supports connectivity both wired and wireless between different endpoints and in most cases the end points protocols do not have security capabilities thus rendering the system vulnerable. Therefore, in this layer there should be security services that protects insecure endpoints  

This layer provides a medium to transmit data via internet between various subnetworks. This layer faces threats such as:

• Man-in-the-middle (MITM) – this is where an attacker successfully make connections between endpoints and intercept the transmission of information in the network and interfering with the flow of the information.
• Impersonation (spoofing) – an unauthorized person with access to the system can transmit malicious traffic to various IoT endpoints on the network.
• Confidentiality Interference- This can be compromised if the attacker gain access to the network and interferes with the information being transmitted.

With this threats, the Security services at this layer should be well defined in order to ensure that the IoT system as a whole is well secured and protected against the above threats.

This layer consist of servers where databases and applications are hosted and all the endpoints communicates with this layer via the internet. This layer is the backbone of the the entire IoT (Smart Home) system and security services are very critical in ensuring that the system is protected against denial of services (DoS), interceptions and hacking. Cryptography mechanisms and strong access control for authentication security services should be used in this layer to enhance the security of the entire IoT system

Authentication Technologies

The Term authentication technology is explained as a process that is concerned with the involvement of many methods that compares all credentials that are given by the user against those currently in the database file of any user who is authorized or even in situations where the data present in the servers are authenticated. Its main reason is determining if the user is permitted to access any file and also keeping control over who is allowed to access the network or system applications in an organization. Authentication technologies provide a good platform in which users who access various part of the organization’s system are known and their activities. With proper network authentication technology it is possible to keep off intruders and ensure that the system is only accessed by authorized persons.

Legislation Affecting Information Security Policy

There are various advance network authentication technologies that are mostly applied and by AAA, these include; Smart Card authentication and biometric authentication technologies. These technologies are discussed in the section below.

Smart Card Authentication Technology

This is the use of a small electronic chip which holds user’s information used to identify and authenticate him/her before gaining access to the network system. Before one logs into the system, one is required to insert the card into a card reader and enter his/her personal identification number (PIN) which is verified and if that person’s details are okay, then one is given access into the system. Smart cards based authentication technology uses cryptography authentication method thus making it more secure since the owner of the card has to be there physically to perform the process before authorization is granted.

Biometric Authentication

This involve the use of biological parts patterns such as fingerprints, iris, voice and retinal. These particular biological parts are unique to each person and the probability of having two or more people with the same patterns is very minimal thus this technology can be used to positively identify a person. From the above named technologies, biometric authentication is one of the most secure way of protecting unauthorized persons from gaining access to the network system as it is hard for anyone to falsify such parts.

Conclusion

To help secure the IoT and reduce barriers to adoption, IoT security design should start with traditional cybersecurity techniques, adapt them to the unique aspects of IoT devices and environments, and finally incorporate additional defense mechanisms to defend against the increasingly broad range and vulnerable nature of IoT devices. Following standard security processes can ensure a thorough review of areas of concern, which can then be followed by leveraging advanced cybersecurity and device-specific techniques, including a layered, defense-in-depth approach to security .By properly designing security into IoT devices, financial damage, reputational damage, and potential risk to human life can be avoided.

References

Administration and Finance. (2018). Information Security Policy. [online] Available at: https://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/security-policies-and-standards/information-security-policy.html [Accessed 22 Apr. 2018].

Bristol.ac.uk. (2016). [online] Available at: https://www.bristol.ac.uk/media-library/sites/infosec/documents/guide.pdf [Accessed 22 Apr. 2018].

Cengage.com. (2018). [online] Available at: https://www.cengage.com/resource_uploads/downloads/1111138214_259148.pdf [Accessed 22 Apr. 2018].

Cisco. (2018). BYOD Smart Solution Implementation. [online] Available at: https://www.cisco.com/c/en/us/solutions/byod-smart-solution/implementation.html [Accessed 22 Apr. 2018].

Cisco. (2018). Securing the Internet of Things: A Proposed Framework. [online] Available at: https://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html [Accessed 22 Apr. 2018].

Craig, C. (2015). Smart home or dumb security risk?. [online] InfoWorld. Available at: https://www.infoworld.com/article/2893600/mobile-technology/smart-home-or-dumb-security-risk.html [Accessed 22 Apr. 2018].

Dickson, B. (2016). Why do we need to take IoT security more seriously?. [online] TechTalks. Available at: https://bdtechtalks.com/2016/04/20/why-do-we-need-to-take-iot-security-more-seriously/ [Accessed 22 Apr. 2018].

Gruessner, V. (2015). How BYOD Implementation Impacts Healthcare Security. [online] mHealthIntelligence. Available at: https://mhealthintelligence.com/news/how-byod-implementation-impacts-healthcare-security [Accessed 22 Apr. 2018].

Harrison, M. (2015). 5 tips for implementing IoT security — Secure360. [online] Secure360.org. Available at: https://secure360.org/2016/10/5-tips-for-implementing-iot-security/ [Accessed 22 Apr. 2018].

InfoSec Resources. (2018). Key Elements of an Information Security Policy. [online] Available at: https://resources.infosecinstitute.com/key-elements-information-security-policy/ [Accessed 22 Apr. 2018].

Labrien, D. and Labrien, D. (2016). Smart Homes: What Are the Security Risks?. [online] TechCo. Available at: https://tech.co/smart-homes-security-risks-2016-05 [Accessed 22 Apr. 2018].

Meola, A. (2016). How IoT & smart home automation will change the way we live. [online] Business Insider. Available at: https://www.businessinsider.com/internet-of-things-smart-home-automation-2016-8?IR=T [Accessed 22 Apr. 2018].

PRICE, M. (2018). How dangerous is the internet of things? The CPSC wants to hear from you. [online] CNET. Available at: https://www.cnet.com/news/us-consumer-product-safety-commission-iot-public-hearing-security/ [Accessed 22 Apr. 2018].

RASHID, F. (2017). How to Secure Your (Easily Hackable) Smart Home. [online] Tom’s Guide. Available at: https://www.tomsguide.com/us/secure-smart-home-how-to,news-19380.html [Accessed 22 Apr. 2018].

Staff, C. (2012). The security laws, regulations and guidelines directory. [online] CSO Online. Available at: https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html [Accessed 22 Apr. 2018].

Cstl.com. (2018). [online] Available at: https://www.cstl.com/CST/Penetration-Test/CST-Web-Application-Testing-Report.pdf [Accessed 22 Apr. 2018].

England.nhs.uk. (2016). [online] Available at: https://www.england.nhs.uk/wp-content/uploads/2016/12/information-security-policy-v3-1.pdf [Accessed 22 Apr. 2018].

Events.windriver.com. (2016). [online] Available at: https://events.windriver.com/wrcd01/wrcm/2016/10/IoT-Security-Is-More-Challenging-Than-Cybersecurity-White-Paper-2.pdf [Accessed 22 Apr. 2018].

Information Security Forum. (2018). Critical Information Asset Management and Protection – Information Security Forum. [online] Available at: https://www.securityforum.org/consultancy/critical-informat-and-protection/ [Accessed 22 Apr. 2018].

Sans.org. (2018). [online] Available at: https://www.sans.org/reading-room/whitepapers/testing/writing-penetration-testing-report-33343 [Accessed 22 Apr. 2018].

Worldpay.com. (2018). [online] Available at: https://www.worldpay.com/sites/default/files/WPUK-SaferPayments-Information-Security-Policy.pdf [Accessed 22 Apr. 2018].

Order an Essay Now & Get These Features For Free:

Turnitin Report

Formatting

Title Page

Citation

Outline

Place an Order