IoT Security Issues
Alasdair Gilchrist has spent 25 years as a company director in the fields of IT, Data Communications, Mobile Telecoms and latterly Cloud/SDN/NFV technologies, as a professional technician, support manager, network and security architect. He has project-managed both agile SDLC software development and technical network architecture design. He has experience in the deployment and integration of systems in enterprise, cloud, fixed/mobile telecoms, and service provider networks. He is knowledgeable in a wide range of technologies and has written a number of books in related fields.
Introduction
Part I: Making Sense of the Hype
Chapter 1 – The Consumer Internet of Things
A Wave of Technology, or a Wave of Hype
IoT Skeptics and the Role of Security Issues
The Internet of No-thing
Where are these IoT devices?
Why the ambiguity in IoT uptake?
The Media and Marketing Hype
Lack of Killer Applications
There be Monsters
Buying Secure IoT Devices?
Making Things That Just Work
Is this a consumer Internet of things?
Skepticism, but the future looks bright
Consumer Trust – or Lack of It
Losing Control?
Toys for the Rich
IoT isn’t DIY
Is Security a Major Inhibitor?
Part II: Security
Chapter 2 – It’s Not Just About the Future
Looking back to move forward
Security by Design
Data Mobile Networks
A Confluence of New Technologies
Basic Security Practices
Chapter 3 – Flawed, Insecure Devices
Why are so many insecure devices on the market?
A Manufacturer’s Perspective
The Device Production Cycle
Software development in an agile market
Clash of Cultures
Developers and the Security Puzzle
Reputational loss
Chapter 4 – Securing the Unidentified
The Scale of the Problem
What Type of Devices to Secure?
Unplanned Change
The Consumer’s View on Security
Chapter 5 – Consumer Convenience Trumps Security
Plug n’ Pray
Easy install – no truck rolls
Convenient but insecure
Many home networks are insecure?
Customer Ignorance
Chapter 6 – Startups Driving the IoT
Installing IoT Devices
Security knowledge is lacking
Chapter 7 – Cyber-Security and the Customer Experience
Pushing Security onto the Consumer
Industry regulations and standards – where are they?
The home ecosystem
Security negativity
Security Anomalies
What device can be trusted
Chapter 8 – Security Requirements for the IoT
Why security issues arise
Security and product confidence
Me-too manufacturing
Cutting development costs
Security is not an extra
Loss of product trust
Designing appropriate security
Chapter 9 – Re-engineering the IoT
Comparing Apples and Oranges
The Bluetooth lock saga
Device vulnerabilities and flaws
Flawed firmware
Code re-use
The issue with open source
Chapter 10 – IoT Production, Security and Strength
Manufacturing IoT Devices
ODM design
The tale of the Wi-Fi Kettle
Push Vs. pull marketing
Chapter 11 – Wearable’s – A New Developer’s Headache
IoT by stealth
The consumer IoT conundrum
Designing in Vulnerabilities
Passwords are the problem
Why are cookies important?
Chapter 12 – New Surface Threats
Hacking IoT Firmware
Part III: Architecting the Secure IoT
Chapter 13 – Designing the Secure IoT
IoT from an Architect’s View-Point
Modeling the IoT
IoT communication patterns
First IoT design principles
Chapter 14 – Secure IoT Architecture Patterns
Event and data processing
Chapter 15 – Threat Models
What are threat models?
Designing a threat model
6 steps to threat modeling
Advanced IoT threats
Devices
Networks
Infrastructure
Interfaces
Part IV: Defending the IoT
Chapter 16 – Threats, Vulnerabilities and Risks
IoT threats & counter-measures
Chapter 17 – IoT Security Framework
Introduction to the IoT security framework
Chapter 18 – Secure IoT Design
IoT Network Design
IoT protocols
The IoT Stack
Link layer
Adaption layer
IPv6 & IPsec
Routing
Messaging
Chapter 19 – Utilizing IPv6 Security Features
Securing the IoT
Confidentiality
Integrity
Availability
Link layer
Network layer
Transport layer
Network security
Part V: Trust
Chapter 20 – The IoT of Trust
Trust between partners – there isn’t that much about
IBM Vs. Microsoft
Apple vs. Samsung
Uber Vs Crowdsources drivers
Manufacturer and customer trust model
Dubious toys
Kids play
Chapter 21 – It’s All About the Data
Appropriating data
The Data Appropriators
Where is the fair barter?
Trust by design
Chapter 22 – Trusting the Device
Hacking voicemail
Unethical phone hacking
Chapter 23 – Who Can We Trust?
Free is an Earner
Pissing into the Tent
IoT Trust is Essential
The Osram debacle
LIFX’s another Hack?
Balancing Security and Trust
So, Who Can We Trust?
Open Trust Alliance
Part VI: Privacy
Chapter 24 – Personal Private Information (PIP)
Why is the Privacy of our Personal Information Important?
Collecting Private Data
Data is the New Oil, or Is It?
Attacks on data privacy at Internet scale
Young and Carefree
Can we Control our Privacy?
Ad-blockers – They’re Not What They Seem
Google and the dubious ad blockers
Privacy Laws Around the Globe
United States of America
Germany
Russia
China
India
Brazil
Australia
Japan
UK (Under review)
Different Laws in Countries – What Possibly Could Go Wrong
Facebook’s EU Opt-out Scandal
Chapter 25 – The U.S. and EU Data Privacy Shield
When privacy laws collide
Losing a Safe Harbor
After the closure of the Safe Harbor
Model and Standard Contractual Clauses
The new EU – US Privacy Shield
New shield or old failings
Contradictions on privacy
Leveraging the value of data
Part VII: Surveillance, Subterfuge and Sabotage
Chapter 26 – The Panopticon
The good, the bad and the ugly
Home surveillance
Law enforcement – going dark
Dragnet Exploits
The 5-Eyes (FVEY)
PRISM
Mastering the Internet
Project TEMPORA
XKEYSTORE
Windstop
MUSCULAR
INCENSER
Encryption in the IoT
The Snooper’s charter
Nothing to hide nothing to fear
Its only metadata
Index
Publication date | 24.01.2017 |
---|---|
Additional info | 9 Illustrations, black and white |
Place of publication | Boston |
Language | English |
Dimensions | 155 x 230 mm |
Weight | 460 g |
Subject area | Mathematics / Computer Science ► Computer Science ► Databases; Computer Science ► Networks ► Security / Firewall |
Keywords | internet of things • IOT • IoT, Internet of Things, IPv6, Vulnerabilities, Hacking, Sensors • IPv6 security • Network • Sensors • Security |
ISBN-10 | 1-5015-1474-1 / 1501514741 |
ISBN-13 | 978-1-5015-1474-6 / 9781501514746 |
Condition | New |