As many as 50 billion devices will be connected to the Internet of Things by 2023, predicts Statista. One of the priorities highlighted by the OWASP Foundation in a study (OWASP Internet of Things Project TOP10 [1]) is ensuring cyber security in a market with an estimated worth between $4 trillion and $11 trillion.
What is the OWASP Foundation?
The OWASP Foundation produces guides and provides guidance to enhance the security of systems.
This article will focus on how IoT cybersecurity is ensured through encryption protocols.
Encryption protocols in IoT devices
IoT system cyber security begins with ensuring that data stored on devices and in the cloud uses protocols that perform encryption operations at the presentation layer.
In particular configurations, versions of dependencies, such as OpenSSL or SSH servers, may be vulnerable to attack, leading to the possibility of third parties accessing sensitive data. Therefore, it is essential to choose dependency versions with low vulnerability to this threat.
To increase cyber security in IoT, the most desirable approach would be to perform data encryption operations exclusively in cryptographic systems such as TPMs or HSMs.
The cryptographic mechanism you use to ensure data confidentiality must be used carefully and correctly. The key to this is accurate configuration and ruling out any scenario in which the connection is renegotiated and downgraded to schemes with known vulnerabilities (a cryptographic downgrade attack).
Remember that encryption is only effective if it keeps pace with the exponential growth of computing power described by Moore's law. Gordon Moore, one of the founders of Intel, observed the exponential growth in the number of transistors. Cryptographic schemes that fail to keep up with it have been withdrawn from the market due to security concerns.
Problems in encryption schemes
The most significant security flaws of the old SSL schemes, the DROWN attack on SSLv2 and the POODLE attack on SSLv3, are due to vulnerabilities in the architecture of these solutions. These flaws prompted the transition to TLS schemes. The worst possible outcome would be to renegotiate down to a form of communication with no encryption at all.
What is renegotiation? Imagine calling your friend to arrange a Saturday lunch. The chances are that you won’t find them at the restaurant if they don’t pick up. It is, however, more likely that your meeting will take place if they do answer the call.
The encryption protocols used in IoT devices sometimes work in a similar way. As the two sides must agree on a protocol, a kind of 'connection negotiation' occurs at one of the layers before they connect. Whenever a client receives a request from the server that has an encryption type it does not support, another one is proposed. In other words, renegotiation takes place.
This poses a risk that you can mitigate by firmly refusing a server-side client that proposes unsafe encryption methods or no encryption at all.
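The refusal described above can be set on the client so that the handshake fails instead of falling back to a weaker scheme. The following is an added example, not part of the original article, using Python's standard ssl module; the TLS 1.2 floor and the function names are assumptions chosen for illustration.

```python
import ssl

FLOOR = ssl.TLSVersion.TLSv1_2  # assumed policy floor; the article names no version


def permissive_client_context():
    """The weak setting: accept any protocol version the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def strict_client_context():
    """The corrected setting: the handshake fails instead of dropping below FLOOR."""
    ctx = ssl.create_default_context()  # certificate and hostname checks enabled
    ctx.minimum_version = FLOOR
    return ctx


def downgrade_findings(ctx):
    """Return the reasons this context could be negotiated down, if any."""
    findings = []
    if ctx.minimum_version < FLOOR:
        findings.append("protocol floor %s is below %s"
                        % (ctx.minimum_version.name, FLOOR.name))
    # Suites with zero-strength (NULL) encryption send the data unencrypted.
    null_suites = [c["name"] for c in ctx.get_ciphers()
                   if c.get("strength_bits", 1) == 0 or "NULL" in c["name"]]
    if null_suites:
        findings.append("unencrypted suites enabled: " + ", ".join(null_suites))
    return findings


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_client_context()),
                      ("strict", strict_client_context())):
        print(name, downgrade_findings(ctx) or "no downgrade path found")
```

Running the audit in a build or provisioning step catches a device image whose TLS settings have drifted below the floor before it ships.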
Encryption in IoT is a must!
As much as possible, you should avoid protocols that do not use encryption in communication when building an IoT system. These can include Telnet, FTP, HTTP, or SMTP, among others. In addition, you can enhance network security and data privacy by using VPN technology.