Security in IoT systems - Issues and Solutions / Francesca Nizzi. - (2020).

Security in IoT systems - Issues and Solutions

Francesca Nizzi
2020

Abstract

The term Internet of Things (IoT) denotes an ecosystem of interconnected “smart” objects (things) that are connected, able to interact, and able to exchange and process data. Communicating its own data and having access to the aggregate information of its neighbors makes a thing recognizable and is the basis for giving it ‘intelligence’, as is the ability to react autonomously to changes in the environment. For example, an alarm clock could ring earlier than planned according to the expected travel time needed to reach the destination, a heating system could adjust its settings if the outside temperature drops drastically, etc. To perform their operations, IoT devices map the real world into the “cyber” one and vice versa. It is easy to see that the possible applications of IoT systems are endless: manufacturing processes, autonomous driving, health, environmental protection, etc.

It is extremely difficult to design a protocol that embraces every single IoT use case, because of the diverse scenario requirements and the heterogeneous device types. Recently, new protocols that simplify communications have been standardized. For example, Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 defines the physical and Medium Access Control (MAC) layers for Wireless Sensor Networks (WSNs). Moreover, in order to fully interconnect IoT devices through the Internet, a number of adaptation layers have been defined by the Internet Engineering Task Force (IETF) community, such as 6LoWPAN and RPL. Application-level protocols have been standardized as well, even though they suffer from the usual tension between the need for standardization and the tendency of manufacturers to create a ‘closed’ ecosystem that locks customers to a specific vendor. Nevertheless, the market seems to be oriented toward open protocols, like Constrained Application Protocol (CoAP) (developed by IETF), Message Queue Telemetry Transport (MQTT) (ISO/IEC PRF 20922), and Lightweight M2M (LwM2M) (developed by the Open Mobile Alliance for M2M). Obviously proprietary solutions still exist, and paying a royalty offers the advantage of “certified” devices that (hopefully) should interoperate seamlessly. The principal industrial solutions are ZigBee, LoRa/LoRaWAN, and Sigfox.

Some of the most serious issues in IoT are in the privacy and security areas. First, the devices communicate over wireless technologies and are, by definition, easy to eavesdrop on; second, the devices interact directly with the real world, raising concerns about the privacy and safety of users. These aspects must not be underestimated, because a small “incident” can lead to safety risks. In general, IoT security issues are quite similar to those of “traditional” devices, e.g., unencrypted messages, weak authentication methods, guessable passwords and user names, default login information left unchanged upon deployment, etc. In addition to these problems, IoT devices have computational and memory limitations, are often battery-powered, and are placed in inaccessible areas. These constraints make it hard, if not impossible, to use ‘traditional’ security policies and attack countermeasures. As a consequence, novel security approaches must be developed.
Prof. Romano Fantacci, Dott. Tommaso Pecorella, Dott. Francesco Chiti, Laura Pierucci
Files in this item:
Security_in_IoT_systems___Issues_and_Solutions.pdf

Open Access from 08/03/2021

Type: Doctoral thesis
License: Open Access
Size: 16.84 MB
Format: Adobe PDF

Documents in FLORE are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this resource: https://hdl.handle.net/2158/1185966