Security in Internet of Things Systems
Security in the current Internet of Things is not as good as it ought to be. This thesis shows some glaring flaws in existing products, which are often created because of oversight from the developers, as the constraints existing in IoT require a more thorough thought process than is normal in desktop computing. Due to limited power, bandwidth and processing power, everything needs to get stripped down to the bare minimum, while still maintaining good security properties.

Security is an oversight in many projects. Using examples from previous research, and conducting unique analysis on existing products, it is shown that many developers more or less ignore everything related to security (BMW, HomeEasy, Sonos), or create their own cryptographic algorithms with clear flaws (Eye-Fi, OSGP smart-grid). To ensure that the future of IoT is secure, this thesis aims to make developers think about the limitations that exist, and provide solutions to the problems that will occur when designing a device for the Internet of Things.

Securing the Internet of Things is important to consumers. Through previous research it is shown exactly how devastating not focusing on the security of IoT devices can be, with the majority of consumers (62 %) "feeling completely violated and extremely angry to the point where I would take action." Close to half (48 %) of all consumers would hold the manufacturer responsible if a flaw was to be found in the system, showing the obvious economic risks taken by not securing a device properly.

Some of the challenges presented are common in information security, but pose new challenges because of the unique constraints. Securing an IT system requires confidentiality, integrity, and authorization. Whereas on desktop computers this is usually handled by libraries like OpenSSL and by using TLS, on IoT devices deciding on an encryption, authentication and signature algorithm is not as easy as calling a different method. The limited power, bandwidth and processing capabilities will require a thorough thought process to decide how to secure a device both efficiently and effectively.

The other challenges are more specific to the Internet of Things. In regular desktop computing, an advanced user interface is usually available, and physical loss of a device during use is relatively uncommon. IoT devices, on the other hand, will usually have a very limited user interface, and will often be placed in exposed areas and used in situations with high physical stress.

Security should be a consideration through the whole project. Long before the first prototype PCB design is sent to the factory, key decisions on security should have been made. These include how keys should be distributed to each device, whether hardware acceleration should be used, how updates can be handled, whether PKI is a viable solution for the device, what type of cryptographic algorithms should be used, etc.