IoT Security Issues

IoT Security Issues looks at the burgeoning growth of devices of all kinds controlled over the Internet of all varieties, where product comes first and security second. In this case, security trails badly. This book examines the issues surrounding these problems, vulnerabilities, what can be done to solve the problem, investigating the stack for the roots of the problems and how programming and attention to good security practice can combat the problems today that are a result of lax security processes on the Internet of Things. This book is for people interested in understanding the vulnerabilities on the Internet of Things, such as programmers who have not yet been focusing on the IoT, security professionals and a wide array of interested hackers and makers. This book assumes little experience or knowledge of the Internet of Things. To fully appreciate the book, limited programming background would be helpful for some of the chapters later in the book, though the basic content is explained. The author, Alasdair Gilchrist, has spent 25 years as a company director in the fields of IT, Data Communications, Mobile Telecoms and latterly Cloud/SDN/NFV technologies, as a professional technician, support manager, network and security architect. He has project-managed both agile SDLC software development as well as technical network architecture design. He has experience in the deployment and integration of systems in enterprise, cloud, fixed/mobile telecoms, and service provider networks. He is therefore knowledgeable in a wide range of technologies and has written a number of books in related fields.

Table of Contents:
Introduction | 1 Part I: Making Sense of the Hype Chapter 1 – The Consumer Internet of Things | 5 A Wave of Technology, or a Wave of Hype | 5 IoT Skeptics and the Role of Security Issues | 6 The Internet of No-thing | 7 Where are these IoT devices? | 8 Why the ambiguity in IoT uptake? | 9 The Media and Marketing Hype | 9 Lack of Killer Applications | 11 There be Monsters | 11 Buying Secure IoT Devices? | 12 Making Things That Just Work | 16 Is this a consumer Internet of things? | 16 Skepticism, but the future looks bright | 17 Consumer Trust – or Lack of It | 19 Losing Control? | 19 Toys for the Rich | 21 IoT isn’t DIY | 22 Is Security a Major Inhibitor? | 23 Part II: Security Chapter 2 – It’s Not Just About the Future | 27 Looking back to move forward | 27 Security by Design | 29 Data Mobile Networks | 30 A Confluence of New Technologies | 32 Basic Security Practices | 34 Chapter 3 – Flawed, Insecure Devices | 35 Why are so many insecure devices on the market? | 35 A Manufacturer’s Perspective | 35 The Device Production Cycle | 36 Software development in an agile market | 37 Clash of Cultures | 37 Developers and the Security Puzzle | 38 Reputational loss | 40 Chapter 4 – Securing the Unidentified | 43 The Scale of the Problem | 44 What Type of Devices to Secure? | 44 Unplanned Change | 44 The Consumer’s View on Security | 45 Chapter 5 – Consumer Convenience Trumps Security | 49 Plug n’ Pray | 49 Easy install – no truck rolls | 51 Convenient but insecure | 51 Many home networks are insecure? | 53 Customer Ignorance | 53 Chapter 6 – Startups Driving the IoT | 55 Installing IoT Devices | 56 Security knowledge is lacking | 56 Chapter 7 – Cyber-Security and the Customer Experience | 57 Pushing Security onto the Consumer | 58 Industry regulations and standards – where are they? | 58 The home ecosystem | 59 Security negativity | 60 Security Anomalies | 61 What device can be trusted | 61 Chapter 8 – Security Requirements for the IoT | 65 Why security issues arise | 65 Security and product confidence | 66 Me-too manufacturing | 66 Cutting development costs | 67 Security is not an extra | 67 Loss of product trust | 68 Designing appropriate security | 69 Chapter 9 – Re-engineering the IoT | 71 Comparing Apples and Oranges | 73 The Bluetooth lock saga | 74 Device vulnerabilities and flaws | 75 Flawed firmware | 76 Code re-use | 76 The issue with open source | 77 Chapter 10 – IoT Production, Security and Strength | 79 Manufacturing IoT Devices | 80 ODM design | 81 The tale of the Wi-Fi Kettle | 83 Push Vs. pull marketing | 83 Chapter 11 – Wearable’s – A New Developer’s Headache | 85 IoT by stealth | 87 The consumer IoT conundrum | 90 Designing in Vulnerabilities | 91 Passwords are the problem | 93 Why are cookies important? | 94 Chapter 12 – New Surface Threats | 97 Hacking IoT Firmware | 97 Part III: Architecting the Secure IoT Chapter 13 – Designing the Secure IoT | 107 IoT from an Architect’s View-Point | 109 Modeling the IoT | 109 IoT communication patterns | 111 First IoT design principles | 113 Chapter 14 – Secure IoT Architecture Patterns | 117 Event and data processing | 118 Chapter 15 – Threat Models | 121 What are threat models? | 121 Designing a threat model | 122 6 steps to threat modeling | 122 Advanced IoT threats | 124 Devices | 124 Networks | 125 Infrastructure | 127 Interfaces | 127 Part IV: Defending the IoT Chapter 16 – Threats, Vulnerabilities and Risks | 131 IoT threats & counter-measures | 131 Chapter 17 – IoT Security Framework | 135 Introduction to the IoT security framework | 135 Chapter 18 – Secure IoT Design | 141 IoT Network Design | 145 IoT protocols | 148 The IoT Stack | 149 Link layer | 150 Adaption layer | 152 IPv6 & IPsec | 154 Routing | 154 Messaging | 157 Chapter 19 – Utilizing IPv6 Security Features | 159 Securing the IoT | 162 Confidentiality | 162 Integrity | 162 Availability | 163 Link layer | 164 Network layer | 164 Transport layer | 165 Network security | 165 Part V: Trust Chapter 20 – The IoT of Trust | 169 Trust between partners – there isn’t that much about | 170 IBM Vs. Microsoft | 171 Apple vs. Samsung | 171 Uber Vs Crowdsources drivers | 172 Manufacturer and customer trust model | 172 Dubious toys | 173 Kids play | 174 Chapter 21 – It’s All About the Data | 175 Appropriating data | 176 The Data Appropriators | 177 Where is the fair barter? | 178 Trust by design | 179 Chapter 22 – Trusting the Device | 185 Hacking voicemail | 188 Unethical phone hacking | 189 Chapter 23 – Who Can We Trust? | 191 Free is an Earner | 193 Pissing into the Tent | 193 IoT Trust is Essential | 194 The Osram debacle | 194 LIFX’s another Hack? | 195 Balancing Security and Trust | 196 So, Who Can We Trust? | 196 Open Trust Alliance | 197 Part VI: Privacy Chapter 24 – Personal Private Information (PIP) | 201 Why is the Privacy of our Personal Information Important? | 201 Collecting Private Data | 204 Data is the New Oil, or Is It? | 204 Attacks on data privacy at Internet scale | 205 Young and Carefree | 206 Can we Control our Privacy? | 207 Ad-blockers – They’re Not What They Seem | 207 Google and the dubious ad blockers | 208 Privacy Laws Around the Globe | 208 United States of America | 209 Germany | 210 Russia | 211 China | 211 India | 212 Brazil | 212 Australia | 213 Japan | 213 UK (Under review) | 213 Different Laws in Countries – What Possibly Could Go Wrong | 214 Facebook’s EU Opt-out Scandal | 214 Chapter 25 – The U.S. and EU Data Privacy Shield | 217 When privacy laws collide | 219 Losing a Safe Harbor | 219 After the closure of the Safe Harbor | 220 Model and Standard Contractual Clauses | 220 The new EU – US Privacy Shield | 220 New shield or old failings | 221 Contradictions on privacy | 222 Leveraging the value of data | 224 Part VII: Surveillance, Subterfuge and Sabotage Chapter 26 – The Panopticon | 229 The good, the bad and the ugly | 229 Home surveillance | 229 Law enforcement – going dark | 231 Dragnet Exploits | 233 The 5-Eyes (FVEY) | 235 PRISM | 237 Mastering the Internet | 241 Project TEMPORA | 241 XKEYSTORE | 243 Windstop | 244 MUSCULAR | 244 INCENSER | 246 Encryption in the IoT | 249 The Snooper’s charter | 251 Nothing to hide nothing to fear | 254 Its only metadata | 255 Index | 257

About the Author :
Alasdair Gilchrist has spent 25 years as a company director in the fields of IT, Data Communications, Mobile Telecoms and latterly Cloud/Sdn/Nfv technologies, as a professional technician, support manager, network and security architect. He has project-managed both agile Sdlc software development as well as technical network architecture design. He has experience in the deployment and integration of systems in enterprise, cloud, fixed/mobile telecoms, and service provider networks. He is knowledgeable in a wide range of technologies and has written a number of books in related fields.