Definition

The Internet of Things (IoT) exemplifies the trend of formerly autonomous devices becoming increasingly connected (directly or indirectly) to the Internet. IoT refers to multiple “things” that can communicate with one another to do more than if they were operating on their own. Devices that incorporate a microprocessor and data communication capabilities are IoT devices. 

What is the "Thing" in IoT?

The “Thing” indicates hardware and software that, in the past, performed its function: 

  • Mechanically (e.g., a door lock).
  • With basic electrical circuitry (e.g., a light switch or washing machine).
  • With some isolated computing capability (e.g., a car).
  • Without a connection to the outside world.

What is the "Internet" in IoT?

The “Internet” refers to the ability for devices to communicate with one another. In many IoT systems, communication between things isn’t necessarily conducted over the Internet. Things may use Internet protocols to communicate with each other. Alternatively, they may use proprietary protocols. However, in most systems, a connection to the Internet is present at some point. Common examples using the Internet involve devices communicating with one of the following:

  • A mobile phone
  • A gateway device
  • An embedded cellular connection

This is true even when the IoT devices themselves don’t use an Internet connection but the user’s mobile device does.


Why is the Internet of Things so important?

IoT allows users to control devices in ways that were not previously possible. In the past, physical proximity was a requirement when interacting with devices. Engineers connected mechanical or electrical devices to perform or respond to a localized physical event. The proximal mechanical connection limited the ways to control the device. Today, microprocessors with advanced communications capabilities are inexpensive and easy to design into products.

Interactions that were once constrained by physical, proximal access are now performed with a command sent wirelessly or via wire. This freedom allows users to control things in ways not previously imagined. It also allows for the creation of IoT ecosystems. For example, cars, homes, and factories now contain rich collections of IoT devices. They sense and control one another using data rather than rigid mechanical systems.

Data communications provide tremendous flexibility in device use. They eliminate the need for a physical presence or physical connections.

What really makes IoT so important is that we now rely on these connected devices to perform critical functions. Self-driving cars are a good example of something that is safety-critical to many. This includes the occupants of the car itself, nearby cars, pedestrians, and structures. The potential benefit is not fully understood yet. That also goes for the potential risk of something going wrong.


Why is it important to secure Internet of Things devices?

The freedom and flexibility of IoT devices also provide new opportunities for attackers to abuse devices. Attackers once had to be physically present, controlling one device at a time. An Internet connection now allows many devices to be simultaneously attacked.

A system under attack may not even have a direct Internet connection. An attacker may take over a connected device and use it as a conduit to control a disconnected system. In 2015, researchers demonstrated how an Internet connection allows drivers to lock and unlock their car. The research showed how a would-be attacker could also have gained control of the vehicle’s systems—including the brakes. More recently, researchers have demonstrated the ability to re-program an electronic control unit (ECU) and control other critical auto systems (e.g., steering and acceleration).

In the new IoT world, ensuring that systems are performing the correct and intended functions can be essential to human safety. 

Concerns that users of IoT ecosystems need to be aware of include: 

  • Increasingly interconnected devices create a growing attack surface.
  • Common software technologies such as Bluetooth and WiFi may contain known vulnerabilities.
  • Understanding and controlling the software supply chain is a crucial effort.
  • Connectivity also provides the opportunity for remote attacks that affect many devices.
  • Connections between IoT device networks and other corporate systems may provide a communication path for attackers attempting to breach those corporate systems.

Let’s also consider the IoT device manufacturers. It’s their responsibility to make security a priority. Attacks on IoT devices aren’t necessarily limited to the primary functionality of the device. After all, security issues can lead to costs in areas other than the product’s primary function. 


What’s unique about Internet of Things security challenges?

In comparison to Web, mobile, desktop, and business application security, IoT security presents unique challenges, including:

  • Attack surfaces that are as varied as the concept of IoT itself.
  • Devices that are often difficult to update with security fixes. 
  • Unlike in server-side security, fixes can’t be rolled out silently to IoT devices.
  • High recall cost.
  • Lack of physical security. 
  • Different models for configuration, management, and maintenance.
  • Product life cycles that are measured in years or decades, instead of weeks or months.

More and more industries are building IoT devices. However, many are not familiar with the measures needed to make software secure. At Black Duck, we adapt security fundamentals to the unique features of the IoT ecosystem. The target result is a sustained organizational initiative around IoT security that provides continuous and comprehensive security risk identification and mitigation.