The objective of this post is to explain 3 basic concepts related to information security – privacy, integrity and authentication, and give some examples about them in the context of IoT.
Privacy consists on guaranteeing that the contents of a message are only seen by its intended recipients . This means that if an entity A sends a message with entity B as destination, no one other entity can read that same message, even if it is able to capture that message in the communication medium. Figure 1 exemplifies a situation where privacy is not guaranteed.
Figure 1 – Attacker captures and reads message.
This property is achieved by encrypting data, which is the process of transforming a plain text message in another format that can only be read by authorized entities that share a key or secret. Figure 2 exemplifies this procedure.
Figure 2 – Encryption is used to guarantee data privacy.
Naturally, this is a desired property for IoT, to keep user’s data private. This is specially important with the proliferation of the use of IoT devices in companies, to protect sensitive information that may be exchanged.
Integrity consists on guaranteeing that a message is not either intentionally or unintentionally tampered . Naturally, when considering security aspects, the main concern is intentional tampering. Figure 3 exemplifies an attack to the integrity of a message.
Figure 3 – Attacker tampers message.
Integrity is typically achieved by using hashing mechanisms to create message integrity codes that are sent with the message and can then be used by the receiver to check the integrity of the content. Figure 4 illustrates the application of an integrity mechanism.
Figure 4 – Integrity check mechanism.
This is critical for IoT applications, especially when the devices are actuators. Take as an example a remotely controllable air conditioned. If we want to turn it on remotely, we send a message saying “Turn on for 17 degrees”. If there is no integrity mechanism, an attacker can just capture the message and change it to “Turn on for 30 degrees”. Naturally, the air conditioned will interpret the received messaged, which says 30 degrees, and thus produce a wrong output.
This need for data integrity becomes even more critical for IoT applications involving monitoring and controlling, for example, industrial processes. In this case, a violation of this property can cause serious consequences, such as damaging machines or even cause harm to surrounding workers.
Authentication consists on guaranteeing that the entities are who they claim to be. If entity B receives a message that is identified as being from entity A, authentication means having a mechanism for B to ensure that the message was really from A. Figure 5 exemplifies an impersonation attack.
Figure 5 – Impersonation attack.
Naturally, there are also mechanisms that allow a secure authentication of users. One such example is the HMAC. Figure 6 exemplifies the use of an authentication mechanism to prevent impersonation attacks.
Figure 6 – Use of authentication mechanism.
This is also an important property for IoT applications to guarantee that the entities are who they claim to be. For example, for monitoring applications it’s important to know that a message was really sent by a determined device and was not sent by an attacker impersonating a valid device.
- We can guarantee integrity without encrypting the data. This means that, if we just implement data integrity and not confidentially, we ensure that the message received by the destination entity is exactly the one sent by the origin entity, but we cannot guarantee that other entities didn’t have access to that data.
- Guaranteeing confidentiality, by encrypting data, doesn’t mean guaranteeing integrity . So, if a message is just encrypted and doesn’t have integrity mechanisms, an attacker can still capture the encrypted message, changing it, and send it to the destination entity. Although the encryption will guarantee that the attacker did not read the message, since no integrity mechanism is implemented, the receiver will not be able to verify that the original message was tampered, and thus interpret it as if it was valid.
- Guaranteeing confidentiality, by encrypting data, doesn’t mean guaranteeing authentication. Imagine that 3 entities communicate with encrypted messages, but they share the same key to decrypt the messages and obtain the plain text. In this case, without authentication mechanisms, if entity C receives a message from A, it doesn’t have a way of guaranteeing that it was really sent from A or if B sent it impersonating A.
As seen below, confidentiality, integrity and authentication are 3 security properties that are desired for IoT systems. Naturally, those properties extend far beyond the scope of IoT communications and are basic for secure communications between systems. Thus, the diagrams presented were illustrated in relation to generic entities, which can be users, IoT nodes, servers, mobile apps, etc..
Although many microcontrollers currently in the market can implement mechanisms to guarantee those security properties when communicating with other systems, security will always be a challenge in IoT due to the limitation of computational resources and the constant evolution of malicious attacks.
So, the implementation of those security mechanisms needs to be carefully planned to avoid impacting the performance of the applications, but maintaining acceptable levels of security.
Besides that, no matter how good the security mechanisms implemented are, it’s always wise to have a contingency plan if they fail. So, it may be a good option to guarantee some hardcoded rules on the devices themselves to guarantee that they cannot be damaged or cause harm to the surrounding environment.
Take as an example a remotely controlled lamp that can be turned on and off. If an attacker manages to break the security measures and becomes able to send on/off commands, he can start sending many requests per second to destroy the device. A good approach would be to hardcode a security rule in the device itself to guarantee that no more than a predefined number of state toggles can occur in a given period, no matter what the instructions sent remotely are.