Why Your Servers May Be the Weakest Link in Your IoT Security

It's important to ensure both device- and application-level security—but don't stop there.
By Geoff Kratz
Sep 11, 2015

This brave new world of the Internet of Things has sparked, amongst other things, a discussion about security. A lot of the chatter tends to focus on device security—in particular, the security of a Bluetooth Low Energy (BLE) connection. A recent CBC article refers to this specifically, although it does touch tangentially on a larger security issue: the server.

Is device security important? It most certainly is. The device is the thing that is out there, in the wild, usually in a place many people can see or reasonably reach via a radio. The communication between any device and a smartphone or smart home router (also known as a hub or base station) needs to be strong. You don't want a flaw in the device to leave it vulnerable to attack, particularly a security device such as a door lock. However, the IoT device is not the real target.

The real targets are the servers behind the devices. By themselves, the devices are interesting, but not always useful. They will generally need to communicate with some kind of server-side system. In most cases, devices won't, by themselves, send push notifications or even SMS text messages. Do you want users to be able to set up sophisticated rules for who to call, and when, automatically, in response to a given event? You'll be doing that on the server, not on the device or a nearby supporting device, such as a smartphone.

It's All About Scalability
Consider two ways to take advantage of security flaws. The first is to attack the devices directly. This means that I, as the attacker, would have to be within wireless (and possibly visual) range of the device, and ultimately that I would have to actually find its physical location, or hopefully identify it via its radio transmissions. Either way, I would need to have boots on the ground, searching for these devices.

The weakness of this method is that it may require that the device owner use his or her device while I have equipment listening. Either way, to attack thousands of devices in a useful way may require dozens or even hundreds of people. To get at hundreds of thousands of devices, I would need thousands of people out there, gathering data and attacking them directly.

If I were to attack the server, on the other hand, I could compromise all of the devices. I could accomplish this either by allowing myself (and anyone who pays me) access to every device, or by injecting malware into individual devices to create a back door that would let me attack the server. But, more importantly, I could access a server and obtain a copy of the registered customer database—since many firms do very little to protect consumer data on their servers. This might not give me all known devices (not everyone registers his device, and some customers use fake information), but it would likely grant me access to the majority of registered users of a particular device. Now, not only would I have access to any devices I wanted, but I would also know where in the world they were located.
