Internet of Things Journal


IoT Gateways and Security Vulnerabilities

Although IoT is promising innovation, you must be careful about security vulnerabilities

How to Protect IoT Gateways from Security Vulnerabilities
By Atri Raychowdhury

In October 2016, Dyn, a Domain Name System (DNS) company, was the target of a massive coordinated distributed denial of service (DDoS) attack, leaving the world unable to connect to popular websites such as Twitter, Amazon.com, BBC, Reddit, Spotify, and more. DDoS attacks occur when multiple systems flood the bandwidth and/or resources of a targeted system, overloading it and preventing it from fulfilling legitimate requests. This attack was carried out by installing malware on Internet of Things (IoT) enabled devices, including baby monitors and cameras. Although IoT is touted as a promising, emerging innovation that will drive tremendous business value, attacks such as these highlight the security vulnerabilities that currently exist and their grave implications.

Internet of Things refers to a system of devices and sensors that connect to the Internet, allowing them to send and receive data without human intervention. The capturing and exchanging of data unlocks greater insights that, in turn, may unlock competitive advantages for businesses.

IoT Gateways Sit Between Your Ecosystem and the Cloud. Gateways translate fragmented IoT-based protocols into a standard one.

In order to scale, IoT-enabled devices need to operate on low power, which limits transmission distance and flexibility. It is neither beneficial nor feasible to frequently change the batteries of a large number (sometimes 1,000s) of sensors and devices in a constrained environment. To account for these limitations, many different IoT-focused communication protocols have emerged; strong protocols must have multicast support, asynchronous message exchange, low header overhead, a simple parsing process, and URI + content-type support. Currently there is no standardization of IoT communication protocols and many different types exist (CoAP, MQTT, XMPP, AMQP, etc.), each with its own benefits and limitations. The rise of IoT-enabled devices brings forth a new set of parameters and challenges, which makes it extremely difficult to have a "magic bullet" that can solve all IoT security issues. Securing the Internet of Things requires an end-to-end approach and a wide range of security technologies.

Gateways are an important part of an IoT ecosystem but are a vulnerable, single point of hackability. Gateways can communicate with sensors/devices over varying protocols and then translate the data into a standard protocol (such as HTTP) to be sent to the cloud. Gateway devices act as local processing units, enforce network access control policies, and form a mid-layer between physical IoT-enabled devices and the cloud/backend. As a result, gateways allow interoperability between devices, increase scalability (sensors/devices can communicate over shorter distances with lower power to a centralized gateway that interfaces with the back-end system) and add a layer of security for the IoT environment (as sensors and devices aren't communicating directly with the cloud).

We have seen a strong surge in securing communication protocols and devices but you shouldn't forget about IoT gateways! If hacked, all the devices within the environment can be compromised as well. Below we provide four of the most important vulnerabilities we believe you should focus on.

Securing an IoT Ecosystem Requires an End-to-End Approach. Don't Let Gateways Be Your Achilles Heel. Here's What You Should Focus On:

Architecture Design & Over the Air Updates Security: At a high level, the actual design of the system is an important step to maximize security. One must understand the critical role of all the devices and sensors in the ecosystem, as well as all the devices that interface with them. Firmware updates will take place within the ecosystem, and it is necessary to consider how these updates are taking place, and how to conduct them most securely.

Message Security: It is important to use strong end-to-end encryption methodologies. Messages should be encrypted so that only the recipient can decrypt them, using cryptographic keys. This allows the gateway device to still accept and pass on data without being able to read it. Thus, in the case of a security compromise, the hacker will not be able to parse and read the data from the gateway device.

Device Onboarding Security: Device onboarding occurs when a new device is added within the constrained IoT ecosystem. Key management practices, and how keys are exchanged when new devices are accepted, are a large security vulnerability. Physical tampering can also lead to private keys being extracted. It is important to home in on how these exchanges take place, implement strong key management practices, and consider a PUF (physical unclonable function) system.

Integrations Security: Lastly, IoT API security is an important consideration. IoT systems transmit and receive voluminous amounts of data and information, and it is important to have secure data movement between devices/sensors, gateway devices and back-end databases through REST-based APIs. Because integrations are vulnerable, one must continuously scan and test to ensure the integrity of data within the system. One tool that can help with this is SoapUI.
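
The Message Security point above, as an added example (not code from the original post): a device seals a reading with AES-256-GCM, the gateway translates and relays it without holding any key, and the backend opens it. The per-device key shared between device and backend, the `/ingest/...` path, and the device and topic names are assumptions made for the illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct { // everything the gateway ever sees
	DeviceID, Topic string // cleartext: the gateway needs these to route
	Nonce, Sealed   []byte // AES-GCM nonce and ciphertext+tag
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // per-device key, assumed provisioned at onboarding
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the device. The routing fields are bound in as associated data.
func Seal(a cipher.AEAD, deviceID, topic string, reading []byte) (Envelope, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{deviceID, topic, nonce, a.Seal(nil, nonce, reading, []byte(deviceID+"\x00"+topic))}, nil
}

// GatewayForward holds no key: it maps the device topic to an HTTP path and relays.
func GatewayForward(e Envelope) (string, Envelope) {
	return "/ingest/" + e.DeviceID + "/" + e.Topic, e
}

// Open runs on the backend; any change made in transit fails authentication.
func Open(a cipher.AEAD, e Envelope) ([]byte, error) {
	if len(e.Nonce) != a.NonceSize() {
		return nil, fmt.Errorf("bad nonce length %d", len(e.Nonce))
	}
	return a.Open(nil, e.Nonce, e.Sealed, []byte(e.DeviceID+"\x00"+e.Topic))
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	env, _ := Seal(a, "sensor-17", "temp", []byte("21.5C"))
	path, fwd := GatewayForward(env)
	pt, err := Open(a, fwd)
	fmt.Println(path, string(pt), err)
}
```

A compromised gateway can still drop or replay envelopes, so the backend needs its own freshness check. Random 96-bit nonces are only safe while each key seals a limited number of messages.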

Moving Forward...
Many people forget to look into IoT gateway devices. Gateway devices are an important part of the Internet of Things ecosystem, especially with the rise of many fragmented communication protocols and the limitations that IoT-enabled devices face. We hope that this post helps identify the big security vulnerabilities we think you should look out for with regard to gateway devices so that you can maximize your chances for success using IoT.
