Cybersecurity system scans Internet of Things devices
The IoT refers to ordinary objects – other than computers, phones and tablets – having an internet connection. Among countless others, these typically include home appliances, medical devices and utilities meters. Although the connections are convenient, they are built using so many communications technologies, for so many purposes, that security levels vary greatly. Many connections are highly insecure and vulnerable to hacking. Such cyberattacks have already brought about severe consequences. The EU-funded SecIoT project helped close the security gap. Experts in IoT security are relatively scarce, while demand for IoT security consultations is growing. Hence, the project team developed a plan for an automated cybersecurity expert system, intended for companies manufacturing IoT devices. The system will ultimately allow manufacturers to test their products for vulnerability and make necessary improvements. Automated security testing “Our first goal was to understand the complexity of existing IoT solutions,” explains project leader Olga Pavlovsky. “Despite the fact that most IoT devices are relatively cheap, they are complex beasts constructed over several hardware and software layers.” To map the complexity, researchers performed security tests on many devices. This yielded a universal methodology for vulnerability testing that was also a step towards automated vulnerability scanning. Vulnerability scanning is where special software (security scanners) assesses the defences of a target device. This process is time-consuming but also routine, and therefore suitable for automation. SecIoT’s automation allows simultaneous use of several security scanners. Easy interface A friendly system interface will allow both expert security and non-expert software developers to conduct vulnerability scanning. The software will suggest certain kinds of scan, which the user may accept or override. Scanning examines networks, systems, other hardware and software code that are often a primary source of vulnerability. The proposed interface will provide ease of use, while the multiple embedded security scanners will detect code vulnerabilities that a human would be unlikely to find. The project’s system will present the scanning results as an easily read report that suggests ways of fixing any security problems found. The system’s simplicity will also enable developers to run vulnerability scans as often as necessary during development, instead of once at the end as usual. Security problems found early in the process are easier to resolve. “All this means that experts will be able to devote more time to fixing vulnerabilities,” says Pavlovsky. “This will reduce the number of issues present in devices and software that reach end users.” Next, the team hopes to improve the design. In particular, the system currently automates vulnerability scanning on security layers 4 to 7; layers 1 to 3 were checked manually. The team plans to automate testing across more layers. This, and other planned upgrades, will allow the software to address even more IoT security situations and detect more vulnerabilities. Worldwide, the IoT market is expected to reach nearly USD 10 billion by 2025. Since the project is still defining the best application for the system, researchers are reluctant to make market forecasts. Nevertheless, even a small share of that market would be very lucrative for European SMEs.
Keywords
SecIoT, security, IoT, vulnerability scanning, security scanner, Internet of Things, software developer