Keeping the peace in the Internet of Things – Part 3
Testing an Internet or cloud is necessary because the system is too complex for anyone to analyse and predict every possible form of vulnerability or failure. Apart from the physical complexity of a large network, there are many different levels to analyse, beginning with the firmware and different operating systems on the network.
Then there is a constantly evolving population of applications on the network, plus all the different protocol and security systems. In a cellular network access security can be in the SIM card, where a passcode is needed for WiFi access, where Bluetooth can either use a password or pre-shared application key, says Sameer Dixit, senior director, Security Consulting Spirent.
Next there are specific security functions such as authentication of human or machine users, and determining what level of interaction they are authorised to have when accessing the network. Finally there are questions of physical security: are the endpoints and the actual network sufficiently rugged? Are they accessible to being tampered with?
A lot of thought will go into each of these aspects but, when it comes to determining the overall end-to-end security, there is only one way to know and that is to test it. The network can be modelled accurately under laboratory conditions and tested exhaustively for functionality. Then it can be tested for performance to see if it works reliably under all normal operating conditions. It is also possible to monitor an operating network continuously for signs of trouble.
Then there is the question of how an IoT will perform under extreme or stress conditions. There are many obvious and less obvious ways these extremes can arise. Taking for example an IoT that connects intrusion alarm systems across a metropolitan district: typically these alarms use the local Wi-Fi to maintain connection with headquarters and only turn up a 3G connection if the
Wi-Fi fails. So what impact will it have on the mobile network if there is a power cut across a whole district and thousands of alarm systems are simultaneously connecting to the mobile network? How might that briefly affect other systems on the network, let alone the actual alarm response?
It demands experience and in-depth understanding of the many factors involved to be able to anticipate such problems and recommend suitable tests, but we already have test solutions readily programmable to emulate every such situation. The tester does not have to build up realistic traffic scenarios parameter by parameter – though that is certainly possible. Instead the system can record real-life traffic data and then multiply it many times to emulate traffic storms – as when some emergency causes a surge in activity.
Independently, or at the same time as the performance is being tested, the network can be subjected to any number of known malware attacks – and if it is a cloud based test solution it will be kept up-to-date with the very latest malware. Spirent also has extensive experience of “fuzz testing”, where you are not just testing for known attacks but also borderline errors that can arise when wrong data is accidentally or deliberately injected into the system.
There are endless opportunities offered by connecting machines to machines via an Internet of Things, but we have a lot to learn about the risks that might arise from such a complex system – especially the risks posed by deliberate criminal intentions. Key areas that will need very careful and comprehensive security measures include the automotive industry, healthcare and industrial and utility control systems.
Although the IoT adds many new factors and combinations of risks, the basic techniques for testing complex, multi-protocol networks are already well established. Sophisticated test solutions are already available, and have long proven their ability to anticipate problems and ensure security under every normal and extreme operating condition.
The learning curve may be steep, but with the help of penetration testing and security testing solutions there is considerable expertise available on the slope.
The author of this blog is Sameer Dixit, senior director, Security Consulting Spirent.
About the Author:
Sameer Dixit is a leader in cyber security with over 15 years of experience in penetration testing and security research. At Spirent, Sameer is leading the ethical hacking and security research team called Spirent Security Labs.
Prior to Spirent, Sameer has worked for leading security companies such as Trustwave-SpiderLabs and Cenzic Inc. where he led the penetration testing, vulnerability scanning and managed security testing services team.
Sameer has contributed research for OWASP, been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits, Universities, conducted webinars, and actively blogs on emerging Web & Mobile security trends.