IoT Security Challenges and 5 Effective Ways to Handle Them

There are some major security challenges facing IoT. Let's take a look at how to effectively handle them.

Over the years, the number of devices connected to the Internet has increased exponentially. From a little over 15 billion devices in 2015, over 23 billion devices are connected in 2018.

It is estimated that the figure will exceed the 30 billion mark by 2020 and over 75 billion devices are expected to be connected to the Internet by 2025.

IoT 物联网（Internet of Things）

effectively adv. 有效地

exponentially adv. 以指数方式

面对物联网行业存在一些主要的安全挑战。让我们来看看如何有效的应对它们。

这些年来，连接到互联网的设备数量呈指数级增长。接入互联网的设备从2015年的150多亿到2018年的230多亿。

据估计，到2020年，这一数字将超过300亿，到2025年，预计将有超过750亿部设备接入互联网。

IoT Security Challenges

The increasing popularity of this concept has raised a lot of security issues, especially privacy concerns that make IoT users susceptible to cyber attacks and identity theft. Major IoT providers also use default or hardcoded passwords that can create room for security breaches. This and many other loopholes can be exploited by cybercriminals to gain remote access to devices and wreak havoc on the devices or the users.

The increasing security threat to IoT underlines the importance of finding practical solutions that may address the issue and drastically reduce the rate at which IoT devices are attacked by criminals operating from the cyberspace.

cyber adj. 网络的 计算机的

hardcode 写死 指的是把输出或输入的相关参数直接写死在原始码中，而非在执行时期由外界设定。

security breach 安全漏洞

loophole n. 漏洞；枪眼；

remote access 远程访问

wreak havoc 肆虐；造成严重破坏

drastically adv. 大幅度的 彻底的

物联网安全挑战

这一概念的日益普及引发了许多安全问题，尤其是隐私问题，这使得物联网用户容易受到网络攻击和身份盗窃。主要的物联网供应商也使用默认密码或直接写死的密码，这可能会造成安全漏洞。网络罪犯可以利用这个漏洞和其他许多漏洞远程访问设备，对设备或用户造成严重破坏。

物联网面临的安全威胁日益增加，突显出找到切实可行的解决方案的重要性，这些解决方案可能会解决这一问题，并大幅降低来自网络空间的犯罪分子攻击物联网设备的频率。

The DDoS (Distributed Denial of Service) attacks that affected IoT services and devices around the world in 2016 is an eye-opener and a proof that the security threat against IoT is real.

However, all hope is not lost. You can put some personal security measures in place to fortify your devices against attacks by harmful cybercriminals. This is where IoT security comes in.

DDoS (Distributed Denial of Service） 分布式拒绝服务

eye-opener n. 使人惊奇的事物；使人大开眼界的事物

2016年全球范围内影响物联网服务和设备的DDoS攻击让人大开眼界，也证明了针对物联网的安全威胁是真实存在的。

然而，并非所有的希望都破灭了。你可以采取一些个人安全措施来保护你的设备免受有害网络罪犯的攻击。这就是物联网安全的切入点。

What is IoT Security?

什么是物联网安全？

IoT Agenda defines IoT security as “the technology area concerned with safeguarding connected devices and networks in the Internet of Things (IoT).” Simply put, IoT security refers to the precautionary measures taken to beef up the security of IoT devices and reduce their susceptibility to attacks from unauthorized criminals.

Five proven solutions that you may implement to increase the security of your IoT devices are:

precautionary adj 预防的；预先警戒的

precautionary measure 预防措施

susceptibility n. 敏感性

implement vt.实施；执行

物联网议程将物联网安全定义为“物联网中保护联网设备和网络的技术领域”。简单地说，物联网安全是指为加强物联网设备的安全性，降低其易受未经授权的不法分子攻击而采取的预防措施。

为提高物联网设备的安全性，你可采用五种已获证实的解决方案是:

1. Use IoT Security Analytics

The vulnerabilities and security issues associated with IoT can be drastically reduced by implementing security analytics. This involves collecting, correlating, and analyzing data from multiple sources that can assist IoT security providers to identify potential threats and nip such threat in the bud.

Thus, there is a need for multi-dimensional security analytics apart from monitoring IoT gateways alone. Malicious and suspicious anomalies can then be identified by correlating data from a wide range of domains. That allows security experts to correct such anomalies and prevent them from having a negative impact on the connected devices.

More so, a spike on the sensor’s CPU, if the devices are still performing its assigned task or other related security issues, can easily be detected. The combination of such valuable pieces of information and threat intelligence data can prove helpful in effectively detecting harmful threats and finding effective solutions to the threats.

vulnerability n. 弱点；漏洞

Vulnerability scan 漏洞扫描；弱点扫瞄

nip in the bud 防患于未然；消灭于萌芽状态

gateway n. 网关

malicious adj. 恶意的

malicious software 恶意软件

suspicious adj.可疑的

anomaly n.异常

1. 使用物联网安全分析

通过实现安全分析，可以大大减少与物联网相关的漏洞和安全问题。这包括收集、关联和分析来自多个来源的数据，这些数据可以帮助物联网安全提供商识别潜在威胁，并将此类威胁扼杀在萌芽状态。

因此，除了监视物联网网关之外，还需要进行多维安全分析。然后，恶意和可疑的异常可以通过关联来自广泛领域的数据来识别。这使得安全专家能够纠正这些异常，防止它们对连接的设备产生负面影响。

此外，如果设备仍在执行分配的任务或有其他相关安全问题，则很容易检测到传感器CPU的一个尖峰值。将这些有价值的信息与威胁情报数据相结合，可以有效地检测有害威胁，找到有效的威胁解决方案。

2. Use Public Key Infrastructure

The Public Key Infrastructure is “a set of policies, software/hardware, and procedures, which is required for the creation, management, and distribution of the digital certificates.” This security process has proven over the years to be an effective solution to IoT security issues.

PKI ensures the encryption of data through both symmetric and asymmetric encryption processes. In the former, both the data encryption and decryption is done with the same key while different keys are used for the data encryption and decryption in the latter. The data encryption and decryption ensure that data privacy is maintained and the chances of data theft are reduced to the bare minimum.

Security measure involve using digital certificates for verifying the identity of all the devices connected together in an IoT. It also maintains the privacy of information to keep it away from the reach of potential attackers.

Cryptographic key and X509 digital certificate are some IoT PKI security methods that can be used as well as public or private key management, distribution, and revocation.

PKI n. (Public Key Infrastructure) 公钥基础设施；公钥架构

encryption n 加密

decryption n 解密

symmetric adj 对称的

asymmetric adj 非对称的

verify vt 核实；查证

Cryptographic key n 密钥

2.使用公钥基础设施

公钥基础设施是“一组用于创建、管理和分发数字证书的策略、软件/硬件和过程”。“多年来，这一安全流程已被证明是物联网安全问题的有效解决方案。”

PKI通过对称和非对称加密过程来保证数据的加密。在前者中，数据加密和解密都使用相同的密钥，而在后者中，数据加密和解密使用不同的密钥。数据加密和解密确保了数据隐私的维护，并将数据被盗的可能性降低到最低限度。

安全措施包括使用数字证书来验证物联网中连接在一起的所有设备的身份。它还维护信息的隐私，使其远离潜在的攻击者。

密钥和X509数字证书是一些物联网PKI安全方法，可以用于公钥或私钥管理、分发和撤销。

3. Ensure Communication Protection

The IoT concept works on communication between the connected devices. However, when communication is compromised, there will be a communication breakdown that can render the devices useless.

Many people don’t know how to prevent putting themselves at risk online regularly. They don’t know that to ensure smooth communication always, the communication should be encrypted. The same principle applies to communication between the connected devices and the interface such as web apps and mobile apps.

breakdown n 故障；崩溃

interface n. 接口

3.确保通信受到保护

物联网概念适用于连接设备之间的通信。然而，当通信被破坏时，通信故障会导致设备失效。

许多人不知道如何防止将自己置于经常性的线上风险。他们不知道，为了确保通信的顺畅，通信应该被加密。同样的原理也适用于连接设备与web应用程序和移动应用程序接口间的通信。

4.Secure the Network

IoT devices are connected to back-end systems that are already connected to the Internet via an IoT network. This network plays a crucial role in the smooth operation of IoT devices.

To sustain the smooth operation, there is a need for the IoT network to be protected and secured. By employing some endpoint security features like anti-malware, antivirus, intrusion prevention, and firewalls, you can effectively protect the network and secure it against attacks.

4.安全的网络

物联网设备连接到已经通过物联网网络连接到Internet的后端系统。该网络对物联网设备的顺利运行起着至关重要的作用。

为了维持物联网的平稳运行，有必要对物联网网络进行保护和防卫。通过利用一些终端安全功能，如反恶意软件、反病毒、入侵预防和防火墙，你可以有效地保护网络并使其免受攻击。

5.Ensure Device Authentication

You can also reduce your IoT devices’ vulnerability to attacks if you carry out a comprehensive device authentication for your devices.

There are multiple authentication features that are available for IoT devices. Some, like digital certificates, two-factor authentication, and biometric, ensure that

nobody can have unauthorized access to your devices. A potential attacker will need some personal information to gain access to the devices and pieces of information that you are the only one that has access to.

Although using IoT devices is not a crime and poses zero threat, the vulnerability to attacks from the cyberspace makes it important that you secure your devices and reduce your exposure to attacks.

Authentication n. 证明；证实

5.确保设备认证

如果对设备进行全面的设备身份验证，也会降低物联网设备面对攻击的脆弱性。

物联网设备可以使用多种身份验证特性。有些，如数字证书、双重身份验证和生物识别，可以确保没有人可以未经授权访问你的设备。一个潜在的攻击者将需要一些个人信息来获得对设备和信息片段的访问，而你是唯一有访问权限的人。

虽然使用物联网设备不是犯罪，也不会造成任何威胁，但来自网络空间针对漏洞的攻击使得保护设备和减少遭受攻击变得非常重要。

---------------------------------------------------------------------------

聊一聊

数字签名，是只有信息的发送者才能产生的别人无法伪造的一段数字串，这段数字串同时也是对信息的发送者发送信息真实性的一个有效证明。数字签名是现代信息安全的核心技术，应用十分广泛。

简单介绍一下数字签名技术。A要给B传送一份文件，为防止文件被伪造或篡改，A用密钥给这份文件加密，B收到文件后用密钥给文件解密。这个过程中，如果A加密用的密钥和B解密用的密钥是相同的，称之为对称密钥。目前的对称密钥算法有DES、3DES、AES等，而密钥则一般是一串固定长度的字符。

一把钥匙，即可以加密，又可以解密，在安全上和应用上都会存在问题。所以对称密钥不能满足实际应用中的需求。于是出现了非对称密钥。非对称密钥即将密钥分为公钥（publicKey）和私钥（privateKey）两种。公钥加密的内容，使用私钥可以解开；而私钥加密的内容，公钥可以解开。然而，单独的知道公钥或私钥，却没有办法推出另一份密钥。

实际应用中由于传输的文件可能很大，为了证明文件的不可抵赖性和不可篡改性，需要对整个文件进行加密，由于非对称算法效率较低，这样做的代价太大。因此常规的做法是用到信息摘要和数字签名的方式。所谓信息摘要，其实就是某种HASH算法。将信息明文转化为固定长度的字符，信息摘要也称作信息的指纹。目前主要的摘要算法有MD5和SHA1。用私钥加密后的信息摘要，就是数字签名。

我们将原始文件和摘要密文称作签名结果,摘要密文就是数字签名。

为了让接收者能够方便的辨别公钥，我们可以考虑对给公钥附加一些信息，例如该公钥使用的算法，该公钥的所有者（主题），该公钥的有效期等一系列属性。这样的数据结构我们称作PKCS10数据包。

为了防止有人冒充公钥，就需要一个权威的第三方机构，对P10结构的数据进行认证。就如同对P10文件盖上一个权威的章，防止冒充。这样的权威机构，我们称作CA(Certificate Authority)数字证书认证中心。CA机构认可了公钥所有者的身份后，使用自己的私钥对P10请求进行签名。这样的签名结果，我们就称作数字证书。

正规的可执行程序通常会有程序签名，用于确保其来源可靠且未被篡改。以阿里旺旺安装程序为例，它的数字签名是这样的：

详细信息中可以查看它的数字证书。