Today we are going to discuss the types of communication protocols used in IoT devices and their security aspects.
What is the Internet of Things?
The Internet of Things (IoT) is simply any device that is connected to the Internet and sends or receives data, directly or indirectly.
Internet of Things communication protocols
IoT communication is described in terms of the Internet protocols by the Internet Architecture Board (IAB) in RFC 7452. Many of these devices, often called smart objects, are operated by humans, are built into buildings or vehicles, or are spread out in the environment. Following the theme "Everything that can be connected will be connected", engineers and researchers designing smart object networks need to decide how to achieve this in practice (IAB RFC 7452).
Communication types
- Device-to-Device Communications
- Device-to-Cloud Communications
Device-to-Device Communications:
The device-to-device communication model represents two or more devices that connect directly and communicate with one another, rather than through an intermediary application server. These devices can communicate over many types of networks, including IP networks or the Internet. Often, however, these devices use protocols like Bluetooth, Z-Wave, or ZigBee to establish direct device-to-device communications.
D2D Communication Protocols
The chart below summarizes the main D2D protocols:
| Wireless Transmission | NFC | UWB | ZigBee | Z-Wave | Bluetooth | Wi-Fi Direct | LTE |
|---|---|---|---|---|---|---|---|
| Transmission Distance | 0.2 m | 10 m | 10 m | 30 m | 100 m | 200 m | 500 m |
| Data rate | 424 kb/s | 480 Mb/s | 250 kb/s | 9.6/40 kb/s | 24 Mb/s | 250 Mb/s | 13.5 Mb/s |
| Modulation | ASK | PPM/OOK/PAM/PWM | QPSK | GFSK | GFSK/DQPSK | QPSK/OFDM | SC-FDMA |
| Discovery | Radio-frequency identification | Manual pairing | ID broadcast or coordinator assistant | ID broadcast or coordinator assistant | Manual pairing | ID broadcast and embedded soft access point | Service broadcast |
| Application | Contactless payment systems | Location and tracking systems, auto radar | Home automation, smart grid, remote control | Home automation, security | Object exchange, peripheral connection | Content sharing, group gaming | Content sharing, local advertising |
Attack Surfaces on Device to Device Communication:
- Credential theft from the firmware
- Sensitive information disclosure
- No proper firmware update mechanism, which can lead to remote code execution (RCE) attacks
- DoS attacks
- Buffer overflow attacks
Best Practices for securing Device to Device Communication:
- Don't use hardcoded passwords and/or IP addresses. Instead, enable and enforce the changing of default credentials.
- Evaluate hardware components, firmware, software, communication protocols and compatible conduits.
- Sign your firmware and software, and hash your binaries so that the device can verify an update before installing it.
- Follow the OWASP security measures when developing the device.
- Implement machine-to-machine authentication securely.
- Get feedback from clients to improve the device's security level.
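The signed-firmware and hashed-binary practices above, worked through as an added example (not code from the original article): the vendor ships a manifest carrying the image hash and version, and the device checks the manifest signature, then anti-rollback, then the image hash before installing. An HMAC with a constructed shared key stands in for the asymmetric signature a real vendor would use; the key, manifest layout and function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed 32-byte key shared between the build system and the device.
# Assumption: a real deployment would use a vendor-held private key and a
# public key baked into the device instead of a shared HMAC key.
VENDOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _encode(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image: bytes, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: build the manifest shipped alongside the firmware image."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "sig": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


def verify_update(manifest: dict, image: bytes, installed_version: int,
                  key: bytes = VENDOR_KEY) -> str:
    """Device side: return 'ok' or the reason the update must be rejected.

    The signature is checked first, so no unsigned field (version, hash)
    is trusted before its integrity is established."""
    expected = hmac.new(key, _encode(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return "rejected: bad signature"
    if manifest["body"]["version"] <= installed_version:
        return "rejected: rollback to an older or same version"
    if hashlib.sha256(image).hexdigest() != manifest["body"]["sha256"]:
        return "rejected: image hash mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed firmware image and manifest for a device running version 3.
    image = b"FIRMWARE-IMAGE-v4-constructed"
    manifest = sign_manifest(image, version=4)
    print(verify_update(manifest, image, installed_version=3))        # ok
    print(verify_update(manifest, image + b"x", installed_version=3)) # hash mismatch
```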
Device-to-Cloud Communications:
In a device-to-cloud communication model, the IoT device connects directly to an Internet cloud service, such as an application service provider, to exchange data and control-message traffic. This approach frequently takes advantage of existing communication mechanisms like traditional wired Ethernet or Wi-Fi to connect the device to the IP network, which ultimately reaches the cloud service.
Device to Cloud protocols
The chart below summarizes the main device-to-cloud protocols:
| Protocol | AMQP | MQTT | XMPP | CoAP |
|---|---|---|---|---|
| Transport | TCP/IP | TCP/IP | TCP/IP | UDP/IP |
| Message pattern | Publish-Subscribe | Publish-Subscribe | Point-to-Point; Publish-Subscribe by extension | Request-Response |
| Security | TLS, SASL | SSL, best practices | TLS/SSL, XEP-0198 | DTLS |
Attack Surfaces on Device to Cloud Communication:
- SQL injection, cross-site scripting and cross-site request forgery attacks on cloud application interfaces
- Username and password enumeration attacks
- MITM attacks
- Man in the Cloud (MiTC) attacks
- OWASP Top 10 cloud risks
Best Practices for securing Device to Cloud Communication:
- Check that all cloud interfaces (e.g. API interfaces and cloud-based web interfaces) are reviewed for security vulnerabilities.
- Make sure the cloud-based web interface does not accept weak passwords.
- Ensure that any cloud-based web interface has an account lockout mechanism.
- Implement two-factor authentication for cloud-based web interfaces.
- Maintain transport encryption.
- Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities.
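The weak-password, account-lockout and enumeration points above, combined into one added example of a cloud web-interface login handler (not code from the original article): salted PBKDF2 password storage, a minimal password policy, a lockout after repeated failures, and the same failure message and same KDF cost whether or not the username exists. Thresholds, the denylist and the class and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5            # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60        # lock duration (assumed)
GENERIC_FAILURE = "invalid username or password"   # one message for every failure
# Constructed denylist of common defaults; a real policy would use a larger list.
DENYLIST = {"admin", "password", "12345678", "admin123", "changeme"}


def hash_password(password: str, salt: bytes = None):
    """Return (salt, pbkdf2 hash); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_weak(password: str) -> bool:
    return len(password) < 12 or password.lower() in DENYLIST


class CloudLogin:
    def __init__(self):
        self.users = {}         # username -> (salt, hash)
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time the lock expires

    def register(self, username: str, password: str) -> None:
        if is_weak(password):
            raise ValueError("password rejected by policy")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: float = None):
        """Return (success, message); `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_FAILURE     # locked: no hint, even for the right password
        record = self.users.get(username)
        # Always run the KDF so an unknown user costs the same time as a known one.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return True, "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return False, GENERIC_FAILURE
```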
References:
http://www.ittoday.info/ITPerformanceImprovement/Articles/2014-07Keyes2.html
http://www.eejournal.com/article/20150420-protocols/
https://www.internetsociety.org/sites/default/files/Journal_11.1.pdf
https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf
Veerababu Penugonda is an information security enthusiast working as an information security consultant at ISECURION, interested in IoT security and network security.
Nice article. Good information, keep posting more, and all the very best.