Aspects of Security Update Handling for IoT-devices

There is a fast-growing number of quite capable Internet-of-Things (IoT) devices out there. These devices are generally unattended, often exposed and frequently vulnerable. The current practice of deploying the devices and then leaving them unattended and unmanaged is not future proof. There is an urgent need for well-defined security update management procedures for these devices. Sufficient, sensible and secure default settings, as well as built-in privacy, must be included. This paper presents a brief overview of the IoT threat landscape and argues for the necessity of security update provisioning for IoT devices. As such, it is a call for action. Finally, an outline of a privacy-aware security update provisioning model is given. We have included incident management in the outline as well, but it is only a very rudimentary sketch of what one would need to provide. Suffice to say that there may be a need for these capabilities too, but they can probably only be justified for relatively capable devices.

Keywords: Security update; Internet-of-Things; Incident reporting; Security maintenance; Privacy; Security management.
