Most of you might have seen the movie Die Hard 4.0. The plot
is about the antihero who does a cyber-crime (a “fire sale”) by a hacking major government
applications and taking control over them; in the course of the movie the male protagonist
fights with him and sets everything right. Well it is kind of extreme to think
about it in real life , but it always get reminded to me very often when I look
at “IoT”. Yes, buzzword that we have
been hearing every now and then and getting linked to every technology to give
a new face and dimension. To put it simple, IoT is all about getting the current state and behavior of a Physical
object. This one seems like a new
game, but what if it catches up very quickly?
What is it all about?
Let’s try to put it in the form of real time use-cases and
see how it generally works and majorly why it is a challenge for Security
testing
Simple use-case
Know if the light in my bedroom is on off and if it is on
then off it
Devices – one light with a sensor to access it
Little complex
use-case
When I hit someone by car, then the car should send a
message for ambulance, my insurance company should be notified for any damage,
the traffic control signals should know there was accident and then provide alerts/instructions
to all the vehicles/transports, the ambulance should be able to look at the medical
history of the person who was hit and provide him right first aid and on and on
and on...
Devices – Car sensors, devices, traffic device to multi-cast
messages, wearable’s etc..
Now something more complex
Let me not explain you what it and leave the use-case to your imagination :)
Well current applications are pretty huge enough who have
such kind of applications and talk among heterogeneous platforms/systems, but IoT
is little different. You program the device to react on certain events or
actions. In the chaos of data transfer across multiple applications what if
someone breaches in? This definitely lays down huge responsibility for the
testers to certify the IoT applications. It’s all together a new area for
testers too and the reasons would be too many new technologies
devices, sensors, chips, network, signals, multicast, gateways
-
IoT is all about devices which would be the
physical object, sensors and chips.
-
Data transmission will be mostly multi-cast(just
like push notifications)
-
Gateways – interface between the Machines/Smart
Machines/Sensors/devices to communicate
Analytics and Big-data(This one is not new, but will be heavily used)
Now with the amount of devices/wearable’s we might be having with IoT
applications, the amount of data that we need to store/ monitor and access
would be very huge in-addition to the existing customer/business use-cases data.
Big-data might be a key player here to maintain and access such kind of data
across different structural/non-structural databases in a very short time
across multiple devices. Data comes with a history and one need to monitor the
history and get its statistics and that is where we see the role of “Analytics”.
Connection protocols
HTTP has been there for a very
long time and it might be opted out with some new connection protocols like
CoAP and MQTT.
Above all, Security
What kind of protocols are going
to be used if it is not HTTP to make connection secure. There might be WPA
level security but we are talking about security while accessing the data. Any
new safer authentication mechanisms for M2M or M2D communications? And if not,
what kind of SLA’s would be followed across in the industry for security.
In future we might definitely be seeing cloud platform offerings
for building IoT applications, but to validate the IoT application or
certifying the applications of not being vulnerable to any attacks would be
serious concern. If we just look at IoT as an adaption for new technology then
it is as good as testing a new mobile feature but when we look it up as
integration of technologies then little ink, white-board, techies(like you) and
a word document might give us a wonderful Strategy on Security testing for IoT.
No comments:
Post a Comment