Ensuring wireless privacy and security in the Internet of Things

October 21, 2015 // By EDN
Tim Bonnett, Director, Alpha Micro Components
The security of devices in the Internet of Things (IoT) is a key challenge for developers today. Protecting the integrity of access to, and data within, the enterprise networks that connect up the IoT is essential for both companies and customers. With many different wireless technologies being used to make these connections, there are many different ways for hackers to attack the network.

One of the most exciting wireless technologies for connecting up the IoT is Bluetooth. The launch of  Bluetooth Smart 4.0  (also called Bluetooth Low Energy, or BLE) has led to a boom in wearable devices and enabled smartphones to become the most natural controller for IoT devices. With Bluetooth Smart, a phone can be used to unlock a door, turn on lights and air-conditioning or query the functional status of a piece of machinery.

But that ubiquity brings challenges for both security and privacy. There have been vulnerabilities and exploits. Wearable devices such as fitness bands have been hacked, allowing an intruder to access all the data inside. Techniques such as ‘bluejacking’ have allowed obscene images to be sent to an unsecured phone in a crowd.

The National Security Agency in the US points to publicly documented Bluetooth attacks involving identity detection, location tracking, denial of service, unintended control and access to data and voice channels, as well as unauthorised device control and data access.

Newer Bluetooth specifications (4.1 and 4.2) take greater steps to protect the integrity of a link, as this is the first stage in the chain of the IoT. If a hacker can infiltrate an IoT node, it is possible to inject malicious code into the network to carry out further penetration of the system and access sensitive data. As Bluetooth Smart 4.1 devices can now also act as both hubs and endpoints, this is a key part of what is known as the ‘attack surface’ that is targeted by hackers.

Some of this is the result of weak passwords and a lack of encrypted links, but for enterprise IoT networks, embedded security is a key part of the design.

One of the main threats is the ‘man in the middle’ attack, where a hacker intercepts the communication between a phone and the network node and is able to decipher the encryption keys. One solution is an approach called Whisper Mode – by reducing the transmission power of the node for sensitive operations, a phone must be physically close to a node, eliminating stray signals that could be intercepted. 

Bluetooth smart modules such as Laird’s  BL600 series  include Whisper Mode , alongside a reduced set of Bluetooth addresses - the public IEEE format and the Random Static addresses - that also limits the attack surface. The modules also have their own programming language, called smartBASIC, that allows specialist security protocols to be set up to further protect the link.

Protecting the security of a wireless node in the Internet of Things is now an essential part of an enterprise network design. Bluetooth Smart can provide much of the security infrastructure, while innovative module design and solutions like Whisper Mode can stop intruders and close vulnerabilities at the design level.