The Internet of Things (IoT for short) began in 1999.
The term refers to the networking of devices that communicate independently with other devices over the Internet and exchange information. This includes devices that do not fit into the classic device classes, such as servers, desktop computers, or smartphones (see Vollmer 2018).
Normally, a command that a person enters via the system triggers a process. With the Internet of Things, it is the devices themselves that give the command. The basic requirement is of course the connection of the device to the Internet. The current term of “smart” devices is on everyone’s lips these days. The basic settings of these devices make it possible that the user does not have to take any action himself, but rather that the devices start communication as soon as a certain event has been reached or triggered.
- Nowadays, printers in private households independently check the ink level. Once a certain limit has been reached, the printer itself places the order with the manufacturer via the Internet.
- Digital fitness armbands (“fitness trackers”), so-called “wearables”, are increasingly used in today’s fitness industry. These fitness bracelets measure people’s movements and also collect information about their heartbeat, during exercise or during rest periods. The collected data can be evaluated with appropriate mobile devices and, in combination with sports applications, fitness plans can be created automatically or updated from time to time.
- Amazon Dash was a pioneer among Internet of Things devices. The Amazon Dash was a device the size of a USB stick with WiFi functionality. In addition, the device could read barcodes from food items and provide a description of the product to the user through integrated speakers. With the push of a button, the device could initiate an order through the Amazon-connected grocery store if the user wanted it.
- Other examples in this segment include digital refrigerators, which regularly and on their own trigger an order for a pre-programmed supply through a grocer; the goods are then shipped to the customer by the grocer’s delivery service.
Figure 1: Internet of Things image
In order to efficiently connect functionally limited end devices to the Internet, the network settings also had to be standardized. The Internet Engineering Task Force (IETF for short) introduced a new IEEE 802.15.4 standard in 2004 specifically for this purpose. This standard supports an energy-efficient wireless connection of devices. Another basic requirement was the introduction of Bluetooth 4.0 for mobile devices. Bluetooth enables data to be exchanged between two devices that are located within a short distance of each other.
In addition, the standard of network protocols was raised from IPv4 to IPv6. This change supports a higher number of possible addresses on the Internet. As in real life, each device on the Internet has its own address, which the other devices can use to contact this device, or the device itself can send packets to other addresses.
In addition, the Constrained Application Protocol (CoAP protocol for short) introduced a simplified version of the HTML protocol into the digital world. The aim of its introduction was to make transmission possible even at the lowest transmission rates. The CoAP protocol makes it possible to call up services on the Internet (e.g. websites) 1.
The linking of many different end devices via the Internet, as well as the collection of personal information, in turn offers scope for criminal activity. Therefore, ensuring the protection of data during collection and transmission is the central challenge in the Internet of Things area. The biggest problem in the area of “smart devices” is the purchase decision of customers, who are guided by the device functions and do not consider the security settings. Furthermore, most smart devices do not have sufficient basic security settings, and manufacturers are too slow to deliver, or fail to keep up with, the software updates needed for known vulnerabilities in their end products. This offers cybercriminals easy entry points to access sensitive information from private individuals or companies (see Vollmer 2018).
A major security vulnerability for private individuals, but especially for companies, is the handling and allocation of IPv6 addresses. Due to the technical properties and the differences between the two types of protocol IPv4 and IPv6, new security gaps have emerged 2. As already mentioned in the previous chapter, the IPv6 standard was introduced because the possible IP addresses in the IPv4 network had been used up since 2011. With the IPv6 standard, 19 times the number of possible IP addresses can now be assigned. As a result, network architects now speak about the “principle of small networks”. Every device can be connected directly to the Internet and has global access. Due to the scarce IP addresses in the IPv4 standard, this was not possible for every device. Often these were linked to a local network and this network only had one IP address through which it communicated with the global Internet. With additional configurations of a so-called network address translation (NAT) between the global Internet and your own network, the security of your own network could be increased. With network address translation, the address in the header of the Internet protocol is changed when packets are sent.
The “principle of small networks” currently harbors the risk that every device, no matter how small, can be attacked from the outside because it is directly accessible from the Internet, unless a network address translation has been correctly configured by the user himself. If the configuration is insufficient, movement profiles of individual devices can be created, for example, and this simplifies the takeover of the devices by potential hacking groups.
Another disadvantage is possible Denial of Service attacks on individual devices; this can cause devices to crash. It is recommended that the devices communicate with the Internet via a proxy (see BSI guidelines 2012). Depending on the configuration of the proxy, analysis or evaluation of the data traffic can be carried out afterward.
The new IPv6 standard thus entails an increased configuration effort for the owners of the devices and also new security techniques, which in turn should be applied.
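As an added example (not from the original article or the BSI guide), the following check runs over a device inventory and reports which IPv6 addresses are globally routable and which carry an interface identifier derived from the MAC address. It goes slightly beyond the text by assuming modified EUI-64 identifiers as one concrete source of the movement profiles mentioned above, since such identifiers stay the same on every network the device joins. The device names and addresses are constructed; 2001:db8::/32 is the documentation prefix standing in for a real global prefix.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def scope(addr):
    """Classify an IPv6 address by where it can be reached from."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(inventory):
    """Map each device name to a list of findings (empty list = no finding)."""
    findings = {}
    for name, text in inventory.items():
        addr = ipaddress.IPv6Address(text)
        issues = []
        if scope(addr) == "global":
            issues.append("globally routable: confirm inbound filtering or a proxy")
        mac = eui64_mac(addr)
        if mac:
            issues.append(f"EUI-64 interface ID exposes MAC {mac}: stable across networks")
        findings[name] = issues
    return findings

# Constructed inventory: hypothetical device names, documentation/ULA/link-local addresses.
INVENTORY = {
    "printer": "2001:db8:1:1:211:22ff:fe33:4455",
    "fitness-hub": "2001:db8:1:1:9c3a:71f0:5be2:04d7",
    "fridge": "fd12:3456:789a:1:a8bb:ccff:fedd:eeff",
    "sensor": "fe80::1c2d:3e4f:5a6b:7c8d",
}

if __name__ == "__main__":
    for device, issues in audit(INVENTORY).items():
        print(device, "->", issues or ["no finding"])
```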
The BSI recommends that companies work with IT security companies to set up the configurations and architecture of their networks (see BSI Guide 2012, p. 13, Chapter 3.5).
2 For more detailed information, ProSec Networks GmbH recommends the specified guide of the BSI in the sources listed below.
In the coming years, we will face further exciting challenges in the area of the Internet of Things in Germany through the implementation of 5G technology and the associated increase in network bandwidth. This will enable the devices to transmit more information and data in less time via mobile data. This opens up completely new possibilities in logistics and in the health sector. Conversely, it also brings new challenges, especially in the area of IT security as well as in filtering and processing extremely large amounts of data in order to derive the right insights.