The amount of IoT devices in the three domains of home, commerce, and healthcare is increasing at a rapid rate . As the number of devices increases in their respected domains, it is important to focus on the security of each device to mitigate the chances of integrity compromises for the entire network. In this section, we discuss the need for device-level security to create a secure IoT network as well as advantages and disadvantages that it brings to the end-users.
Defining IoT Device-Level Security
IoT device-level security consists of protecting the network at the level of the individual device to create an overall safe environment for the users. To develop a security scheme that adequately protects the network, there must be analysis at the device-level as well as identification of the critical vulnerabilities that arise in specific devices. These vulnerabilities are scaled using the NIST-CVSS scoring process that considers the Temporal, Environmental, and Base metrics to provide an assessment of the severity of various vulnerabilities . Based on this scoring, portraying the severity of several different vulnerabilities at the device-level exemplifies the need to analyze each device to be able to supply a consistent security protocol that comes with these potential risks.
Importance of IoT Device-Level Security
Vulnerabilities often stem from a weak link in a network that typically correlates to the ongoing exploitation of a device within an IoT network. It is critical to analyze these vulnerabilities in order to formulate an accurate assessment of the network as a whole. In this paper, we have analyzed the vulnerabilities at the device-level to provide a concise perspective about the source of vulnerabilities in an IoT environment and to emphasize the importance of eradicating these weaknesses. Providing sufficient protection for IoT devices is crucial as exposure to security compromises can potentially devalue the device itself. As the devices increase in their respected EF (exposure or exploitation factor) score, the more detrimental the threat/attack could be upon the device. Thus, portraying the potential damage that could be caused within the overall network if a device is not adequately secured. The devaluation of the devices due to their vulnerabilities can cause various degrees of loss in each IoT domain. The significance of looking at the IoT security at the device level can be analyzed by understanding its applications in each relevant IoT domains.
In the healthcare domain of IoT, device-level security is critical as it pertains to the preservation of lives. The utilization of IoT devices in healthcare has dramatically increased as it is estimated that there will be 161 million IoT devices shipped worldwide in the year 2020 . It is important to understand what vulnerabilities arise at the device level to predict what security controls to apply during the event of potential threats/attacks. For example, wearable activity tracking devices (e.g., Fitbit) transmit data over a Bluetooth connection which is poorly encrypted and, in turns, makes the device susceptible to MITM attacks. Therefore, it is recommended to apply Traffic Delay Detection (SC 1.1/2) to mitigate the risk of attack. Dissecting each device to know how it functions within the network is important in catching vulnerabilities that would not be as explicit otherwise. According to a survey conducted by Irdeto , 8 in 10 organizations that specialize in sectors such as transportation, manufacturing, and healthcare have experienced an IoT cyberattack within 12 months and of those organizations, there have been 90% that experienced inconveniences during the attack such as downtime or compromising of customer data. Downtime in healthcare IoT devices is very dangerous as many patients rely on devices such as pacemakers in order to survive. This demonstrates for the need of corporations to heavily consider a device security approach as finding applicable security controls at the device level would have appropriately protected each device and possibly prevent extensive network downtime.
In the home domain of IoT, each device is directly correlated to one main network. This implies a compromise in one device could lead to a hacker gaining access to all personal devices that are connected to the home network. Without the proper protection and monitoring of each device to find suspected severe vulnerabilities, it would be difficult to find one specific device that has been exploited and is the initializer of compromising the home network. Cyber researchers at Ben-Gurion University of the Negev  found that there are several ways to hack a home network just from the poorly secured IoT home devices that consumers purchase. The products under different brands turn out to have the same common default passwords which consumers and businesses do not realize are there, allowing a hacker to logon to the entire Wi-Fi network and retrieving passwords in stored devices . As exemplified in the case-study in Figure 5, without the multi-factor security measure being implemented that was sourced from the discovery of the Default Passwords vulnerability, the IP Cameras would have been easily accessed by the attacker. The attacker would then have access to the home network and could manipulate other user devices. Providing users with a sense of privacy and proper security is effectively achieved through the careful review of each connected device and its respected vulnerabilities.
In the commerce domain of IoT, a device could become corrupted by a hacker using various attack commands or physical measures that disable the targeted device. It is imperative to provide secure transactions for consumers and preserve the monetary integrity of certain devices used by large companies. Damage to these devices may result in not only the company but the average consumer losing a copious amount of money due to illegitimate transactions that were facilitated through NFC. As exemplified in Figure 4, a relay attack could easily allow an attacker to intercept unencrypted data transfers such as various payment methods. Securing the NFC system using the device-level approach will allow a user to apply the proper security controls to mitigate the exposure to the vulnerability of exploiting the NFC link.
Analysis of Advantages and Disadvantages of IoT Device-Level Security
There are many advantages to using a device-level approach when securing IoT networks. For instance, being able to troubleshoot specific network problems by pinpointing the device issue, applying effective security measures because of a thorough analysis of the potential device-specific vulnerabilities, and the opportunity to mitigate the most severe vulnerabilities that are attached to certain devices. When securing the entire network, it can be detrimental as one would leave out some of the most critically scored vulnerabilities when developing a security schema. This creates an opportunity for hackers to plan attacks on the weakest devices in the network. Dissecting the network and deciphering what devices are most vulnerable to attacks will save consumers and businesses the loss they would experience due to overlooking an exploit. The disadvantage of device-level security for IoT is that it could be tedious when having a plethora of devices. Individually inspecting each device and its respected vulnerabilities could take some time for businesses, however, it would save corporations money and having to deal with data compromise or other security issues in the future.