Next Big Challenge

IoT – Security. What are they talking about?

Mobile devices control our lives. My toothbrush squeals to an app about my brushing pattern. Computers are hijacking our beloved ones, our cars.

Yes, the world has changed a lot over the last five years and now we’re facing the next big challenge: the Internet of Things (IoT), and how to get it right.

Internet of Things? There have been many attempts to define what “IoT” or a “Thing” is. Definitions vary, like “interconnected objects uniquely addressable,” and according to Techopedia, IoT itself is “a computing concept that describes a future where objects will be connected, and be able to identify themselves to devices.”

Others recommend treating Things like people and thinking about Things as employees hired to fulfill specific functions. Even Maslow’s hierarchy of needs, first published in 1943, has been applied to the Thing for the same reason. It is one approach, and it puts everything into a different perspective. Regardless of how IoT is defined or viewed, physically there are an enormous number of Things, from microscopic sensors to washing machines, all talking to each other. One primary question arises: What are these Things talking about?

The elusive answer is, “it depends.” It depends on the type of device and on whom, or what, it is communicating with. Maybe it is a medical device transferring glucose data from a sensor to a mobile app, or a car receiving a software update over the air. Perhaps it is a toothbrush watching me brush my teeth? There are many more use cases in the Smart Home and Smart City context, at the point of sale, and literally and physically in the air, like in-flight entertainment systems or actual Internet-connected flight decks.

Let’s talk about privacy, device integrity and the protection of personally identifiable information in the context of IoT. The good news is that most recent expert publications in this area come with a subtle hint that security might be a critical requirement for getting the future of IoT right. It is clear that every Thing that is connected can be exploited and will be exploited. We know that all too well. And the risk is not only based on getting remote access to a device (or a set of devices) by hacking into a network. The risk goes well beyond data compromise; it covers device subversion, spoofing and a hall of horrors of intolerable scenarios far more serious than a runaway toothbrush.

Of course, there is no silver bullet technical answer to any of this, and those who will tell you otherwise are either hackers or uninformed. The answers lie in proper design, system architecture, secure systems best practices and software and hardware tamper resistance.

At a recent RSA conference in San Francisco, an IDC analyst noted that with consumer devices, there is no money in security. Of course, he explained it a bit more and put some context around it. I would say that this is a bold statement. Yes, security has its price, but it’s usually computed after a significant attack and expected for free beforehand. But, wouldn’t it be great to be informed about the absence of security? So that we can compare and make decisions such as, “Ok, this vendor takes my privacy and user data protection seriously.”

I don’t think I want to ask myself this question when it comes to medical, automotive, payment and other related products. I would like to assume that I wouldn’t have to buy a product that doesn’t fulfill proper cybersecurity standards. The scary part is we know better. We need to focus on what can be done to mitigate the risks, as we know them.

The Internet of Things encompasses a broad spectrum of products, devices and use cases. With connectivity comes risk. It’s not just the Things, though, that need to incorporate a certain level of security and protection. Data generated by these Things and broadcast over the Internet, ending up on users’ mobile devices or across the cloud, also need security and protection. Mobile applications, which provide rich UIs to visualize and act upon this data, are often extremely vulnerable and easy to attack. Data stored and processed on mobile devices, or in the cloud, are likely to be more attractive targets than the Things themselves for a couple of reasons. First, the devices and the cloud represent more focused attack points, and secondly the amount of data and the potential for reward is greater.

Regardless of where the Thing is running, on a mobile device, a computer, or on an embedded device, it can be attacked at various layers, on different platforms or operating systems, with very different goals in mind. This is a very complex problem for companies who want to protect their devices, software and data.

We know that the weakest link in a secure system will get the attention of hackers. So a robust and efficient software and data protection scheme is an absolute must for software that communicates with or runs on a Thing, at least if sensitive data is involved. This scheme should add tamper resistance to an app at the source-code level and make the app self-defending. In addition, a protected app should only use a whitebox implementation of standard crypto algorithms to process sensitive data or for authentication purposes. These implementations work on encrypted keys only, even while processing data at runtime. With whitebox algorithms, plaintext crypto keys are never exposed in memory.
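To make the whitebox idea concrete, here is an added example that is not from the article or from any vendor product. It uses a constructed toy cipher (one round of 8-bit key XOR plus a fixed S-box, chosen only so the tables stay small) and folds the key into a lookup table wrapped in random input/output encodings, the core construction of table-based whitebox designs. The check at the end shows why the encodings matter: without them, the key can be read straight off the shipped table.

```python
import random

# Constructed toy cipher for illustration only (not a real cipher): one
# round of 8-bit key XOR followed by a fixed S-box. Real whitebox designs
# apply the same table idea to AES across many rounds.
_rng = random.Random(2016)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def plain_encrypt(key: int, x: int) -> int:
    """Conventional implementation: the key is a live value at runtime."""
    return SBOX[x ^ key]


def _random_bijection(rng):
    perm = list(range(256))
    rng.shuffle(perm)
    inverse = [0] * 256
    for i, v in enumerate(perm):
        inverse[v] = i
    return perm, inverse


def build_whitebox(key: int, seed: int, encoded: bool = True):
    """Fold the key into one 256-entry lookup table. With encoded=True the
    table is wrapped in random input/output bijections f and g; the key is
    consumed here and not retained. Returns (table, f, g_inv): the caller
    applies f before the lookup and g_inv after it, so the protected code
    itself only ever holds the table."""
    if encoded:
        rng = random.Random(seed)
        f, f_inv = _random_bijection(rng)
        g, g_inv = _random_bijection(rng)
    else:
        f = f_inv = g = g_inv = list(range(256))  # identity encodings
    table = [g[SBOX[f_inv[e] ^ key]] for e in range(256)]
    return table, f, g_inv


def whitebox_encrypt(table, f, g_inv, x: int) -> int:
    """Same result as plain_encrypt, with no key present anywhere."""
    return g_inv[table[f[x]]]


def key_readable_from(table):
    """Defender's check: does the table equal SBOX[x ^ k] for some k? If so,
    the key is readable directly from the shipped table. With encodings the
    table looks like an unrelated permutation and this returns None."""
    for k in range(256):
        if all(table[x] == SBOX[x ^ k] for x in range(256)):
            return k
    return None
```

The external encodings f and g_inv belong at the boundary of the protected component (for example, applied by the peer that sends or receives the data), not stored next to the table.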

Last, but not least, it’s important that a protection scheme is applied across all platforms: you don’t want to protect an app on one platform but leave the door open on others. Weaknesses get exploited cross-platform; hackers learn from a weakness in one place to exploit another, in what are called “differencing attacks.”

This may sound technical. The point is that help is available. It is perfectly possible to build secure networked Things that provide sufficient levels of system security, allowing us to sleep at night. It is important to match the level of security technology to the magnitude of the threat and the impact of an attack. Not all devices can afford to incorporate hardware security, as it raises their bill of materials. Fortunately, less expensive software-based security solutions add high levels of tamper resistance that protect crypto keys and increase the level of overall system security by orders of magnitude.

At some point, regulations and standards will kick in, much like product safety standards around electrical codes, such as UL or CE. These regulations and standards will help educate everyone from manufacturers to consumers and will establish cybersecurity standards across different industries.

Until then, we live in a self-organizing world where the onus is on the technology developers to protect their users (and in doing so, protect their future as a business). Of course, consumers of these life-changing Things should be on the lookout and should ask vendors what they are doing to protect their privacy and security. The companies with the right answers will be the ones that will ensure long-term profitability in the distributed software world of IoT.

This article originally appeared in the April 2016 issue of Security Today.
