Next Big Challenge

IoT – Security. What are they talking about?

Mobile devices control our lives. My toothbrush reports my brushing pattern to an app. Computers now run the things we hold dear, our cars included.

Yes, the world has changed a lot over the last five years and now we’re facing the next big challenge: the Internet of Things (IoT), and how to get it right.

Internet of Things? There have been many attempts to define what “IoT” or a “Thing” is. Definitions vary, like “interconnected objects uniquely addressable,” and according to Techopedia, IoT itself is “a computing concept that describes a future where objects will be connected, and be able to identify themselves to devices.”

Others recommend treating Things like people and thinking about Things as employees hired to fulfill specific functions. Even Maslow’s hierarchy of needs, first published in 1943, has been applied to the Thing for the same reason. It is one approach, and it puts everything into a different perspective. Regardless of how IoT is defined or viewed, physically there are an enormous number of Things, from microscopic sensors to washing machines, all talking to each other. One primary question arises: What are these Things talking about?

The elusive answer is, “it depends.” It depends on the type of device and on whom, or what, it is communicating with. Maybe it is a medical device transferring glucose data from a sensor to a mobile app, or a car receiving a software update over the air. Perhaps it is a toothbrush watching me brush my teeth. There are many more use cases in the Smart Home and Smart City context, at the point of sale, and literally and physically in the air, like in-flight entertainment systems or actual Internet-connected flight decks.

Let’s talk about privacy, device integrity and the protection of personally identifiable information in the context of IoT. The good news is that most recent expert publications in this area come with a subtle hint that security might be a critical requirement for getting the future of IoT right. It is clear that every connected Thing can be attacked and, given enough exposure, will be. We know that all too well. And the risk is not only a matter of gaining remote access to a device (or a set of devices) by hacking into a network. The risk goes well beyond data compromise; it covers device subversion, spoofing and a hall of horrors of intolerable scenarios far more serious than a runaway toothbrush.

Of course, there is no silver-bullet technical answer to any of this, and those who tell you otherwise are either hackers or uninformed. The answers lie in proper design, system architecture, secure systems best practices, and software and hardware tamper resistance.

At a recent RSA conference in San Francisco, an IDC analyst noted that with consumer devices, there is no money in security. Of course, he explained it a bit more and put some context around it. I would say that this is a bold statement. Yes, security has its price, but it’s usually computed after a significant attack and expected for free beforehand. But, wouldn’t it be great to be informed about the absence of security? So that we can compare and make decisions such as, “Ok, this vendor takes my privacy and user data protection seriously.”

I don’t think I want to ask myself this question when it comes to medical, automotive, payment and other related products. I would like to assume that I wouldn’t have to buy a product that doesn’t fulfill proper cybersecurity standards. The scary part is that we know better. We need to focus on what can be done to mitigate the risks as we know them.

The Internet of Things encompasses a broad spectrum of products, devices and use cases. With connectivity comes risk. It’s not just the Things, though, that need to incorporate a certain level of security and protection. Data generated by these Things and broadcast over the Internet, ending up on users’ mobile devices or across the cloud, also need security and protection. Mobile applications, which provide rich UIs to visualize and act upon this data, are often extremely vulnerable and easy to attack. Data stored and processed on mobile devices, or in the cloud, are likely to be more attractive targets than the Things themselves for a couple of reasons. First, the devices and the cloud represent more focused attack points, and secondly the amount of data and the potential for reward is greater.

Regardless of where the Thing is running, on a mobile device, a computer, or on an embedded device, it can be attacked at various layers, on different platforms or operating systems, with very different goals in mind. This is a very complex problem for companies who want to protect their devices, software and data.

We know that the weakest link in a secure system will get the attention of hackers. So a robust and efficient software and data protection scheme is an absolute must for software that communicates with or runs on a Thing, at least if sensitive data is involved. This scheme should add tamper resistance to an app at the source-code level and make the app self-defending. In addition, a protected app should only use a whitebox implementation of standard crypto algorithms to process sensitive data or for authentication purposes. A whitebox implementation merges the key into encoded lookup tables when the app is built, rather than holding it as a plain value that is loaded into memory and combined with the data at runtime. Using whitebox algorithms, plain crypto keys are therefore never present in memory. One caveat a practitioner should keep in mind: this raises the cost of key extraction from a running app, but it is not the same guarantee as keeping the key in tamper-resistant hardware, and the quality of the table encodings decides how much it actually buys.
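To make the whitebox idea concrete, the following is an added example (not code from the article or from any vendor mentioned in it) built around a deliberately weak, invented 8-byte substitution cipher: each plaintext byte is XORed with a key byte and sent through a fixed public S-box. The conventional implementation keeps the key as a live byte string; the whitebox build compiles the key into one 256-entry table per position, so the runtime only ever touches tables. A simulated memory scan finds the key in the conventional image and not in the table image. The last function shows the caveat from the paragraph above: bare tables with no input/output encodings are trivially invertible, so “not visible in memory” is a weaker property than “not recoverable.” The S-box seed, key and plaintext are constructed for this example.

```python
"""Toy white-box construction, added for illustration only.

The cipher is an invented 8-byte XOR-then-S-box substitution, far too weak
for real use; the point is where the key lives at runtime, not the cipher.
"""
from __future__ import annotations

import random

BLOCK_LEN = 8  # one key byte per plaintext byte in this toy cipher


def make_sbox(seed: int = 2016) -> bytes:
    """Public, fixed substitution table: a seeded random permutation of 0..255."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return bytes(perm)


SBOX = make_sbox()
SBOX_INV = bytes(SBOX.index(i) for i in range(256))  # SBOX_INV[SBOX[x]] == x


def plain_encrypt(key: bytes, block: bytes) -> bytes:
    """Conventional implementation: the key is a live byte string in memory."""
    assert len(key) == len(block) == BLOCK_LEN
    return bytes(SBOX[p ^ k] for p, k in zip(block, key))


def build_whitebox(key: bytes) -> list[bytes]:
    """Build step: fold the key into per-position tables T_i[x] = S[x ^ k_i].

    After this returns, the caller can discard the key; the tables alone
    are shipped with the app.
    """
    assert len(key) == BLOCK_LEN
    return [bytes(SBOX[x ^ k] for x in range(256)) for k in key]


def whitebox_encrypt(tables: list[bytes], block: bytes) -> bytes:
    """Runtime step: pure table lookups, no XOR with a key value anywhere."""
    assert len(tables) == len(block) == BLOCK_LEN
    return bytes(t[p] for t, p in zip(tables, block))


def key_visible(image: bytes, key: bytes) -> bool:
    """Simulated memory scan: does the contiguous key appear in the image?"""
    return image.find(key) != -1


def recover_key_from_tables(tables: list[bytes]) -> bytes:
    """Caveat: unencoded tables are invertible.

    T_i[0] = S[0 ^ k_i] = S[k_i], so k_i = S_inv[T_i[0]]. Real white-box
    designs wrap the tables in input/output encodings to block exactly this.
    """
    return bytes(SBOX_INV[t[0]] for t in tables)


def demo() -> dict:
    # Constructed key and plaintext for the example.
    key = bytes.fromhex("0123456789abcdef")
    block = b"IoTdata!"

    tables = build_whitebox(key)
    plain_image = key + block            # what a conventional app holds at runtime
    whitebox_image = b"".join(tables)    # what the whitebox app holds at runtime

    return {
        "same_ciphertext": plain_encrypt(key, block) == whitebox_encrypt(tables, block),
        "key_in_plain_image": key_visible(plain_image, key),
        "key_in_whitebox_image": key_visible(whitebox_image, key),
        "key_recovered_from_tables": recover_key_from_tables(tables) == key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` results read as one would expect from the paragraph: both implementations produce the same ciphertext, the key is found by a naive scan of the conventional image and not of the table image, and the bare tables still give the key back to anyone who knows the public S-box. Evaluating a real whitebox product means asking how its encodings hold up against table extraction and differential analysis, not just whether the key string is grep-able in a memory dump.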

Last, but not least, it’s important that a protection scheme is applied across all platforms: you don’t want to protect an app on one platform but leave the door open on others. Attacks carry over across platforms; hackers learn from weaknesses in one place to exploit another, comparing the protected and unprotected builds of the same app in what are called “differencing attacks.”

This may sound technical. The point is that help is available. It is perfectly possible to build secure networked Things that provide sufficient levels of system security, allowing us to sleep at night. It is important to match the level of security technology to the magnitude of the threat and the impact of an attack. Not all devices can afford to incorporate hardware security, as it raises their bill of materials. Fortunately, less expensive software-based security solutions add substantial tamper resistance, protect crypto keys at runtime, and raise the cost of attacking the overall system considerably.

At some point, regulations and standards will kick in, much like with product safety standards around electrical codes, such as UL or CE. These regulations and standards will help educate everyone from manufacturers to consumers and will achieve cybersecurity standards throughout different industries.

Until then, we live in a self-organizing world where the onus is on the technology developers to protect their users (and in doing so, protect their future as a business). Of course, consumers of these life-changing Things should be on the lookout and should ask vendors what they are doing to protect their privacy and security. The companies with the right answers will be the ones that will ensure long-term profitability in the distributed software world of IoT.

This article originally appeared in the April 2016 issue of Security Today.
