The internet of things (IoT) promises us a world of intelligent fridges that automatically order groceries from the supermarket, smartwatches that relay our blood pressure to the doctor, and connected ovens that preheat when they see that we’ve left work. But amid all the breathless speculation about our connected future, little attention is being given to how we will ensure that the internet of things is safe.
Cisco predicts that by 2020 there will be 50 billion connected devices around the world, all communicating with a variety of systems, databases, people and machines. This represents a hugely expanded network of potential vulnerabilities. Meanwhile, the nature of IoT communications makes the consequences of a successful attack even more harmful.
Who are you, really?
We need the ability to establish the true identity of any device that connects to the internet, and any system or person that communicates with a device. Without this, the IoT could enable criminals to attack high-value targets such as your home security system or to disable the alarm on your internet-connected car. They could also intercept sensitive communications by posing as the intended recipients of the data — which could prove catastrophic in critical national infrastructure and other “mission critical” settings.
Yet this fundamental requirement for each item to have a secure, trusted identity is missing from the vast majority of connected devices today. In the rush to bring these devices to market, development costs and time-to-market have taken precedence over security. The result is that we are about to fill our homes and offices with devices which, rather than improving our lives, leave us wide open to a new generation of cyber threats.
We seem not to have learned the simple lesson that anything connecting to the internet is vulnerable to attack. This is especially frustrating since we have come so far in the fight against cybercrime. For example, chip and PIN technology has become widely adopted across Europe and has proven valuable for consumers and businesses alike: it has made financial transactions significantly safer, because consumers can trust the transaction and the bank can establish the identity of the person conducting it.
Yet comparable measures are completely missing from the current crop of connected devices, leaving them entirely unguarded from fraud, extortion and theft. We must urgently address the issue of how we can categorically establish the true identity of these devices.
We have the tools; we just need to start using them
The good news is that more and more connected devices already contain the means to become secure. Phones and tablets have elements such as a Trusted Execution Environment (TEE) or SIM, which are secure parts of the device, out of the reach of hackers, and many other connected devices have similar secure environments. By placing a credential into such an environment, a unique and secure identity for that machine can be created, ensuring that it can be trusted by the other devices or systems with which it communicates.
As one can see, the underlying principle of securing devices is hardly new — nor is it complicated to understand or use. Authentication systems work because they combine high security with convenience and ease of use, making it easy to show the benefits to the end user. This is what we must achieve with the internet of things, beginning with educating technology providers and the public about the very real dangers inherent when we can’t verify the identity of devices.
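The principle described above, as an added illustration that is not part of the original article: a credential is provisioned into a simulated secure element (standing in for a TEE or SIM) that only ever exposes a signing operation, and a verifying server authenticates the device with a single-use challenge. The `SecureElement`, `IdentityServer` and device name `oven-0001` are constructed for this example; the key never leaves the element, a captured response cannot be replayed, and a device without the provisioned credential fails authentication.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Simulates a TEE/SIM: holds the device credential and exposes only a
    signing operation, so the key itself never leaves the element."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.__key = key  # never returned or exported

    def sign_challenge(self, nonce: bytes) -> bytes:
        # Bind the response to both the claimed identity and the fresh nonce.
        return hmac.new(self.__key, self.device_id.encode() + nonce, hashlib.sha256).digest()


class IdentityServer:
    """Registers device credentials at provisioning time and verifies
    challenge responses; each nonce is accepted once, so a recorded
    response is useless to an eavesdropper."""

    def __init__(self):
        self._keys = {}      # device_id -> provisioned credential
        self._pending = {}   # device_id -> outstanding nonce

    def provision(self, device_id: str) -> SecureElement:
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return SecureElement(device_id, key)  # credential placed into the element

    def issue_challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None or self._pending.get(device_id) != nonce:
            return False  # unknown device, stale nonce or replayed response
        del self._pending[device_id]  # single use
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (genuine accepted, replay rejected, impostor rejected)."""
    server = IdentityServer()
    element = server.provision("oven-0001")
    nonce = server.issue_challenge("oven-0001")
    genuine = server.verify("oven-0001", nonce, element.sign_challenge(nonce))
    replay = server.verify("oven-0001", nonce, element.sign_challenge(nonce))
    nonce2 = server.issue_challenge("oven-0001")
    impostor = SecureElement("oven-0001", b"no provisioned credential")
    forged = server.verify("oven-0001", nonce2, impostor.sign_challenge(nonce2))
    return genuine, replay, forged
```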
A call for a common standard
The conversation about the internet of things must mature, and quickly. We need to speculate less on the potential future applications of the technology (which, anyway, we cannot predict with any great accuracy) and work out how we can ensure we can trust the devices that we communicate with.
Thankfully, the necessary technology and methodologies are already available, tried and tested in the real world. I’ve shown how the underlying requirements in the form of secure credentials and secure environments already exist. What is needed is a collective effort on the part of the technology industry, from chip providers to device manufacturers to telecoms firms, with the aim of developing a common standard for providing machines with secure identities. At the same time, we need to educate the public about the security risks of the internet of things, and ensure they understand the importance of being able to authenticate connected devices.
I would like to see this cooperation result in a common standard to which every manufacturer can adhere, so that we do not confuse and alienate end users with a variety of different methods of authentication. I have no doubt that many manufacturers are currently investigating how they can create trusted identities for the devices that they make. What will speed industry cooperation, however, is to build demand for simple, secure authentication by raising awareness of the security risks of unverified connected devices.
There is still time for us to pull back from the brink of an unsecured internet of things. By making education and cooperation our priorities, we will be able to achieve all the promised benefits without jeopardizing our security.
Allen Storey is the product director at cybersecurity firm Intercede, which specializes in human ID security and access control.