
Summary:

As we move closer to an always-connected world, we must remember that anything connected to the Internet is vulnerable to attack. The problem may be complex, but the solutions are simple. We just need to agree as an industry.

The internet of things (IoT) promises us a world of intelligent fridges that automatically order groceries from the supermarket, smartwatches that relay our blood pressure to the doctor, and connected ovens that preheat when they see that we’ve left work. But amid all the breathless speculation about our connected future, little attention is being given to how we will ensure that the internet of things is safe.

Cisco predicts that by 2020 there will be 50 billion connected devices around the world, all communicating with a variety of systems, databases, people and machines. This represents a hugely expanded network of potential vulnerabilities. Meanwhile, the nature of IoT communications makes the consequences of a successful attack even more harmful.

Who are you, really?

We need the ability to establish the true identity of any device that connects to the internet, and any system or person that communicates with a device. Without this, the IoT could enable criminals to attack high-value targets such as your home security system or to disable the alarm on your internet-connected car. They could also intercept sensitive communications by posing as the intended recipients of the data — which could prove catastrophic in critical national infrastructure and other “mission critical” settings.

Yet this fundamental requirement for each item to have a secure, trusted identity is missing from the vast majority of connected devices today. In the rush to bring these devices to market, development costs and time-to-market have taken precedence over security. The result is that we are about to fill our homes and offices with devices which, rather than improving our lives, leave us wide open to a new generation of cyber threats.

We seem not to have learned the simple lesson that anything connecting to the internet is vulnerable to attack. This is especially frustrating since we have come so far in the fight against cybercrime. For example, chip and PIN technology has become widely adopted across Europe and has proven valuable for consumers and businesses alike: it has made financial transactions significantly safer, because consumers can trust the transaction and the bank can establish the identity of the person conducting it.

Yet comparable measures are completely missing from the current crop of connected devices, leaving them entirely unguarded from fraud, extortion and theft. We must urgently address the issue of how we can categorically establish the true identity of these devices.

Photo by Denys Prykhodov/Shutterstock

We have the tools; we just need to start using them

The good news is that more and more connected devices already contain the means to become secure. Phones and tablets have elements such as a Trusted Execution Environment (TEE) or SIM which are secure parts of the device, out of the reach of hackers, while many other connected devices have similar secure environments. By placing a credential onto these environments, a unique and secure identity for that machine can be created, ensuring that it can be trusted by other devices or systems with which it communicates.

As one can see, the underlying principle of securing devices is hardly new — nor is it complicated to understand or use. Authentication systems work because they combine high security with convenience and ease of use, making it easy to show the benefits to the end user. This is what we must achieve with the internet of things, beginning with educating technology providers and the public about the very real dangers inherent when we can’t verify the identity of devices.
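As an added illustration (not code from the article or from Intercede) of the principle described above: a credential kept inside a secure environment lets a device prove who it is without the credential ever leaving the device. The example uses an HMAC challenge-response as a stand-in for whatever credential mechanism a real TEE or SIM offers, and the names `SecureElement`, `IdentityService` and the device id `oven-0001` are constructed for the demonstration. It also contrasts this with a fixed token sent as-is, which anyone who observes it once can reuse, the point one of the commenters below makes about tokens over insecure channels.

```python
import hashlib
import hmac
import os


class SecureElement:
    """Stand-in for the secure environment (TEE, SIM, secure element).
    The per-device secret is provisioned once and never leaves this object;
    callers only receive the result of a keyed computation.
    Constructed for this example, not a real TEE API."""

    def __init__(self, device_id, secret):
        self._device_id = device_id
        self._secret = secret

    @property
    def device_id(self):
        return self._device_id

    def answer_challenge(self, nonce):
        # Bind the answer to both the device identity and the fresh nonce, so an
        # answer for one device or one session is useless for any other.
        msg = self._device_id.encode() + b"|" + nonce
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class IdentityService:
    """Backend that holds each device's provisioned secret and runs the
    challenge/response check. Constructed for this example."""

    def __init__(self):
        self._secrets = {}   # device_id -> secret loaded at manufacture
        self._pending = {}   # device_id -> nonce awaiting an answer

    def provision(self, device_id, secret):
        self._secrets[device_id] = secret

    def issue_challenge(self, device_id):
        nonce = os.urandom(16)          # fresh per attempt, so answers cannot be replayed
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, nonce, response):
        secret = self._secrets.get(device_id)
        issued = self._pending.pop(device_id, None)   # single use: consumed on any attempt
        if secret is None or issued is None or issued != nonce:
            return False
        expected = hmac.new(secret, device_id.encode() + b"|" + nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def _setup():
    """Provision one constructed device ('oven-0001') and its backend record."""
    service = IdentityService()
    secret = os.urandom(32)
    service.provision("oven-0001", secret)
    return service, SecureElement("oven-0001", secret)


def genuine_device_authenticates():
    service, oven = _setup()
    nonce = service.issue_challenge(oven.device_id)
    return service.verify(oven.device_id, nonce, oven.answer_challenge(nonce))


def replayed_response_is_rejected():
    service, oven = _setup()
    nonce = service.issue_challenge(oven.device_id)
    response = oven.answer_challenge(nonce)
    first = service.verify(oven.device_id, nonce, response)
    # Someone who captured (nonce, response) off the wire presents it again.
    replay = service.verify(oven.device_id, nonce, response)
    return first and not replay


def impostor_with_only_the_id_is_rejected():
    service, _oven = _setup()
    # Knows the public device id but holds a different secret.
    fake = SecureElement("oven-0001", os.urandom(32))
    nonce = service.issue_challenge("oven-0001")
    return not service.verify("oven-0001", nonce, fake.answer_challenge(nonce))


def static_token_can_be_replayed():
    """Contrast: a fixed bearer token is accepted every time it is presented,
    so observing it once on an open channel is enough to impersonate the device."""
    registry = {"oven-0001": os.urandom(16).hex()}

    def check(device_id, token):
        return hmac.compare_digest(registry.get(device_id, ""), token)

    captured = registry["oven-0001"]          # seen once on an unencrypted link
    return check("oven-0001", captured) and check("oven-0001", captured)


if __name__ == "__main__":
    print("genuine device accepted:", genuine_device_authenticates())
    print("replayed answer rejected:", replayed_response_is_rejected())
    print("impostor rejected:", impostor_with_only_the_id_is_rejected())
    print("static token replayable:", static_token_can_be_replayed())
```

The property that matters is where the secret lives: the backend never receives it, and the device never reveals it, so a captured exchange gives an observer nothing reusable. A real deployment would use per-device asymmetric keys and certificates rather than a shared HMAC secret, but the flow is the same.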

A call for a common standard

The conversation about the internet of things must mature, and quickly. We need to speculate less on the potential future applications of the technology (which, anyway, we cannot predict with any great accuracy) and work out how we can ensure we can trust the devices that we communicate with.

Thankfully, the necessary technology and methodologies are already available, tried and tested in the real world. I’ve shown how the underlying requirements in the form of secure credentials and secure environments already exist. What is needed is a collective effort on the part of the technology industry, from chip providers to device manufacturers to telecoms firms, with the aim of developing a common standard for providing machines with secure identities. At the same time, we need to educate the public about the security risks of the internet of things, and ensure they understand the importance of being able to authenticate connected devices.

I would like to see this cooperation result in a common standard to which every manufacturer can adhere, so that we do not confuse and alienate end users with a variety of different methods of authentication. I have no doubt that many manufacturers are currently investigating how they can create trusted identities for the devices that they make. What will speed industry cooperation, however, is to build demand for simple, secure authentication by raising awareness of the security risks of unverified connected devices.

There is still time for us to pull back from the brink of an unsecured internet of things. By making education and cooperation our priorities, we will be able to achieve all the promised benefits without jeopardizing our security.

Allen Storey is the product director at cybersecurity firm Intercede, which specializes in human ID security and access control.

Featured image from Tatiana Popova/Shutterstock. Image of connected home from Denys Prykhodov/Shutterstock.

  1. You’d figure there would be a service to evaluate if these things work like they are supposed to. But that’s why we have YouTube review videos because there are people out there who can

  2. Chris Matthieu Sunday, May 4, 2014

    A common IoT identity standard would be great for smart devices but we don’t even have this standard in place for humans. We have social media personas and mobile phone numbers that can, at best, be used to establish reputation and/or financial billing. We use OAuth to leverage our social media personas to sign into other systems.

    I’m the founder of SkyNet.im, an open source IoT platform. Each smart device that connects to SkyNet registers and authenticates with a 36 character UUID and secret token. We would love to allow people to claim and connect these device UUIDs to their social media personas and/or billing platforms. We’ve been thinking about the concept of claiming a smart device via its UUID and maybe location such as being behind your ISP’s IP address and firewall – or same public IP address as your login via social media.

    We would support discussion on a public IoT identity standard!

    1. Rick Bullotta Monday, May 5, 2014

      Chris, I know you’re aware that “UUID’s aren’t” (inherently unique, that is) – and when devices with limited capabilities connect over non-secure channels (HTTP vs HTTPS or a non-encrypted UDP or TCP message), all the tokens in the world won’t protect you.

      In general, security in terms of authentication and identity may well be the *easiest* piece of IoT security to deal with. Access and privacy controls will prove to be a far greater challenge IMO.

  3. Right now we can’t. The companies that stand to make billions need to make a universal security protocol to prevent a Heartbleed style breach before the widespread introduction of the Internet of things.

    http://techsplyce.wordpress.com/2014/04/29/security-and-the-internet-of-things/

  4. Rufo Guerreschi Monday, May 5, 2014

    The same way you trust everything else on the internet, you don’t. The only solution is to make computing 100 times simpler and with fewer features, have extreme transparency in all phases and have an extreme amount (relative to complexity) of actual verification in place.

  5. If you are not secure with your ability to handle the unknown, the security of the known is best cloaked in transparency. #right2know #netneutrality

  6. XMPP is an open standard and mandated by DoD for its security and interoperability! Stop trying to make other protocols into XMPP. UPnP forum announced standard for cloud is XMPP, IETF standardized in 2004, IEC/ISO/IEEE 21451-1-4 is standardizing XMPP for sensors and actuators, IEC TC57 is standardizing XMPP for energy. Let’s start moving IoT forward!

  7. Steve Milanesi Friday, May 23, 2014

    Security (or lack thereof) is the inhibitor for sure – CloudPassage has a great solution that hardens cloud security & compliance at the workload for elastic cloud…. check them out before diving into the IoT.
