
The internet of things needs a new security model. Which one will win?

The Target data breach, carried out through compromised point-of-sale terminals. The recent news that a botnet which sent 750,000 spam emails included a refrigerator. The discovery of a Linux worm that could infect security cameras. In the last two months all of these headlines have stoked fear about the vulnerability of connected devices and about current security practices. Much as the cloud has allowed denial-of-service attacks to grow in scale, the array of relatively dumb and unsecured connected devices threatens to participate in botnets, leak data or act as a weak point for hackers to target.

And when it comes to securing the internet of things, it’s likely that the current methodologies will have to change, given how a connected and interconnected world works. Instead of trying to keep the bad guys out, the zeitgeist is moving toward assuming everything is already compromised, and then either working out how to keep attacks from succeeding or finding a way to establish, and then re-establish, a trusted environment.

This is hard. But first, let’s focus on some of the things that make the internet of things such a challenge to secure in the first place.

Why isn’t the internet of things secure yet?

  • Promiscuity across networks. Devices are expected to talk not only to the internet but also to each other, which means that every node on the network is a potential weak point, and depending on whose numbers you believe those devices will number 30 to 50 billion in the next five or six years. You aren’t only securing the internet of things from dangers that might attack it over the public internet; because most connected-device networks are mesh networks, you must also keep a bad node from attacking or co-opting other devices on the same mesh.
  • Connected devices are stupid. As this post from Gartner points out, not all connected devices are like smartphones, or even pack the computational power of a 32-bit microcontroller. That means tasks like encrypting data are going to be impossible and any type of security must be lightweight.
  • The owners of connected devices are stupid. Fine, they may not be stupid, but they certainly aren’t using password generators, making sure their hardware is up to date or changing the admin password on their devices. Many consumer connected devices have to be dead simple and have security to match. And of course, if the trade-off is between security and convenience (two-factor authentication? No way!), security will lose.
  • The great unknown. We haven’t figured out yet how we’re going to get devices to talk to each other and to automate our workplaces and lives. It’s really hard to secure an amorphous concept, which is pretty much what most implementations of the internet of things look like today. Sure, there are closed systems that may feel more secure, but if we accept that the goal here is to build services on top of hardware and software that shares its data, then those closed systems are going to look like relics of a quaint and forgotten past. But so far, we don’t know what will evolve, what protocols it will use and which ways of building out the system will win.

Which framework wins out?

There are many, many more issues, some of which are subsets of these and others that are just crazy, like the idea of denial-of-power attacks, in which an attacker drains an essential sensor’s battery. So how will we secure this?

One idea gaining ground is that we will accept that the system is insecure and then develop software and procedures to determine, on the fly, what we can trust. I have no idea what it might look like, although my friend Jason Hoffman at Ericsson likened it to a Turing test for security that devices might perform. It shares the underlying assumption behind Netflix’s Chaos Monkey concept: assume systems will break and prepare for it in all manner of ways.

In a related concept, perhaps instead of stopping data breaches we’ll stop those who profit from them from actually making money. This week, Shape Security, a startup founded by some ex-Googlers, launched a product that tries to prevent people from mass-charging goods at online retailers. Shape’s magic is that it can generate a dynamic and ever-changing version of the HTML, CSS and Java on a web page while still keeping the front end looking the same.

The benefit of this is that hackers who have stolen credit card information can’t write scripts that automatically fill out the order forms on websites like Amazon or Wal-Mart. When you’re trying to monetize 30 million stolen credit cards, you aren’t entering that data by hand.
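To make the mechanism concrete, here is an added example (not Shape’s code, and not from the original post) of the simplest version of the idea: the server renders the same checkout form with different field names on every page load, derived from a secret key and a single-use nonce, so a script that posts the field names it learned last month gets rejected, while a client that reads the names off the page just served still succeeds. The field names, the HMAC derivation and the single-use nonce are assumptions of this example.

```python
"""Per-request polymorphic form field names (added example, constructed data).
Names, the HMAC-based derivation and the single-use nonce are assumptions of
this demo, not a description of any vendor's product."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Sequence, Tuple

# Constructed example data: the canonical field names of a checkout form.
CHECKOUT_FIELDS: Tuple[str, ...] = ("card_number", "expiry", "cvv", "quantity")

# Per-deployment secret, generated here for the demo; a real server would load
# it from its secret store. Only a holder of the key can derive field names.
SERVER_KEY = secrets.token_bytes(32)

# Nonces handed out with rendered forms and not yet consumed (single use).
ISSUED_NONCES: set = set()


def field_mapping(nonce: str, fields: Sequence[str] = CHECKOUT_FIELDS,
                  key: bytes = SERVER_KEY) -> Dict[str, str]:
    """Derive the rendered names for one page load: canonical -> rendered.

    The derivation is deterministic in (key, nonce, name), so the server keeps
    no per-field state; it recomputes the mapping from the nonce on submit.
    """
    mapping = {}
    for name in fields:
        mac = hmac.new(key, f"{nonce}:{name}".encode(), hashlib.sha256).hexdigest()
        mapping[name] = "f_" + mac[:16]
    return mapping


def render_form(fields: Sequence[str] = CHECKOUT_FIELDS,
                key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Render the form for one request; returns (nonce, html).

    The nonce rides along as a hidden field. Field names differ on every load,
    so a script with the names baked in has nothing to fill.
    """
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    mapping = field_mapping(nonce, fields, key)
    parts = [f'<input type="hidden" name="nonce" value="{nonce}">']
    parts += [f'<input name="{mapping[name]}">' for name in fields]
    return nonce, "<form>" + "".join(parts) + "</form>"


def decode_submission(submitted: Dict[str, str],
                      fields: Sequence[str] = CHECKOUT_FIELDS,
                      key: bytes = SERVER_KEY) -> Optional[Dict[str, str]]:
    """Translate a submission back to canonical names, or return None to reject.

    Rejected: a missing or already-used nonce (replay of a captured page), any
    unknown field name (hard-coded or stale names), or any expected field left
    unfilled. Accepted submissions consume their nonce.
    """
    nonce = submitted.get("nonce")
    if nonce is None or nonce not in ISSUED_NONCES:
        return None
    reverse = {obf: name for name, obf in field_mapping(nonce, fields, key).items()}
    decoded = {}
    for posted_name, value in submitted.items():
        if posted_name == "nonce":
            continue
        if posted_name not in reverse:
            return None
        decoded[reverse[posted_name]] = value
    if set(decoded) != set(fields):
        return None
    ISSUED_NONCES.discard(nonce)
    return decoded


def browser_like_client(html: str, values: Dict[str, str],
                        fields: Sequence[str] = CHECKOUT_FIELDS) -> Dict[str, str]:
    """Fill the form the way a browser user does: read the names off the page
    just served, in the order the inputs appear (the visible labels, omitted
    here, tell the human which box is which)."""
    nonce = re.search(r'name="nonce" value="([^"]+)"', html).group(1)
    rendered_names = re.findall(r'<input name="([^"]+)">', html)
    post = {"nonce": nonce}
    for rendered, canonical in zip(rendered_names, fields):
        post[rendered] = values[canonical]
    return post


def hardcoded_bot(nonce: str, values: Dict[str, str]) -> Dict[str, str]:
    """A script written against last month's page: posts the canonical names."""
    return {"nonce": nonce, **values}
```

Renaming fields alone only raises the cost of automation: a script that fetches and parses the page on every run, as `browser_like_client` does, still works, which is why the approach described in the post also varies the surrounding markup and client-side code rather than just the names. The single-use nonce is what stops a captured mapping from being replayed for a second order.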


And finally there’s the concept of designing with security in mind, which is of course a lot harder than it might seem. But this is the approach most security researchers are advocating, with some even encouraging government agencies to impose fines on CE companies if their products are hacked. This might involve using chips that have trusted zones to store sensitive data, or rewriting the firmware for these devices with far more secure code. Many security cameras and routers are attacked via their firmware.

It’s not an area that gets much investment because, until now, it was something the user didn’t see. It’s like not dressing up for a conference call taken from the home office: it doesn’t matter until suddenly the conference call becomes a Google Hangout or video conference. Once these embedded devices started connecting to the internet, they were switched from voice to video and everyone could see their flaws.

Other elements of designing for security might be limiting access, securing how the device talks back to the cloud, and making sure the servers it talks to are secured. It might be the locked-down version of security we’re familiar with today, or it might mean implementing that type of Turing test to ensure a device is trustworthy before it transmits information.

Basically, security models change over time in the IT realms and, as we enter a new realm with more nodes, differing interconnections, normal users and dumb devices, we’re going to have to adapt. Let’s talk about how.

Target image provided by Flickr user Kevin Dooley.

8 Responses to “The internet of things needs a new security model. Which one will win?”

  1. Rick Bullotta

    Security, privacy, and identity are inseparable in this context. Also, traditional views of multi-tenancy fall flat on their face in a connected world. We’ve spent a great deal of time adding IP to our platform to deal with these challenges. Happy to show you sometime!

    Rick Bullotta
    ThingWorx – A PTC Company

  2. You make a great point that recent security breaches are serving as a wake-up call to corporations trying to secure their connected devices, as well as to consumers who want to be assured they can shop safely online or in a store without having their information compromised. Securing devices with both anti-virus software and hardware has been shown to reduce the likelihood of infection from a significant breach such as a man-in-the-browser attack.

  3. It won’t be the MS model that led to an unpatched POS with a 12-year-old Embedded OS. As long as the real security holes are hidden, covered up, and unreported, we will never have true security.


  4. WatchDox

    The security model is going to be a bit different for the infrastructure side of the IoT and the data side. The content and data displayed by smart devices will increasingly need to be self-defining and self-defending (i.e. if you want your personal files on your smart car/refrigerator/watch, you have to authenticate and the bits of the files themselves need to know to only decrypt for you). On the infrastructure side, there won’t be one easy model to address all the possible permutations.

  5. Very good article relating to a very important and leading concern with M2M and IoT – Security. Unlike the old “security” models, privacy is now at the forefront and should not be confused with security. Whitelisting has now replaced blacklisting as the predominant model and again is quite different from the previous attempts; underpinning this is an encrypt-everything approach. Interestingly, older AES (due to size) is not a perfect fit for ALL encryption, so the author of this article is correct that new methods of security are required.

    On the open standards side, ‘we’ are starting to make progress with MQTT and specifically the alignment and efforts to support guidance and mappings for the very important NIST Cyber Security Framework.

    Geoff Brown – OASIS MQTT, Secretary and OASIS MQTT Security Chair.
    – CEO of Machine-To-Machine Intelligence (M2Mi) Corporation

  6. James Hicks

    The problem is that every product and service wants to use and/or sell our data for marketing and advertising. Most don’t need to know who we are in order to deliver their value.

    For instance… I don’t care if a hacker breaches my connected thermostat and learns that some unknown person likes it to be 68 degrees in his living room…

    But when the company selling the thermostat wants to know my name, email address, income, birthdate, and so on, the hacker has enough data to potentially breach my Yahoo account, where he can learn all about my bank account, etc.

  7. How about network segregation?
    At the moment routers typically offer 2 networks, your home network and a guest network. This needs to change. My Nest doesn’t need to talk to my computer, just the internet. If it is compromised someone might be able to have it send out emails like the refrigerator, but it won’t be able to jump to my computer without an additional hack of the router. Every device should be completely segregated from other devices by default, including computers, and then special networks created for common functions like, say, a shared network printer.

    Every device could come with some info about what type of limited network protocols it needs to support. Changing this could be baked into some hardened code so that the hacker essentially has to be able to root the connected device to change the protocols, mitigating the damage of non-root hacks.
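As an added example (not part of this comment or of the original post), the policy the commenter describes can be written down as a small default-deny evaluator: each device carries a manifest of the internet services it needs and the shared-function groups it belongs to, LAN traffic between devices is denied unless a shared group explicitly exposes that service, and a blast-radius check shows which devices a compromised node could still reach. Device names, addresses, ports and manifests are constructed for the demo; the manifest idea resembles what the IETF later standardized as Manufacturer Usage Description (RFC 8520).

```python
"""Default-deny per-device network policy (added example, constructed data).
Devices, addresses and manifests are made up for this demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed home network
Service = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class Device:
    """What a device declares it needs: nothing is reachable unless listed."""
    name: str
    ip: str
    internet: FrozenSet[Service] = frozenset()  # outbound services to the internet
    internet_unrestricted: bool = False         # general-purpose computers only
    groups: FrozenSet[str] = frozenset()        # shared-function networks joined


# Shared-function networks: members may reach the named server on listed ports.
SHARED_GROUPS: Dict[str, Tuple[str, FrozenSet[Service]]] = {
    "print": ("printer", frozenset({("tcp", 631), ("tcp", 9100)})),
}

# Constructed inventory: two single-purpose devices, a printer and a laptop.
DEVICES: Dict[str, Device] = {d.name: d for d in (
    Device("thermostat", "192.168.1.20", internet=frozenset({("tcp", 443), ("udp", 123)})),
    Device("fridge", "192.168.1.21", internet=frozenset({("tcp", 443)})),
    Device("printer", "192.168.1.30", groups=frozenset({"print"})),
    Device("laptop", "192.168.1.10", internet_unrestricted=True, groups=frozenset({"print"})),
)}


def device_at(ip: str) -> Optional[Device]:
    """Look up the inventory entry for a LAN address, if any."""
    return next((d for d in DEVICES.values() if d.ip == ip), None)


def allowed(src_name: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide one flow. Internet-bound traffic must match the manifest;
    LAN-bound traffic is denied unless src and dst share a group in which
    dst is the group's server and the port is one of its listed services."""
    src = DEVICES[src_name]
    if ipaddress.ip_address(dst_ip) not in LAN:
        return src.internet_unrestricted or (proto, port) in src.internet
    dst = device_at(dst_ip)
    if dst is None:
        return False  # unknown LAN host: no lateral traffic by default
    for group in src.groups & dst.groups:
        server, services = SHARED_GROUPS[group]
        if dst.name == server and (proto, port) in services:
            return True
    return False


def blast_radius(src_name: str) -> Set[str]:
    """Devices a compromised src could still reach on the LAN under this
    policy: the set the comment wants kept empty for single-purpose devices."""
    reachable = set()
    for dst in DEVICES.values():
        if dst.name == src_name:
            continue
        for _, services in SHARED_GROUPS.values():
            if any(allowed(src_name, dst.ip, proto, port) for proto, port in services):
                reachable.add(dst.name)
    return reachable
```

The same manifests are what a router would compile into per-device firewall rules; the point of keeping them explicit is that a compromised thermostat can still reach its vendor over HTTPS but cannot send mail or touch the laptop, and `blast_radius` makes that property something you can check rather than assume.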