The internet of things needs a new security model. Which one will win?

fingerprint secret

The Target data breach occurring over compromised point-of-sale terminals. The recent news that a botnet army which sent 750,000 spam emails included a refrigerator. The discovery of a Linux worm that could infect security cameras. In the last two months all of these headlines have served to stoke fear over the vulnerability of connected devices and current security practices. Much like the cloud has allowed denial of service attacks to grow in might, the array of relatively dumb and unsecured connected devices threatens to participate in botnets, leak data or act as a weak point for hackers to target.

And when it comes to securing the internet of things, it’s likely that the current methodologies will have to change, given the characteristic of how a connected and interconnected world works. Instead of keeping bad guys out, the zeitgeist is moving toward assuming everything is compromised and working out a way to prevent attacks from becoming a success or figuring out a way to establish and then re-establish a trusted environment.

Target store

This is hard. But first, let’s focus on some of the things that make the internet of things such a challenge to secure in the first place.

Why isn’t the internet of things secure yet?

  • Promiscuity across networks. Because devices are not only expected to talk to the internet, but also with each other that means that every node on the network is a potential weak point — and depending on whose numbers you believe those devices will number in the 30 to 50 billion in the next five or six years. You aren’t only securing the internet of things from dangers that might attack it over the public internet, but because most connected device networks are mesh networks, you must secure a bad node from attacking or co-opting other devices on the same mesh.
  • Connected devices are stupid. As this post from Gartner points out, not all connected devices are like smartphones or even packing the computational power of a 32-bit microcontroller. That means tasks like encrypting data are going to be impossible and any type of security must be lightweight.
  • The owners of connected devices are stupid. Fine, they may not be stupid, but they certainly aren’t using password generators or even making sure their hardware is up to date or changing the admin password on the devices. Many consumer connected devices have to be dead simple and have security to match. And of course, if the trade-off is between security and convenience (two-factor authentication? No way!) security will lose.
  • The great unknown. We haven’t figured out how we’re going to get devices to talk to each other and to automate our workplaces and lives yet. It’s really hard to secure an amorphous concept, which is pretty much what most implementations of the internet of things looks like today. Sure, there are closed systems that may feel more secure, but if we accept that the goal here is to build services on top of hardware and software that shares its data, then those closed systems are going to look like relics of a quaint and forgotten past. But so far, we don’t know what will evolve, what protocols it will use and what ways to build out the system will win.

Which framework wins out?

There are many, many more issues some of which are subsets of these and others that are just crazy, like the idea of denial of power attacks by which an attacker sucks an essential sensor battery dry. So how will we secure this?

One idea gaining ground is that we will accept that the system is insecure and then develop software and procedures to determine what we can trust on the fly. I have no idea what it might look like, although my friend Jason Hoffman at Ericsson likened it to a Turing test for security that devices might perform. It has the same underlying assumption that influences Netflix’s Chaos Monkey concept, which is to assume systems will break and prepare for it in all manner of ways.

In a related concept, perhaps instead of stopping data breaches we’ll stop those who profit from them, from actually making money. This week, Shape Security, a startup founded by some ex-Googlers, launched a product that tries to prevent people from mass-charging goods at online retailers. Shape’s magic is that it can generate a dynamic and ever-changing version of the HTML, CSS and Java on a web page while still keeping the front-end looking the same.

The benefit of this is the hackers who have stolen credit card information can’t write scripts that automatically fill out the order forms on web sites like Amazon or Wal-Mart. When you’re trying to monetize 30 million stolen credit cards, you aren’t entering that data by hand.

webcam

And finally there’s the concept of designing with security in mind, which is of course a lot harder than it might seem. But this is the approach most security researchers are advocating, with some even encouraging government agencies to impose fines of CE companies if their products are hacked. This might involve using chips that have trusted zones to store sensitive data or rewriting the firmware for these devices with far more secure code. Many attacks on security cameras and routers are hacked via the firmware.

It’s not an area that gets much investment because, until now, it was something the user doesn’t see. It’s like not dressing up for a conference call taken from the home office — it doesn’t matter until suddenly the conference call becomes a Google Hangout or video conference. Once these embedded devices started connecting to the internet they were switched from voice to video and everyone could see their flaws.

Other elements of designing for security might be limiting access, or securing how the device talks back to the cloud and making sure the servers it talks to are secured. It might be the locked-down version of security we’re familiar with today, or it might mean implementing that type of Turing test to ensure it’s secure before transmitting information.

Basically, security models change over time in the IT realms and, as we enter a new realm with more nodes, differing interconnections, normal users and dumb devices, we’re going to have to adapt. Let’s talk about how.

Target image provided by Flickr user Kevin Dooley.

loading

Comments have been disabled for this post