IoT security: How to do it (mostly) right

2 Comments

The Internet of Things could get out of control pretty fast. We’re still pretty far from self-aware homes trying to procreate, but as Gigaom Research analyst Craig Foster noted in his recent report on IoT security, the dangers are already very real. Take a look at the maritime industry. Earlier this year, hackers tilted and shut down an oil rig, and many tanker crews disable their own electronic tracking and guidance systems to avoid interception by tech-savvy pirates. Yes, ships carrying more than 100 million gallons of oil are running blind. If the energy security and environmental concerns of that example doesn’t bother you, consider this: Any finalist in the Qualcomm Tricorder XPrize Competition — all consumer-grade devices — will be able to diagnose the following conditions, at a minimum:

  • Anemia
  • Urinary tract infection
  • Diabetes
  • Atrial fibrillation
  • Stroke
  • Sleep apnea
  • Tuberculosis
  • Chronic obstructive pulmonary disease (COPD)
  • Pneumonia
  • Otitis (“ear infection”)
  • Leukocytosis
  • Hepatitis A

That’s highly sensitive information that could be very valuable to criminals and rule-bending marketers. Widely distributed consumer devices like the Tricorder are also perfect targets for hackers. They store or transmit valuable personal information, generally over consumer-grade networks, with enough aggregate volume to make significant hacks worth the effort. Pair this with inevitable automated prescription dispensers and you have a fraudster’s dream. And while it hasn’t happened yet, the Homeland pacemaker assassination hack is indeed very possible.

The good and bad news is that despite its velocity, the IoT is very, very young. No one can say with any degree of confidence what the plumbing beneath connected devices will look like in five years. We don’t know which of the various device connection protocols will win, how certain categories of devices will be regulated, or how any of this will be secured. Again, that’s good news for hackers in the short term, but it’s also a call to action for the rest of us to make things right before they get too dangerous.

So what can a solitary device manufacturer or app developer do? Quite a lot. Here are three places to start.

Take it seriously. The first step is acknowledging that risk exists. Very few companies in the IoT world started out that way. Nike made clothes. Coca Cola mixed sugar and water. In most cases, business opportunities just happened, and the infrastructure followed the money – features first, safety second. Security isn’t a big concern when you’re plugging an anonymous heart rate monitor into a PC, but tie that heart rate to a phone number and a blood sugar tracker and in aggregate, you have something you need to protect.

As Foster pointed out, many businesses are unwilling to accept suggestions about how to shore up networks and devices, because it’s still not a big deal. Target thought that way, ignoring repeated alerts from its security team before the meltdown of 2013. Don’t be Target.

Use what you know. This new breed of sensor-based devices is different from what’s come before, but it’s not that different. Translate established practices like secure boot and sandboxing that are already part of your other development efforts, and if you’re using common communications protocols, be sure to apply the same types of security that you do there. Government and industry regulations are generally slow to catch up to the pace of hardware development, so to cover yourself, implement your best approximation of existing mobile or Web-based compliance measures as a stop-gap. You’ll close most of the big holes, and you’ll show your regulatory agency that you’re one of the good ones.

Shape the industry. At this year’s TechEd, I asked several members of the Windows Intune staff what they were doing to address the IoT issue. Their answer was “participating in standards discussions, leading where it makes sense, and listening when it doesn’t.” Not ver flashy, but you’ll never hear a vendor give better advice.

If your industry already has a regulatory body, you’ll certainly want to push tech issues there, but the IoT needs volunteers to help drive standards. Organizations like the AllSeen Alliance (the security-focused partner of the Linux Foundation’s Alljoyn) are setting standards that will extend far beyond any one industry or use case. It’s important to know what’s coming, and even more important to help guarantee that tomorrow’s standards will actually work for you.

2 Comments

Manu Namboodiiri

Agreed – this could become a serious issue. With physical devices, if might help to look at the control plane and data plane separately as a way to reduce scope. From a privacy and value perspective, the data plane might be more important (though one cannot discount the disruptions caused by rouge take over of a critical infrastructure device).

An approach around whitelisting, lockbox-type metaphors for massively scalable information sharing across the ecosystem, context-based policy definitions (i.e policies that are based on what is happening in the environment now) could be the basis of a good security model..

Thanks for the interesting article..

slhong

The main issue is going to be that every device in the network must be able to communicate securely. With IoT, all it takes is for one device to fall prey to a hacker and all of the devices in the network will be compromised. We have developed a potential solution to this problem by using sensor data as the backbone of encryption technology. This way, every device is capable of protecting everything that it transmits and breaking the encryption becomes virtually impossible. Check out our solution at: http://retechtive.wordpress.com

Comments are closed.