Approaching security in IoT

It seems that the 50 billion connected devices by 2020 figure has become a shorthand for describing just how much the networking of the physical world will and is changing our lives. But while some are excited by that prospect, those in security circles see an enormous challenge—now there are 50 billion access points that are hackable and that connect to higher value targets.

The common example cited by security consultants relates to what happens when employees enter a facility with their own connected devices. Consider an extreme example like a nuclear power plant that has opted to significantly shut down outside internet connections due to the obvious security/cyberwar risks of losing control of a nuclear power plant.

But what happens when an outside service tech enters the facility, realizes he needs an internet connection to access a piece of information and hooks his 4G phone into his laptop, which is on the internal network?

A nuclear power plant is an outlier example, perhaps, but your average enterprise institution is not. And it’s not just using a smartphone as a hotspot that’s an issue. Rather, a wearable like a Fitbit could be hacked and once it’s on a local network, syncing with someone’s phone that’s in turn on a company network, the vulnerabilities become more clear. Using soft targets like wearables to access harder targets like enterprise servers is not unthinkable, particular if mesh networks increase.

So what do you do about these 50 billion devices? One solution is to begin to have a conversation about putting security on the device itself. We’re seeing the beginning of this with microcontroller makers like Freescale and NXP starting to build chips with security built onto the hardware.

Alternatively, you can continuously push security software updates to the piece of hardware but with the proliferation of devices out there, this is a tough road to hoe. With billions of devices running multiples patches a year, the numbers add up as does the need for storage and processing power. It gets even tougher when you consider that many of these devices are very inexpensive and device makers are reticent to slow down a production cycle to build better security into a product. This is even more true when the unspoken perception remains that a security breach of something like a fitness wearable is low impact.

There are likely to be an array of approaches to the new world of security threats but one novel approach is coming from startup Bastille, which has offices in San Francisco and Atlanta, and has raised over $11 million in early funding. Bastille is looking to track and characterize all wireless transmissions in a given physical area so that companies can begin to know precisely every device transmitting. It “sniffs” the airwaves from 50 megahertz up to gigahertz for transmitters. The devices can then be characterized from that information, localized physically, and then potentially associated with an employee badge.

Knowing what devices are transmitting from an environment that needs to be secured opens up the door to better security. One use case is an environment like a data center where unusual activity like a high amount of wireless data transfer coming from a specific rack and row within a facility would give an alert to be investigated.

Bastille is in early stages, running pilot tests with customers. Its early target market is the financial services industry. We’ll see whether continuously sniffing the electromagnetic spectrum of a physical location proves to be part of the IoT security solution, but from hardware to software providers, it’s clear we’re going to need new security solutions to accommodate the growth of IoT.