Securing the Internet of Things in an Insecure World

Care should be taken to engineer safety and trustworthiness into IoT products and services.
By Hugo Fiennes
Jun 02, 2015

According to the 2014 Hewlett-Packard Internet of Things Research Study, 70 percent of connected products analyzed did not use data encryption when establishing network connections. Yet encrypting such connections has been standard practice for websites transmitting personal data for nearly 20 years.

If you work for a company that is banking on the promise of the Internet of Things, that kind of statistic should keep you up at night. This poor state of security protections in IoT devices threatens to undermine the enormous economic opportunity that the IoT represents—and the lack of encryption is only one of the many weaknesses in shipping connected products.

With an expected 50 billion devices connecting to the Internet by 2020, an exponentially growing number of vulnerable entry points is being created across myriad business sectors. Enterprise and infrastructure security incidents can affect millions of people and impact a company's brand reputation and bottom line.

From hacked routers to smart refrigerators sending spam e-mail, no sector or industry is immune from attack. A couple of high-visibility breaches will spread distrust of the entire IoT ecosystem.

The Domino Effect of Vulnerabilities
In certain cases, the compromise of a single device—maybe one to which an attacker has physical access—could lead to data leakage that could compromise other devices remotely. To ensure that this is not possible, it is important for devices to use hardware-protection mechanisms, where available, to safeguard critical digital keys.

Consider a connected heating, ventilating and air-conditioning (HVAC) system. Such a system communicates with a back-end server that may relay information from a mobile device or communicate user-specific usage patterns. If the system does not mandate complex encryption keys, any data that travels to and from it will be insecure, and can thus be tapped and used to gain access. One compromised HVAC system could then lead to an attack on other buildings' systems, enabling the attackers to ascertain when a building is unoccupied, or even snoop on other networks or devices. Yes, it is possible to turn an HVAC system into a spy.

And about those hacked refrigerators: While you may think an attack would lead to nothing more than spoiled milk, gaining control of a device behind a firewall could enable attacks on more important devices on your network, and could even lead a nefarious party to financial or company data. (And it's not just a concern for homeowners. Does your office have a fridge in the break room?)

Security Is a Journey, Not a Destination
So how do you secure your connected business in an insecure world?

The only way to prevent breaches is to build security into a device—and the infrastructure that connects and serves it—at the outset. This may include encryption, secure boot, hardware protections and cryptographic authentication, at a minimum. Security cannot be an afterthought. Instead, it needs to be treated as a continuous process that is agile, adaptable, timely and managed throughout a product's lifetime.

This doesn't have to be complicated and time-consuming. If you think carefully about the security implications at each step of the product-design process, it is entirely possible to engineer in safety and trustworthiness.
