Securing the Internet of Things in an Insecure World
Care should be taken to engineer safety and trustworthiness into IoT products and services.
Jun 02, 2015—
According to the 2014 Hewlett-Packard Internet of Things Research Study, 70 percent of connected products analyzed did not use data encryption when establishing network connections. Yet, that's a standard that has been in place for websites transmitting personal data for nearly 20 years.
If you work for a company that is banking on the promise of the Internet of Things, that kind of statistic should keep you up at night. This poor state of security protections in IoT devices threatens to undermine the enormous economic opportunity that the IoT represents—and the lack of encryption is only one of the many weaknesses in shipping connected products.
From hacked routers to smart refrigerators sending spam e-mail, no sector or industry is immune from attack. A couple of high-visibility breaches will spread distrust of the entire IoT ecosystem.
The Domino Effect of Vulnerabilities
Consider a connected heating, ventilating and air-conditioning (HVAC) system. Such a system communicates with a back-end server that may relay information from a mobile device or communicate user-specific usage patterns. If the system does not mandate complex encryption keys, any data that travels to and from it will be insecure, and can thus be tapped and used to gain access. One compromised HVAC system could then lead to an attack on other buildings' systems, enabling the attackers to ascertain when a building is unoccupied, or even snoop on other networks or devices. Yes, it is possible to turn an HVAC system into a spy.
And about those hacked refrigerators: While you may think an attack would lead to nothing more than spoiled milk, gaining control of a device behind a firewall could enable attacks on more important devices on your network, and could even lead a nefarious party to financial or company data. (And it's not just a concern for homeowners. Does your office have a fridge in the break room?)
Security Is a Journey, Not a Destination
The only way to prevent breaches is to build security into a device—and the infrastructure that connects and serves it—at the outset. This may include encryption, secure boot, hardware protections and cryptographic authentication, at a minimum. Security cannot be an afterthought. Instead, it needs to be treated as a continuous process that is agile, adaptable, timely and managed throughout a product's lifetime.
This doesn't have to be complicated and time-consuming. If you think carefully about the security implications at each step of the product-design process, it is entirely possible to engineer in safety and trustworthiness.
SIGN UP FOR THE IOT JOURNAL NEWSLETTER
ASK THE EXPERTS
Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information