The Internet of Things Demands Trust

In the IoT, every connection is a threat vector. But by banding together and deploying sensible baseline security standards, the industry can turn the Internet of Things into the Internet of Trust.
By Philip Lewer

No matter what the online scenario may be, authentication plays an essential role in keeping the process secure for everyone involved. Two-step verification is a relatively new method of authentication that companies are using to keep information secure. It adds an extra step to the login process, such as texting a user a time-sensitive passcode, using a second-factor device such as a FIDO Alliance USB dongle, or scanning a person's fingerprint, in addition to having that individual enter his or her password. For the IoT, effective security prevents criminals from accessing data. This protects against the kinds of sabotage that can cripple the public infrastructure—which increasingly relies on smart grids and other network-controlled operations—and makes the IoT a safe place for private users, from the homeowner programming a remotely controlled thermostat to the global corporation managing thousands of connected devices.

While it makes sense, in theory, to require all IoT devices to meet baseline security requirements, the reality is that adding security costs money, and unless a hack actually occurs, there is little return on the manufacturer's investment. To prompt IoT manufacturers to make that investment, we could take a lesson from the automotive industry, in which drivers are required to carry liability insurance that pays for damage they might do to others on the road. In a similar fashion, IoT manufacturers could be required to add a minimum set of security features, so as to minimize the risk of online sabotage and, in a way, invest in the safety of others.

An alternative, arguably more expedient route would be for the industry to take matters into its own hands, through either existing coalitions like the FIDO Alliance or the creation of a new IoT security-focused industry consortium that encourages a baseline standard for security technologies. This could entail the requirement of public key cryptography for mutual authentication among nodes, gateways and the cloud; the secure storage of private keys in tamper-proof secure elements, with keys never being transmitted in the clear; or requiring that all firmware be signed, resulting in all nodes and gateways having to boot up securely based upon a protected, secure element-based hardware root of trust. The good news is that these technologies are readily available today, and are commonly used in such industries as banking, transportation and e-government. Such technologies can be leveraged for a fraction of the cost of what it takes to deal with the recalls, support and brand impact of a breach.

Every potential connection is a threat vector. Access control across billions of devices will be imperative to ensure data integrity and protection. A key requirement of access control is authentication, and authentication must be based on a unique, immutable identifier rooted in hardware which establishes trust—a hardware root of trust. For the Internet of Things to flourish, it must become an Internet of Trust.

Philip Lewer is the marketing director for IoT and smart homes for the Americas at NXP Semiconductors. He has more than 20 years of marketing, business-development and engineering experience in various technology industries.
