The Key to IOT Security

on September 15, 2015

The potential opportunities within the Internet of Things (IOT) continue to be at the forefront of many people’s minds. But lurking in the back corners of those same minds are concerns about the potential security nightmares of a fully connected world.

Even barring the crazy Skynet scenarios from The Terminator, there are plenty of good reasons to be concerned about the hyper-connectedness of IOT, as I’ve written about in the past. In fact, the possibility of security-based issues creating problems is one of the key reasons I believe it will be a very, very long time before we see widespread use of fully autonomous automobiles on our roads.

We’ll certainly see lots of great developments in smarter cars that have collision avoidance features and other automated safety improvements, but that’s still a big difference from being fully autonomous. In other areas, we’ll likely see similar types of adjustments that reflect concerns around the potential for insecure connections.

To be sure, the move toward greater connectivity across multiple devices continues to gain momentum, and it’s arguably an unstoppable force at this point. Nevertheless, conscientious efforts to modestly slow, or perhaps refocus or reshape some of these developments around a security-based paradigm, is going to be critically important for the long-term success of IOT.

One way of doing that is by looking at some of the essential ways to drive a more secure IOT environment. I believe one of the key solutions is going to be leveraging hardware-based security models—think embedded tokens, device IDs or secure elements that can uniquely identify a given device on a network.

By establishing a root of trust on a device, a secure embedded element can help the device and any embedded operating system on it assure that they “are” who they think they are, and also ensure that no changes have been made to any firmware or boot code on the device. Though admittedly very technical, this is a key element in maintaining the security of a single device.[pullquote]By establishing a root of trust on a device, a secure embedded element can help the device and any embedded operating system on it assure that they “are” who they think they are.”[/pullquote]

Even more importantly, however, a hardware-based security element can also be used to identify and authenticate a device on a network. At a simplistic level, this is actually how SIM cards work with carrier networks—they identify your phone to the network, assuring that the phone can function and that your phone’s number/identity is who it says it is.

Of course, the concept of an embedded hardware element and the reality of its implementation can be two different things. Long-time industry observers may recall the brouhaha that Intel created many years back when it tried to put CPU IDs into its processors.

Times have changed, however, and the security breaches that bombard us in the news every day have likely changed the minds of individuals who may have had concerns about these technologies in the past. Plus, the highly networked nature of all our devices makes the issue more pressing now than it ever has been.

There are now a significantly larger number of companies (and devices) involved in trying to solve these issues. Everyone from SIM card makers like Gemalto to CPU vendors like Intel to IP licensing companies like ARM, Imagination Technologies, Synopsys and others are working to create different types of device ID “card” equivalents that can be used to piece together a more secure environment for IOT.

Just as one type of key won’t work on all types of locks, there’s still a lot of hard work to ensure that the different types of secure IDs and different security protocols and authentication methods can talk to one another. But software alone can’t solve the challenges of IOT security—it’s still going to take some hardware to make digital security keys really work.