The potential opportunities within the Internet of Things (IOT) continue to be at the forefront of many people’s minds. But lurking in the back corners of those same minds are concerns about the potential security nightmares of a fully connected world.
Even barring the crazy Skynet scenarios from The Terminator, there are plenty of good reasons to be concerned about the hyper-connectedness of IOT, as I’ve written about in the past. In fact, the possibility of security-based issues creating problems is one of the key reasons I believe it will be a very, very long time before we see widespread use of fully autonomous automobiles on our roads.
We’ll certainly see lots of great developments in smarter cars that have collision avoidance features and other automated safety improvements, but that’s still a big difference from being fully autonomous. In other areas, we’ll likely see similar types of adjustments that reflect concerns around the potential for insecure connections.
To be sure, the move toward greater connectivity across multiple devices continues to gain momentum, and it’s arguably an unstoppable force at this point. Nevertheless, conscientious efforts to modestly slow, or perhaps refocus or reshape, some of these developments around a security-based paradigm are going to be critically important for the long-term success of IOT.
One way of doing that is by looking at some of the essential ways to drive a more secure IOT environment. I believe one of the key solutions is going to be leveraging hardware-based security models—think embedded tokens, device IDs or secure elements that can uniquely identify a given device on a network.
By establishing a root of trust on a device, a secure embedded element can help the device and any embedded operating system on it assure that they “are” who they think they are, and also ensure that no changes have been made to any firmware or boot code on the device. Though admittedly very technical, this is a key element in maintaining the security of a single device.
Even more importantly, however, a hardware-based security element can also be used to identify and authenticate a device on a network. At a simplistic level, this is actually how SIM cards work with carrier networks—they identify your phone to the network, assuring that the phone can function and that your phone’s number/identity is who it says it is.
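The two roles described above, checking that firmware is unchanged and authenticating the device to a network, can be sketched as one challenge-response exchange. This is an added example, not code from the original article; the class names, the shared symmetric key and the use of HMAC-SHA256 are assumptions chosen to mirror the SIM-style model, and the `SecureElement` class is a software stand-in for real hardware.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Stand-in for a hardware element: the key is set once and never exported."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.__key = key

    def attest(self, nonce: bytes, firmware: bytes) -> bytes:
        # Measure the firmware image that is about to run, then bind that
        # measurement to the verifier's fresh nonce using the device key.
        measurement = hashlib.sha256(firmware).digest()
        return hmac.new(self.__key, nonce + measurement, hashlib.sha256).digest()


class Verifier:
    """Network side: holds each enrolled device's key and approved firmware hash."""

    def __init__(self):
        self.enrolled = {}  # device_id -> (key, expected firmware hash)
        self.pending = {}   # device_id -> outstanding nonce

    def enroll(self, device_id: str, key: bytes, good_firmware: bytes) -> None:
        self.enrolled[device_id] = (key, hashlib.sha256(good_firmware).digest())

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # single use: rejects replays
        if nonce is None or device_id not in self.enrolled:
            return False
        key, expected = self.enrolled[device_id]
        want = hmac.new(key, nonce + expected, hashlib.sha256).digest()
        return hmac.compare_digest(want, response)


def run_exchange(verifier: Verifier, element: SecureElement, firmware: bytes) -> bool:
    """One full round: challenge, device response, verification."""
    nonce = verifier.challenge(element.device_id)
    return verifier.verify(element.device_id, element.attest(nonce, firmware))
```

A response is accepted only when the device holds the enrolled key and is running the approved firmware image; a modified image, a cloned ID with a different key, or a replayed response all fail verification.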
Of course, the concept of an embedded hardware element and the reality of its implementation can be two different things. Long-time industry observers may recall the brouhaha that Intel created many years back when it tried to put CPU IDs into its processors.
Times have changed, however, and the security breaches that bombard us in the news every day have likely changed the minds of individuals who may have had concerns about these technologies in the past. Plus, the highly networked nature of all our devices makes the issue more pressing now than it ever has been.
There is now a significantly larger number of companies (and devices) involved in trying to solve these issues. Everyone from SIM card makers like Gemalto to CPU vendors like Intel to IP licensing companies like ARM, Imagination Technologies, Synopsys and others is working to create different types of device ID “card” equivalents that can be used to piece together a more secure environment for IOT.
Just as one type of key won’t work on all types of locks, there’s still a lot of hard work to ensure that the different types of secure IDs and different security protocols and authentication methods can talk to one another. But software alone can’t solve the challenges of IOT security—it’s still going to take some hardware to make digital security keys really work.
3 thoughts on “The Key to IOT Security”
There’s one key (sorry!) difference between mobile network security and Internet security: carriers control their mobile network end-to-end. Nobody controls anything on the Internet.
A phone authenticates to its carrier’s network, then data never ever leaves it (except for roaming, but since it’s still going through a carrier, that’s basically the same, all carriers are legit – except for stingrays… remember those? https://en.wikipedia.org/wiki/Stingray_phone_tracker).
On the Internet, the data goes through an unknown route, through any number of servers that can be safe, unsafe, hackers’, not even the server they pretend/are supposed to be… The security issues are completely different and much more cumbersome to solve. On the Internet, you have to treat any connection as a stingray…
SIM-like authentication and security won’t work by itself. Also, GSM encryption was cracked years ago, showing that anything hard-coded is just a recipe for disaster.
“I believe it will be a very, very long time before we see widespread use of fully autonomous automobiles on our roads.”
Travis Kalanick at Uber has big plans for self-driving cars, as they eliminate the need to pay a driver and therefore (according to him) can make using Uber cheaper than private ownership of cars. He is hiring experts on the subject and poached 50 people from Carnegie Mellon’s National Robotics Engineering Center; many were top employees. Additionally, Uber hired two well-known car hackers to help devise its own defenses.
We all know that Uber is hyper-aggressive and tends to roll over anything in its way. So I suspect Kalanick would have a sharp difference of opinion with you on how soon fully autonomous automobiles will be seen everywhere on our roads.
You’re worried about hacking of cars. Are you not aware of the difficulty of hacking 128-bit (or even 256-bit) encryption?