IoT products still need to be secured. Encryption and other crucial steps to take
Our desire for a connected world conflicts with our need for personal privacy and security. Per-device security on par with what’s found at IT facilities is becoming a necessity for even the tiniest sensors and monitors. The Internet of Things (IoT) makes data security even more important.
Forbes reports that the global market intelligence firm IDC projects 22 billion connected devices by 2018, with more than 200,000 apps and services being developed for the IoT specifically. Big businesses are already swooping in to claim their share of the market. But any concerted effort to inject high levels of security into the tsunami of technology is running behind the curve.
Security specialists Charlie Miller and Chris Valasek snagged headlines with their study on the vulnerability of connected cars. They hacked into a Toyota Prius and a Ford Escape with a laptop connected the vehicles’ diagnostic ports. It gave them control of headlights, steering, and braking.
In 2014, Scott Erven and a group of security researchers published the results of a two-year study on the vulnerability of medical devices. It exposed security flaws that could present risks to the health and safety of patients using IoT-enabled devices. They discovered that they were able to remotely control devices such as linked defibrillators and drug infusion pumps.
3 Categories of risks
1. Attacks against IoT devices
IoT devices are alluring targets to hackers. Private lives and valuable, sellable data are there for the taking. A connected security cam, for example, can provide details about security that’s in place at a given location.
Best defense: Use Device ID Certificates to establish identity and facilitate authentication to services and other gadgets.
2. Attacks against communications
A common attack technique includes monitoring and modifying messages as they are communicated. The volume and sensitivity of information passing through the IoT environment makes these types of attacks dangerous. Messages and information are easy to intercept and manipulate while in transit.
Best defense: Make the default transmission method secure and encrypted.
3. Attacks against the masters of devices
Every device in service of IoT has a master. The master’s function is to manage devices and analyze data. If you attack or gain control of the master, you have the ability to inflict massive damage. As consumers place deeper trust in IoT manufacturers, it won’t take more than one or two well-publicized attacks of this nature to inflict financial ruin on a company and cast a pall on the idea of IoT.
Best defense: Code finalizing of firmware is an essential defense.
Why protecting IoT isn’t easy
Can’t we just port over the security measures we already use elsewhere? They’re not perfect, but we’ve got some pretty strong security protection protocols in place in our data centers. Unfortunately, they won’t necessarily work because they can’t all scale.
SSL was not designed for the challenges dealing with IoT. Firewalls and SSL will not be able to keep up with the medium’s scale and device fragmentation.
IoT continues to gobble up new spheres of control. Billions of devices will be added in the coming years. Enterprises currently have a full-time job protecting their far-less-complicated data centers. What will life be like that when they have to expand the effort to secure all of the IoT devices brought on board?
One solution: end-to-end encryption
It’s predicted that within the next five years, 90 percent of all IoT data will live in third-party clouds. That figure is just one example of why businesses should embrace an “encrypt-everything” approach right now and going forward to safeguard against IoT-enabled breaches.
This technique maximizes defense. It doesn’t matter whether the data resides in a public or private cloud. It’s also going to remain secure in transit. Encrypting everything keeps data safeguarded when preliminary defenses fail.
There’s soon going to be too much data on too many IoT devices to do it any other way. Many of these devices will be too “dumb” to have the capacity to process encryption or decryption at their end. They’ll need to secure and compress data in real time in a single pass at the byte level. Approaching it this way also ensures that the user experience isn’t impacted. Who wants a sluggish IoT device, even if it’s a secure one?
Network data efficiency is just as important, because many IoT devices will use cellular networks. Encryption approaches will have to be mindful of the compression necessary to reduce the expense. Somebody has to pay for that bandwidth.
Walking the line
The challenge to the burgeoning IoT industry will be finding ways to create millions of affordable things (such as smart thermostats) smart enough to keep you comfortable, as well as shielded from the consequences of the data they need to do it.
If you’d like to learn more about how encryption is becoming essential and other important security protocols in today’s IoT and cloud environment, contact CloudHesive today.