Internet privacy and security have been heated topics for decades. But the rapid rise and future projections for connected devices and embedded sensors have only escalated the conversation - fueled recently by a lack of substance on security at CES 2016 and this week's #PrivacyAware observance.
Scale and Nature Create Opportunity for Disaster
With numerous reports of hackable smart devices and systems, it's clear that there's a lot of unprotected scenarios in today's connected world. And with 200 billion connected devices projected by 2020, the future scenario at scale is a scary one if individuals and companies fail to take precautions to prevent hacks (the bad kind), leakage and other data breaches.
The scale of hundreds of billions of devices and the nature of those devices being integrated into our daily lives opens the door to everything from hobbyist hackers creating nuisance breaches in the smart home / consumer sector to corporate security breaches to terrorist attacks on a national security level.
Securing the Internet of Things Isn't Impossible
Fortunately, we've seen many advances in both technology and practices in the last 12-24 months that have helped make the Internet of Things a much safer, more secure place to be. One of the most significant advances is the availability of IoT developer platforms like Losant, which provides full encryption between devices and the cloud - all built in to the solution.
We're seeing big players like Google introducing IoT focused operating systems and communications protocols like the new Brillo OS and Weave IoT communication platform. As for other practices and technology helping to improve IoT security and privacy, advances in software/firmware, hardware design and networking have allowed increased capabilies in many security approaches including:
- Secure booting - authentication when power is first introduced to the device.
- Device authentication - authentication between device and network.
- Access control - managment of of who and what has access to "things."
- Deployment of patches and fixes - ability to quickly and efficiently remotely install updates.
Wisdom of the Experts
We've curated a list of some of the best recent talks and sessions on securing the Internet of Things, from high level theory to detailed technical guidance.
The Internet of Things: Dr. John Barrett at TEDxCIT
To serve as a baseline, it helps to reference one of the most popular seminal talks on IoT back when very few people had head the phrase. Barrett describes a connected utopia of convenience and efficiency - which we completely support and believe in. However even back then, Barrett warns of the potential risk of abuse and misuse - which also creates economic opportunity for the internet and software security sector.
Swimming With Sharks - Security in the Internet of Things: Joshua Corman at TEDxNaperville
Corman breaks down the psychology of hackers and touches on the how and why they do what they do. Though he stresses how serious of an issue it is - he encourages us not to be scared, adopting his system described as FUD: Facts, Urgency and Demand Visibility.
Governments Don’t Understand Cyber Warfare. We Need Hackers: Rodrigo Bijou at Ted.com
Bijou suggests that the Internet has transformed the front lines of war, and as a result, leaving governments behind. Modern conflict is being waged online between non-state groups, activists and private corporations, and the digital landscape is proving to be fertile ground for the recruitment and radicalization of terrorists.
Meanwhile, draconian surveillance programs are ripe for exploitation. Bijou urges governments to end mass surveillance programs and shut "backdoors" — and he makes a bold call for individuals to step up.
Securing the Internet of Things - Paul Fremantle at EclipseCon 2014
Digging in to the technical side of IoT security, Fremantle examines the security challenges around using M2M devices with protocols such as MQTT & CoAP. In particular he touches on encryption, federated identity and authorization models. On the topic of encryption, he discusses securing MQTT with TLS, challenges with Arduino, and using hardware encryption for microcontrollers.
On the Internet, protocols like OAuth 2.0, OpenID Connect & User Managed Access have been defined to enable a privacy-respecting user consent & authorization model. Fremantle looks at the issues involved with applying these protocols to the M2M world and reviews existing proposals and activity for extending the above M2M protocols to include federated identity concepts.
The Internet of Fails - Mark Stanislav and Zach Lanier
Stanislav and Lanier dive into research, outcomes, and recommendations regarding information security for IoT - both from their own research as well as the work of people they admire. They review several examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for things.
The talk wraps up discussing several strategies to introduce better controls and security measures to keep connected devices and cloud based data safer and more secure.
With the emergence of ubiquitous computing accelerating at such a rapid pace, connected devices and embedded sensors will soon surround us and become party of our daily lives. At that scale and level of integration in our lives, security is one of the paramount concerns for IoT adoption.
Though alarming headlines about hacking smart devices and IoT's lack of security may be dominating the headlines lately, the reality is that connected devices and IoT solutions can - and we believe will be - made more secure by implementing practices mentioned by the experts in the videos above and using available technology like IoT platforms that offer full built-in encryption between devices and the cloud.
