Unicorns, Sasquatch & IoT Security June 2, 2014 | by Sean Lorenz
Media attention around IoT-related security breaches have escalated over the past year, causing many to wonder how, exactly, we are going to make sure our connected world is secure. Hoax or not, there has been quite a bit of talk lately about how difficult it will be to secure IoT-enabled devices. I recently attended the excellent Security of Things Forum in Cambridge, Mass. where a room full of bright security experts spoke as if IoT security was non-existent. It felt a bit like a group of people hunting down Big Foot, Sasquatch, or magic fairies.
It’s easy to understand the fear and myth-like status of security concerns for connected devices. Even though a few security breach stories such as that of the hacked refrigerator turned out to be an urban legend, the possibility of easily accessing these products online is absolutely possible. The Internet of Things brings with it a host of new concerns such as:
- Default credentials and missing encryption
- Regular device security updates
- Firmware updates on both legacy and new connected objects
- Security and data encryption on lightweight microcontrollers
- Password-protecting the device itself
- No standard method to monitor or manage a device
Let’s assume for a moment that someone was indeed trying to hack into your refrigerator, gaining access to all your secret cheese drawer, Tupperware and decaying fruit information. How can we move from panicked discussions of how the IoT is inherently insecure and being, well, securing our connected objects?
Quick and dirty methods for getting data streaming to the cloud is a great development tool for internal testing of an idea, but a piecemeal programming approach to IoT connectivity is most likely not going to be scalable or secure. Let’s think through all the various potential actors involved in your hip new connected refrigerator (which shall here forth be called iFridge by Connecto-Kitchen Inc.).
- Connecto-Kitchen Inc. operations application
- Connecto-Kitchen Inc.Salesforce.com system
- Connecto-Kitchen Inc.billing system
- Connecto-Kitchen Inc.Tableau Server system
- Connecto-Kitchen Inc. technician tablet application
- Your personal iFridge unit
- Sensors and actuators inside your iFridge unit
- Connecto-Kitchen Inc. user smartphone app
- Connecto-Kitchen Inc. home gateway
- iStove, iToaster, and other connected devices
Building a connected prototype for one device constrains your security issues, but a fundamental advantage of the Internet of Things is to turn grounded data into actionable information. And this means connecting across multiple systems for exponential insight as both a consumer and as a business. Unfortunately, this is the type of scenario that makes security experts a bit flummoxed. Thankfully, there is are some good places to begin the conversation. The secret sauce starts with an IoT platform possessing a trust engine that requires each and every one of the actors above to authenticate based on a central service that checks each actor’s permissions to make sure they have access to either publish or subscribe to data they’re trying to access. By strictly governing device, gateway, application, user, topic (also called queues) and domain access, each transaction can be either completed or denied based on permissions given to that actor within a cloud-based directory system.
Let’s return to our iFridge example. Connecto-Kitchen can’t keep their IoT-enabled kitchen products on the shelves. To keep their customers’ data private and secure, Connecto-Kitchen first needs to make sure they have a secure pipe connection (a topic for another post) from the customer’s product(s) to the Connecto-Kitchen Inc. gateway, and then on to the cloud. Next, they want to garner business intelligence across each customer’s connected devices as well as discover trends across their entire customer base to deliver better service and support. Connecto-Kitchen gives special credentials to each device, application, and 3rd party software service so that all data is being handled on a need-to-know basis at every point of contact, greatly reducing a good number of the fears regarding IoT and security.
In order for the mythical IoT security unicorn to become no more than a regular old horse, companies will need to implement a centralized cloud trust engine service with object directory offering permission sets for everything from publish-subscribe rights to determining what applications and services have access to what device data. As you could imagine, this is how Xively handles securing the Internet of Things. More on our platform and security here.