The Challenge of Securing Data in our IoT Future
Since 2008, the number of people connecting to the Internet has been outpaced by the number of objects. With the growth of devices that collect and transmit data online expected to continue rising exponentially to 26 billion by 2020, the amount of data, much of it very personal, is expected to similarly explode.
Despite the rising connectedness of our lives with technology, nearly 87% of individuals remain unfamiliar with what the Internet of Things means and how it affects them. The term, referring to devices that aggregate and transmit data via the Internet, includes everything from wearable devices, cell phones, coffee makers, headphones, lamps, alarm systems, vehicles, thermostats and almost anything else that can be connected online.
In a commercial setting, jet engines and oil rig drills are among the many objects which are now online. The ultimate goal of this connectedness being to empower new business models and improve the quality of life through embedding objects and devices with electronics, sensors, software and network connectivity.
This network of smart devices, objects and sensors and the data they produce promises to make our lives easier, improve efficiency and give us insights into a variety of aspects not previously possible. Smart cities where resource consumption and costs are reduced through real-time data from people and objects are just one example of the benefits attributed to IoT.
However, with so much data being produced by so many different devices, there is a major risk associated with this emerging Internet of Things (IoT) era — data security.
More Data = More Vulnerability
In order to ensure both business data and personal information remain secure in the IoT age, companies must understand the risks associated with IoT and keep their security practices up-to-date.
There are ten concerns which are especially predominant for connected devices. These include:
- insecure web interfaces
- insufficient authentication/authorization
- insecure network services
- lack of transport encryption
- insecure cloud interfaces
- insecure mobile interfaces
- insufficient security configuration
- insecure software
- poor physical designs
To showcase the vulnerabilities associated with IoT, security researchers such as Samy Kamkar have put some of the devices we use in our daily lives to the test. OwnStar, a device Kamkar created, was capable of intercepting communications from GM vehicles’ OnStar app, making it possible to geo-locate cars, unlock them and even turn on their engines. While the growth of automation in the automotive industry may make car owners lives more convenient, it can also make them more susceptible to hackers.
Another example of critical vulnerability is medical equipment such as pace makers and drug infusion pumps with wifi capabilities. Tests conducted by students at the University of Alabama successfully hacked a pacemaker implanted in a dummy patient, proving their ability to accelerate and slow down the heart rate. Similar tests by security researcher, Billy Rios, concluded that hijackers with malicious intent could ultimately change the dose of drugs administered to patients by hacking drug infusion pumps in hospitals.
Establishing Security Throughout the Device Lifecycle
Ultimately, the most effective solution for protecting privacy is for security to be addressed at each stage of a device’s lifecycle. From the initial architectural design to its daily use, device makers and businesses that adopt these technologies must have security at the forefront of their priorities. Luckily, there are several strategies companies are adapting to protect themselves from security breaches.
- Choosing Partners Carefully: Since companies have control over the design process of every connected device they manufacture, a consideration process must be in place to ensure suppliers provide physical components and/or software that does not compromise security.
- Improve Cloud Security: With most connected objects, much of the security functionality will depend on the integrity of the web service used. In these cases, working with cloud service providers to establish controls will be integral.
Another approach which has gained popularity recently for enabling cloud security is having an independent processing area on the the silicon of the device itself, otherwise known as trusted execution environments.
- Secure Device Booting: When powering an IoT device, digital signatures are used to verify the authenticity of the device’s software. This digital signature safeguards against software which has not been authorized from running on the device.
- Device Authentication: Each device that joins your network should authenticate itself before it begins transmitting data. Stored in a secure storage area, a set of credentials should be used by each machine to access a network, similar to a username and password.
- Facilitate Deep Packet Inspection and Firewalling: A form of computer network packet filtering, deep packet inspection controls potentially harmful traffic being routed through the device. In the instance of deeply embedded devices, such as a smart energy grid, unique device protocols exist simultaneously with IT protocols making extra security measures such as DPI and firewalls necessary.
- Controlling Security Patches and Software Updates: Ironically, security can be compromised when a multitude of devices carrying out critical functions and services rely on security patches and updates. To minimize the possibility of compromising a device’s functional safety, these updates must be rolled out in a way which conserves bandwidth and secures the functional safety of each device.
IoT is already promising to be an enormous business opportunity, with some estimates indicating it will add $10-$15 trillion to global GDP over the next 20 years. However the explosive growth of these new technologies means that more effort needs to be put into the safety of personal and business data being passed through billions of devices.
With more existing in the cloud, the amount of information vulnerable to breaches is continually expanding. Staying up to date on the latest security guidelines will help ensure companies are able to leverage this opportunity while being protected from security breaches.
Originally published at www.kiwaluk.com.