For most of us, technology has become an integral part of our daily lives and promises to become even more prevalent in the near future due to the emerging technological revolution called the Internet of Things (IoT). The number of connected objects now exceeds the world’s human population, and is expected to grow exponentially over the next three to five years.
The early stage of IoT has already started making our lives easier and far more comfortable, giving us the ability to remotely monitor our homes and businesses, turn on the lights and heat before we return home from a long day, and even help us find a place to eat in an unfamiliar city. In fact, so many of our daily activities are becoming automated through the use of IoT technologies, we will soon wonder how we could have functioned without them – similar to looking back now on the pre-smart phone era!
However, as history has taught us well, any technology can be just as easily turned against us if it hasn’t been properly secured. In fact, there seems to be a direct correlation between the value of a connected object in our daily lives and the degree of pain inflicted if that object falls prey to hackers. As hackers and the security community converge on Las Vegas this week for the DEF CON and Black Hat conferences, I’ve come across two pieces of news that seem remarkably timely. The first is a report from The Guardian that a British computer scientist and cryptography expert has been banned from publishing an academic paper in a security journal, because it reveals the algorithm used in chips that start luxury cars. Of course, this goes beyond one scientist and a paper – much of the research he conducted to crack the code was gathered from a publicly available website, where the software behind the code has been available for the past four years.
Now while most of us have neither the means nor the deep cryptographic understanding that this scientist has, the point is that it can be done – then it can easily be made publicly available and widely distributed.
Similarly, a Forbes article highlights a home automation app that lacked appropriate levels of security, thereby allowing anybody to control lights, televisions, and any other connected electronics from literally anywhere in the world. No special skills required.
For me, the takeaway is two-fold: integrate robust security throughout your IoT implementation; and layer that security for a comprehensive solution with no single points of failure. Of course, this isn’t new advice – both of these suggestions have been best practices for all types of networks since the dawning of modern-day threats. But since the power of IoT lies in its ability to connect just about every aspect of our lives in a very personal way, security must be the proverbial lynchpin of the entire operation. Many IoT use cases also include the analysis of vast amounts of data, including what may be considered sensitive, and make rapid decisions on that data to make immediate changes to the device based on current conditions. Therefore, security must be layered at multiple points in the system – the cloud, the data, each of the touchpoints throughout the system, and even the devices themselves. This way, whether a provider has inadequate security (as in the case of the home automation device), or a strong security measure is thwarted (as with the crypto algorithm), other layers of the security solution can compensate for the weakness to protect against attack.
Again, this is nothing new. But with IoT, so much more is at stake than with prior networks, it warrants being repeated. One thing is sure; the Internet of Things means that technology is here to stay – and getting closer to home than ever before – so we’d better learn to properly secure it, so that we can enjoy its benefits without falling victim to its risks!