As the number of Internet connected-devices in any home skyrockets from a few, to a few dozen, to perhaps even a few hundred—including interconnecting thermostats, appliances, health and fitness monitors and personal accessories like smart watches—security concerns for this emerging Internet of Things (IoT) will skyrocket too. Cisco projects that there will be 50 billion connected devices by 2020; each such node should ideally be protected against malware, spyware, worms, and trojans, as well as overzealous government and commercial interests who themselves might produce their own privacy-compromising intrusions.
It’s a tall order, says Allen Storey, product director at the UK security firm Intercede. But the biggest challenges today are not so much technical problems as they are matters of awareness and education. Consumers need to know, says Storey, that IoT security is a real concern as the first wave of gadgets roll out into the marketplace. And unlike devices with faster processors and bigger memories, security is a product feature that the marketplace may not by itself reward.
Writing in the journal Network Security in July, Storey said that “Without the threat of end-user backlash, there is no strong business case for manufacturers to add a ubiquitous security element into the development process.” Moreover, he said, commercial pressures could in fact only reduce IoT security as many small players rush to be first to market. It's also likely that all the players could pursue siloed security standards that would leave substantial security holes as those devices interconnect with still other Internet-enabled devices (e.g. routers, smartphones, smart watches).
In the absence of any clear industry-wide IoT security standards, Intercede CTO Chris Edwards says consumers should shop for devices that rely on tried and tested security schemes, especially public key cryptography.
“When you’re looking at authenticating devices, the only real standards at the moment that offer any real interoperability tend to be Public Key Infrastructure (PKI),” he says. “The idea here is that you have a secure hardware element in that device that is able to generate and store and use private cryptographic keys that cannot be exported. So you can’t clone that device.”
So PKI chips, like those found in most smart cards, can help secure IoT communications. One other security standard that could be important in the IoT’s early years, Edwards says, is that of the FIDO (Fast IDentity Online) Alliance.
FIDO, a commercial consortium whose members include Microsoft, Google, PayPal, Lenovo, BlackBerry, and MasterCard, offers a lower-overhead variation of PKI that authenticates users and devices in part via biometrics (e.g. fingerprint-sensing chips) and PINs. This in turn makes FIDO more readily scalable to home networks with many devices on them, some of which may not have the battery or processor power to do classic private-public key cryptography for every communication.
“I don’t want the whole world to trust my watch,” Edwards says. “I just want to make sure the front door trusts my watch.”
Apple is conspicuously absent from FIDO's membership roll, which means that the Apple Watch's security will involve a yet to be disclosed set of proprietary security standards. Those protocols will thus probably form an important second web of security standards for the most secure IoT devices.
As an example of an IoT network that uses both PKI and FIDO, Edwards imagines a smartphone that communicates with a smart refrigerator in its owner’s home. The phone and refrigerator have already been introduced to each other and thus don’t need the highest PKI security levels. In that situation, FIDO would suffice for communications between the two devices such as the smartphone telling the fridge to go into low-power mode when the family goes on vacation, or the fridge reporting to the phone that it's time to pick up some milk from the grocery store.)
On the other hand, if the fridge communicates directly to the store to order more milk, the grocery store isn’t going to want to deal with FIDO certifications for its hundreds of customers. It’s more likely to insist on PKI security and authentication when a nearby fridge orders a gallon of milk or a case of beer.
In all, Storey says, the landscape of IoT security standards demands a company that can manage all such secure transactions behind the scenes for the cornucopia of third-party IoT device makers—perhaps like antivirus software today is managed and regularly updated by a small set of private, specialized companies.
“Given the absence of one standards agency producing cover-all protocols, an opportunity has emerged for security vendors and service providers to offer their own umbrella solutions that enable the individual to take control,” Storey wrote. “This is an exciting new dawn, but the industry must first come together to ensure it is a secure one for everyone concerned.”