When the internet of things (IoT) arrives in force it will be two things: a boon for scientists, analysts, and anyone else interested in making things run better, faster, cheaper and, potentially, a security nightmare for everyone else.
The boon comes from finally having enough data to make causal connections between events and outcomes: X leads definitively to Y, not X may have led to Y "but we just don't know" (a favorite defense of attorneys everywhere). This can be as simple as improving your health by counting steps with an accelerometer to improving crop yields or understanding ocean currents by deploying armies of sensors.
The potential security nightmare comes from the billions of new network holes created by billions of devices that will be calling home to corporate, government and, increasingly, home-based networks with updates.
"At a minimum you need some type of encryption between the device and whatever it is talking to," says Tom Hunt, CEO of WindSpring, an IoT data compression company that, because of the work it does at the sensor level compressing data, is in a unique position to understand the difficulties of securing IoT devices. "And that is just phase one when extending the client/server model [to sensors]."
There are a number of security challenges facing IoT makers. First off, devices have to be cheap. This does not allow for much onboard compute or storage -- often just a few kilobytes. Because of this, even light-weight security protocols like PK Zip cannot run at the device level. Nor can technologies like virtual private networks (VPNs) that would secure data in transit and prevent hackers from gaining network access via that data stream.
Next comes the challenge of sensor-to-sensor network security. With such low levels of power and compute, these devices will serve up a cornucopia of network access points for hackers to exploit. "What scares IoT managers the most is more and more access is being provided to their systems from devices that they've never touched," says Hunt referring to extended sensor networks that may include devices from partners' or customers' networks that they have no control over.
And, thirdly, physical device security will be of great concern since many IoT devices will be deployed, unprotected in the field.
Another important issue is what Hunt calls the "DIY attitude" on the part of device makers. Like the early days of the PC industry, these manufacturers are not taking security seriously; thinking their engineers can just bolt on some open source protocol or other and call it done.
"There's a zillion protocols and most of them are not well suited to IoT," says Hunt. "I sat down with a carrier outside the US who said they are going to provide security by running VPN links from all of their IoT sensors back to the network and I said 'How are you going to do that? You've got 2K of memory. What VPN client runs on 2k of memory?'" (The answer, in case you were wondering, is none.)
Some IoT observers may not see device level security as that big a deal since hacking into a temperature sensor doesn't yield a lot of data, but what if they change the reading and that affects the command and control of an industrial process? Or, and this is what keeps chief information security officers (CISOs) awake at night, that same sensor allows a hacker to gain network access?
"It's when you tap into that sensor, what else can you get access to?," says Hunt. "Here security is more important than ever because, unlike any system we've deployed before, you now have a low cost unattended thing that's sitting out there communicating with your host and if you don't protect, the consequences are far greater than they were [with previous technologies]."
Read about a new approach to securing today's distrubted workforce and devices