Internet of Things
— a new security paradigm

Kevin Valdek
Published in Life After Data
Jan 29, 2015


Talking with large enterprises, it is evident that the slow adoption of the Internet of Things is due to security concerns. Although user stories and concepts are drawn up, showcased at consumer fairs, and promoted in press releases, the future itself is not yet here.

Where the Internet of Things has gained praise and adoption is with products from multi-billion companies such as Nest, or with things that do not depend on cooperation with tech incumbents. Instead, the focus is put on time to market rather than on security concerns. Low-powered networking such as Bluetooth Low Energy is one keyword, not surprisingly, as the benefits are many and appealing. It’s doubtful, however, that early adopters know that their things can easily be eavesdropped on, or even hijacked. For people in the industry this is common knowledge, and it is not seen as a show-stopper, as specifications and standards are rolled out to fill the holes. While complete security solutions are products of the future, Internet of Things vendors have to think carefully when designing the security of their platform.

The Internet of Things can roughly be divided into two categories.

  1. Internet of Me
    Things that communicate to you and the Internet via your smartphone. If you, with your smartphone, are not nearby then the thing is disconnected from the rest of the world. Typical devices today are smartwatches and fitness trackers.
  2. Everything else
    These are, in the truest sense, things that are directly connected to the Internet.

The latter category is not that trivial, though: how many things that are directly connected to the Internet do you own? To turn a conventional product into an Internet-connected thing, its security must be convincing. Another hurdle is that commercially available things are often based on power-hungry WiFi for connectivity — hence most things need a power outlet. For lightweight things such as sensors, connecting to a 220V outlet is not a viable option.

Different categories, same security needs

Regardless of these two categories, security is equally important and must be approached in the same way. It can be inconvenient to get your coffee machine hijacked, but it would be disastrous to get your apartment smartlock hacked. Even small things such as sensors can be vital. Imagine a smarthome sensor that reports the air smoke density. If someone hijacks the sensor, or replaces data sent from the sensor, the fire alarm could be falsely triggered — resulting in an array of unintended consequences. Each thing must therefore implement a way of authenticating itself to the decision maker, be it a central server or a smartphone. It has to be assigned an identity and a means of authentication.

Widely adopted and accepted authentication methods do exist; the Internet browser is the best example. When visiting e-commerce or Internet banking sites, the websites somehow prove to us (or more specifically to our browser) that they indeed are who we expect them to be. Otherwise we would not trust them with our credit card details (maybe we shouldn’t anyhow). The same system can be replicated in the Internet of Things, though with different nuances that are better suited to low-powered environments.

Let’s look at what we would like to achieve. One example is the straightforward model of controlling a pack of things that a person owns. This can be done through a cloud server or a person’s smartphone. Another forward-looking aspect is interoperability with other things that are not necessarily owned by the same person. This can be as simple as you granting a guest access to certain things in your home, or as difficult as you receiving access to new things in various locations, for example hotel facilities and parking lots. This kind of access adds another tough challenge to the security model.

It’s easy to think of security in the Internet of Things in old-tech terms. If a thing is connected via WiFi, all it needs is a password to the network. If something is connected to a smartphone via Bluetooth Low Energy, pairing is in order. However, this leads to great inflexibility and security leaks when scaled up. A thing cannot be compared to a computer or a phone that is connected to a network: there is no constant user presence, if any at all. Instead, once a thing is put to work it has to authenticate and ensure privacy in the same way as a real person. Like real people, things will want to communicate with other things on an ad-hoc basis — for instance a smartwatch or a car paying for the parking ticket without ever having been paired with the parking machine before.

This type of paradigm needs another way of thinking. For one, authentication per thing is not a step-by-step process where each thing has a different code or PIN. Instead, access and control are all managed by one super account, which belongs to one specific person. When new things are added, the super account must approve, followed by a distribution of identity to the newly added thing. Without an identity the thing has no means of authentication, hence also no function. The identities of a super account’s Internet of Things are controlled from a computer, smartphone or any other thing — as long as it has previously gained an identity.

Combining old and new

Luckily, such a system for distributing identities already exists: Public-Key Infrastructure (or PKI). Compared with other PKIs, for instance electronic ID-card systems, a super account is the person holding the ID-card. In the Internet of Things model this person can derive new ID-cards, in other words new identities, by herself. Each identity is subordinate to the super account. The created identities are used both to authenticate to the super account and to other things, if permission is given.
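A sketch of the super-account scheme described above, added here as an illustration and not code from the article or from any vendor: the super account signs each thing's identity, and a decision maker that knows only the super account's public key checks that signature and then challenges the thing to prove it holds the matching private key. The choice of Ed25519, the `Identity` layout, the `thing-auth:` label and the sensor name are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is a thing's "ID card": name and public key, signed by the super account.
type Identity struct {
	Name   string
	PubKey ed25519.PublicKey
	Sig    []byte
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	return pub, priv
}

func signedPart(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// Issue: the super account approves a new thing and signs its identity.
func Issue(super ed25519.PrivateKey, name string, pub ed25519.PublicKey) Identity {
	return Identity{Name: name, PubKey: pub, Sig: ed25519.Sign(super, signedPart(name, pub))}
}

// Respond runs on the thing: sign the verifier's fresh nonce under a fixed label.
func Respond(thing ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(thing, append([]byte("thing-auth:"), nonce...))
}

// Authenticate runs on the decision maker, which trusts only the super account's key.
func Authenticate(superPub ed25519.PublicKey, id Identity, nonce, resp []byte) bool {
	issued := len(id.PubKey) == ed25519.PublicKeySize && // Verify panics on a bad length
		ed25519.Verify(superPub, signedPart(id.Name, id.PubKey), id.Sig)
	return issued && ed25519.Verify(id.PubKey, append([]byte("thing-auth:"), nonce...), resp)
}

func main() {
	superPub, superKey := NewKeyPair()
	sensorPub, sensorKey := NewKeyPair()
	id := Issue(superKey, "smoke-sensor-1", sensorPub) // constructed sample name
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("genuine sensor accepted:", Authenticate(superPub, id, nonce, Respond(sensorKey, nonce)))
}
```

Because the nonce is fresh for every attempt, a recorded response cannot be replayed, and a copied identity is useless without the private key that stays on the thing.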

Coming back to our earlier example of e-commerce and the Internet browser, public-key cryptography is used in a similar way. This Internet of Things identity scheme is in fact not that different from how e-commerce was forecast to work — surely anyone who shops online needs to identify herself to the e-shop and provide strong authentication? It turned out that this was not needed for e-commerce to flourish; instead it was sufficient that the shops identify themselves to you. Few Internet services require strong authentication from the user, typically Internet banking sites or tech-savvy governments that allow e-voting.

The practical follow-up question is how to use public-key cryptography on low-power and processing-constrained things. Sometimes the thing is only a small sensor with no capacity to perform the same computing as our Internet browsers. Without going into details, there are now widely available low-power integrated circuits that perform authentication and encryption with the same strength as modern computers — perfectly suited for the Internet of Things. Often these integrated circuits are combined with a secure element, keeping the keys locked away from the most vicious attackers.

How to work things out in practice is still up to each vendor, according to its exact needs. Still, a central exchange where previously unfamiliar things can authenticate with each other on an on-demand basis, according to a set standard, might be what accelerates the adoption of the Internet of Things.


Kevin Valdek

Entrepreneurial software engineer — co-founder & CTO at High-Mobility. @highmobility