The Internet of Things Demands Trust

In the IoT, every connection is a threat vector. But by banding together and deploying sensible baseline security standards, the industry can turn the Internet of Things into the Internet of Trust.
Published: July 28, 2015

Forecast to soon become a trillion-dollar market, the Internet of Things promises—and likely will deliver—a smarter, more connected, safer and more data-driven society. Yet for all its advantages, threats abound: by transforming virtually any device into an interactive part of a powerful network, the IoT could multiply the number of vulnerabilities in any given system exponentially. By 2050, Cisco estimates, more than 50 billion objects could be Internet-connected. The extraordinarily vulnerable nature of a hyper-connected world means consumer trust is more critical to the success of IoT products and companies than ever before. In order to reach its trillion-dollar market potential, the Internet of Things must become an Internet of Trust.

As last year’s incident, in which a refrigerator was converted into a zombie computer to spread malware, demonstrated, the very concept of the IoT presents the vexing challenge that virtually any device can be weaponized. Converting devices into hacking platforms is just the beginning: connected homes and sensors collect data whose leak can be even more devastating than a breach of “traditional” computers. Even medical implants are considered potential threats—or targets. As recently as 2007, then-Vice President Dick Cheney’s heart implant was designed with hacking threats in mind.

Public awareness of hacking vulnerabilities is steadily growing, thanks to high-profile events like the recent Sony Pictures and Anthem hacks. As damaging as these events have been, the United States is faced with the near certainty that future hacks will be even more destructive. With the increasing combination of regulatory action and public concern around cyber-security, trust is crucial: companies must assure their customers and the broader public that data is private, networks are protected and information is safeguarded.

Trust, created through product security, will support data privacy and ensure cyber-safety. Whenever there’s a failure in security due to a data breach, a denial-of-service attack, identity theft, the spread of malware or some other act of sabotage, the failure can almost always be tied to unauthorized access. At some point, someone (or something) found a way to be where they shouldn’t have been, and did damage.

This means that maintaining security is, at its core, about preventing anyone or anything from gaining unauthorized access. Before being allowed to submit data, modify information, save settings or execute tasks, whoever or whatever is trying to gain access—be it a person, a device or a piece of software—must first prove that they are, indeed, who they say they are. This process, known as authentication, is the starting point for all online security. When done right, authentication protects every interaction and makes it safer for people, devices and applications to access and share data.

No matter what the online scenario may be, authentication plays an essential role in keeping the process secure for everyone involved. Two-step verification is a relatively new method of authentication that companies use to keep information secure: in addition to having the individual enter his or her password, the login process gains an extra step, such as texting the user a time-sensitive passcode, requiring a second-factor device such as a FIDO Alliance USB dongle, or scanning the person’s fingerprint. For the IoT, effective security prevents criminals from accessing data. This protects against the kinds of sabotage that can cripple the public infrastructure—which increasingly relies on smart grids and other network-controlled operations—and makes the IoT a safe place for private users, from the homeowner programming a remotely controlled thermostat to the global corporation managing thousands of connected devices.
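The time-sensitive passcode mentioned above is, in practice, usually a TOTP as standardized in RFC 6238: an HMAC-based one-time password (RFC 4226) whose counter is the current 30-second time step. The Go program below is an added example, not code from the article or from NXP, written against the standard library only. It shows the server side of the check: HMAC over the time counter, dynamic truncation to six or eight digits, a one-step window for clock skew, a constant-time comparison, and a replay guard so that a code which has already been redeemed cannot be presented a second time. The secret is the RFC’s published reference test secret; the `totpVerifier` type and its skew and replay policy are this example’s own design rather than anything the specification mandates.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
	// whose top bit is cleared before reducing to the requested number of digits.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp maps Unix time onto the HOTP counter in fixed 30-second steps (RFC 6238).
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/stepSeconds), digits)
}

// totpVerifier is the server-side state needed to check codes safely (example design).
type totpVerifier struct {
	secret   []byte
	digits   int
	lastStep int64 // highest time step already redeemed; codes at or below it are replays
}

func newTOTPVerifier(secret []byte, digits int) *totpVerifier {
	return &totpVerifier{secret: secret, digits: digits, lastStep: -1}
}

// accept returns true if candidate is valid for the current step or one step either side
// (clock-skew tolerance) and has not been redeemed before. The comparison is constant-time
// so the check does not leak how many leading digits matched.
func (v *totpVerifier) accept(candidate string, now int64) bool {
	current := now / stepSeconds
	for skew := int64(-1); skew <= 1; skew++ {
		step := current + skew
		if step <= v.lastStep {
			continue // already redeemed, or older than a code that was
		}
		expected := hotp(v.secret, uint64(step), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 reference secret); real secrets are random per user.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 6)
	v := newTOTPVerifier(secret, 6)
	fmt.Println("code:", code, "first use accepted:", v.accept(code, now),
		"replay accepted:", v.accept(code, now))
}
```

The replay guard matters as much as the HMAC: a six-digit code is only as strong as the single use it was issued for, and a verifier that accepts the same code twice within its skew window has given an eavesdropper a free second login.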

While it makes sense, in theory, to require all IoT devices to meet baseline security requirements, the reality is that adding security costs money, and unless a hack actually occurs, there is little return on the manufacturer’s investment. To prompt IoT manufacturers to make that investment, we could take a lesson from the automotive industry, in which drivers are required to carry liability insurance that pays for damage they might do to others on the road. In a similar fashion, IoT manufacturers could be required to add a minimum set of security features, so as to minimize the risk of online sabotage and, in a way, invest in the safety of others.

An alternative, arguably more expedient route would be for the industry to take matters into its own hands, through either existing coalitions like the FIDO Alliance or the creation of a new IoT-security-focused industry consortium that encourages a baseline standard for security technologies. This could entail requiring public key cryptography for mutual authentication among nodes, gateways and the cloud; storing private keys in tamper-proof secure elements, with keys never being transmitted in the clear; and requiring that all firmware be signed, so that every node and gateway boots securely from a protected, secure-element-based hardware root of trust. The good news is that these technologies are readily available today, and are commonly used in such industries as banking, transportation and e-government. They can be deployed at a fraction of what it costs to deal with the recalls, support and brand impact of a breach.
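The three baseline requirements above (public-key mutual authentication among nodes, gateways and the cloud; private keys that never leave protected storage; signed firmware verified at boot from a hardware root of trust) can be sketched in code. The Go program below is an added example, not NXP’s or the article’s code, and uses only the standard library. It shows a boot-ROM check that refuses to run firmware whose Ed25519 signature does not verify under the vendor key baked into the root of trust (with an anti-rollback version counter), and a nonce-based challenge-response in which a node and a gateway each prove possession of their identity key to the other. The image format, the identifiers `node-01` and `gateway-01`, the `auth-v1` and `fw-image-v1` labels and running both parties in one process are assumptions for illustration; on a real device the private key would be generated inside the secure element and never exported, and the vendor public key would sit in immutable boot ROM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// firmwareImage is a constructed minimal format: monotonic version, payload, vendor signature.
type firmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// firmwareDigest binds version and payload under a domain label so a firmware signature and an authentication response can never be confused.
func firmwareDigest(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write([]byte("fw-image-v1|"))
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// signFirmware runs at the vendor; the signing key never leaves the build infrastructure.
func signFirmware(vendorKey ed25519.PrivateKey, version uint32, payload []byte) firmwareImage {
	return firmwareImage{version, payload, ed25519.Sign(vendorKey, firmwareDigest(version, payload))}
}

// secureBoot models the boot ROM: rootKey is the vendor public key burned into the hardware root of trust, minVersion the anti-rollback counter. An image that fails either check never runs.
func secureBoot(rootKey ed25519.PublicKey, minVersion uint32, img firmwareImage) error {
	if img.Version < minVersion {
		return errors.New("refusing to boot: firmware older than anti-rollback counter")
	}
	if !ed25519.Verify(rootKey, firmwareDigest(img.Version, img.Payload), img.Sig) {
		return errors.New("refusing to boot: firmware signature invalid")
	}
	return nil
}

// device is a node or gateway. In hardware priv is generated inside a secure element and never exported; only pub is enrolled with peers.
type device struct {
	id   string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newDevice(id string) device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return device{id, priv, pub}
}

func newNonce() []byte {
	n := make([]byte, 32)
	rand.Read(n) // as above: crypto/rand.Read does not return an error on supported platforms
	return n
}

// authMessage is what a responder signs. Binding both identities plus a fresh nonce defeats replay of an old response and reflection of a device's own response back at it.
func authMessage(challengerID, responderID string, nonce []byte) []byte {
	return append([]byte("auth-v1|"+challengerID+"|"+responderID+"|"), nonce...)
}

// verifyResponse is the challenger's check: look the claimed identity up in the enrolled key set and verify the signature over exactly the message the challenger itself expects.
func verifyResponse(trusted map[string]ed25519.PublicKey, challengerID, responderID string, nonce, sig []byte) bool {
	pk, ok := trusted[responderID]
	return ok && ed25519.Verify(pk, authMessage(challengerID, responderID, nonce), sig)
}

// mutualAuth simulates both parties in one process: node proves itself to gateway, then gateway to node. One shared trust store stands in for each side's own enrolled keys.
func mutualAuth(node, gateway device, trusted map[string]ed25519.PublicKey) error {
	n1 := newNonce() // gateway's challenge; node answers by signing the bound message
	sig := ed25519.Sign(node.priv, authMessage(gateway.id, node.id, n1))
	if !verifyResponse(trusted, gateway.id, node.id, n1, sig) {
		return errors.New("node failed to authenticate to gateway")
	}
	n2 := newNonce() // node's challenge; gateway answers the same way
	sig = ed25519.Sign(gateway.priv, authMessage(node.id, gateway.id, n2))
	if !verifyResponse(trusted, node.id, gateway.id, n2, sig) {
		return errors.New("gateway failed to authenticate to node")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	img := signFirmware(vendorPriv, 3, []byte("constructed firmware payload"))
	fmt.Println("genuine image boots:", secureBoot(vendorPub, 3, img) == nil)
	node, gw := newDevice("node-01"), newDevice("gateway-01")
	trusted := map[string]ed25519.PublicKey{node.id: node.pub, gw.id: gw.pub}
	fmt.Println("mutual auth:", mutualAuth(node, gw, trusted))
}
```

Two details carry most of the security value. First, `secureBoot` trusts nothing it did not verify: a payload altered by a single byte, an image signed by any key other than the one in the root of trust, or a genuine but older image all fail closed. Second, the authentication message names both parties and carries a fresh nonce, so a device that only possesses the right identifier but not the matching private key, or that replays a response captured earlier, is rejected.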

Every potential connection is a threat vector. Access control across billions of devices will be imperative to ensure data integrity and protection. A key requirement of access control is authentication, and authentication must be based on a unique, immutable identifier rooted in hardware, which establishes trust—a hardware root of trust. For the Internet of Things to flourish, it must become an Internet of Trust.

Philip Lewer is the marketing director for IoT and smart homes for the Americas at NXP Semiconductors. He has more than 20 years of marketing, business-development and engineering experience in various technology industries.