Security considerations for the Internet of Things
Sean Storer | June 16, 2015
The Internet of Things comes home
The Internet of Things (IoT) will soon be the new norm in both our work and personal lives. The adoption of these technologies will usher in a new era of convenience and efficiency; however, it also brings about a unique set of security considerations regarding what these devices do and how they do it. What decision-making ability are we outsourcing to these devices? What is in place to make sure they are only making the decisions they’re authorized to make? And how can we grant them permission to make those decisions—and only those decisions? In short, how will IoT-connected devices interact with their environment, especially when that environment is where we [and our furry friends] live?
What does IoT have to do with cats?
You’ve probably heard of the new Amazon product, the Dash button. They’re small plastic buttons that you stick or hang around your house. These buttons are linked to an Amazon account and place an order when pressed, currently for common household items such as laundry detergent or cleaning supplies. The idea is that you place the button where you use the product and as soon as you notice you’re running low, you immediately push the button and order more, thus avoiding a late-night trip to the store.
These buttons will help consumers remember to buy everyday household items that they take for granted and often forget to refill. But they’re also left out in the open, stuck to walls or hanging from hooks, all the while linked to your Amazon account. As any cat owner can attest, if there is a thing within reach of your cat, it will want nothing more than to swat, scratch, poke, and play with it. While this is usually entertaining, if each swat resulted in another $15 Swiffer refill being ordered on your Amazon account, the consequences for you [and your cat] could be more severe.
That’s it. I’m getting rid of my cat
It’s up to you really, but getting rid of the cat won’t eliminate the need to deploy tried-and-true security measures in adaptive ways. One such measure is multi-step or multi-factor authentication (MFA): requiring at least two checks of different kinds before a transaction is authorized. The factors are typically some combination of something a user knows, such as a password; something a user has, like an access card; and something a user is, which refers to biometric indicators (think: fingerprints). Two passwords are not two factors; the point is that a single stolen or guessed credential should not be enough. It’s also something most people are already familiar with. When you use an ATM you need two things: (1) your physical ATM card (something you have), and (2) your PIN (something you know).
To its credit, Amazon built multiple controls into the Dash button to keep the scenario above from playing out. When the button is pressed, an order alert is sent to your phone, which lets you confirm or cancel the order, and the button won’t place another order until the prior one has shipped. That second control is the one that matters most for the cat problem: however many times the button is swatted, at most one order can be outstanding.
So, what’s the big deal?
In the case of the Dash button, yes—it passes the cat test. The Internet of Things, however, encompasses more than Amazon and it will only continue to grow.
Jeff Immelt, CEO of GE, estimated that the Internet of Things has the potential to add $10 to $15 trillion to global GDP over the next 20 years. As the Internet of Things expands, there will be a new standard of convenience and information sharing. We will grow accustomed to thermostats that learn our sleep and work habits, and smart electric meters that run our dishwashers when electricity is cheapest. What manufacturers and users of these products need to realize is that these devices are making decisions based on our data, and that data will need to be protected. Manufacturers of thermostats never had to worry about encrypting data at rest, because a thermostat never used to hold data from which someone could infer whether anyone was home. These new networked thermostats hold exactly that, and in the wrong hands such a record is a treasure trove for attackers in both the digital and physical worlds.
Security will need to be built into these products from the start to keep them from becoming the weak link in a home or enterprise network. MFA is merely one such measure, and it is already common in other Internet-connected services—for example, texting a code to the phone number linked to an email account before login. The same out-of-band confirmation should be built into Internet-connected devices, whether the action is authorizing a purchase or turning on a stove. One caveat a practitioner would add: a code texted to a phone number is the weakest form of second factor, since phone numbers can be ported or hijacked, so a push confirmation to an enrolled app (as the Dash button uses) or an authenticator app is preferable where the device supports it.
Another way to build security into IoT devices is to use their pattern-recognition and machine-learning capabilities to detect anomalous behavior. For example, if the smart lock on your front door knows that between 9am and 5pm on weekdays it is locked 99% of the time, it should notify you whenever an unlock command is attempted during those hours. Pattern recognition and anomaly detection are not new security features; intrusion detection systems and several kinds of firewalls have relied on them for years. The key is to apply these proven techniques in new ways in IoT-connected devices. Two details make or break such a feature: the device needs enough history before it starts alerting, or every unusual-but-legitimate day becomes a false alarm, and the response should be a notification the owner can act on rather than a silent refusal to unlock. If manufacturers diligently apply these controls to IoT-connected devices, the balance between security and convenience can be managed far more effectively.
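The controls described for the Dash button and the out-of-band confirmation recommended here can be combined into one small authorizer. The code below is an added example written for this page; it is not Amazon’s code or the author’s. It models a press as creating a pending action, sends a one-time code over a caller-supplied channel (a plain callable here, standing in for SMS or a push notification), places the order only when the right code comes back within a time window, voids the order after repeated wrong codes, and ignores further presses while an earlier order has not shipped. All names (ButtonAuthorizer, PendingOrder, mark_shipped and so on) are hypothetical.

```python
"""Added example (not Amazon's or the author's code): a confirm-or-cancel
authorizer for a one-press ordering button. A press never orders anything by
itself; it creates a pending order, a one-time code goes out of band to the
enrolled phone, and only that code coming back places the order. A second
press is ignored while an earlier order is still outstanding."""

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

CODE_TTL_SECONDS = 600   # a confirmation code is good for ten minutes
MAX_ATTEMPTS = 3         # wrong codes tolerated before the pending order is voided


@dataclass
class PendingOrder:
    sku: str
    code: str          # one-time code delivered to the phone
    created_at: float
    attempts: int = 0


class ButtonAuthorizer:
    """Tracks one button's pending order and its not-yet-shipped order."""

    def __init__(self, phone_channel: Callable[[str], None],
                 clock: Callable[[], float] = time.time):
        # phone_channel(message) is the out-of-band sender (SMS, push, ...);
        # a callable so the example runs offline. clock is injectable for tests.
        self._send = phone_channel
        self._clock = clock
        self.pending: Optional[PendingOrder] = None
        self.awaiting_shipment: Optional[str] = None   # order id not yet shipped
        self.placed: List[str] = []

    def press(self, sku: str) -> str:
        """A physical press (cat or human). Returns a description of the outcome."""
        if self.awaiting_shipment is not None:
            return "ignored: previous order has not shipped"
        if self.pending is not None and not self._expired(self.pending):
            return "ignored: confirmation already pending"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six-digit one-time code
        self.pending = PendingOrder(sku, code, self._clock())
        self._send(f"Reply with code {code} to confirm your order of {sku}, or cancel it")
        return "pending: confirmation sent out of band"

    def confirm(self, code: str) -> str:
        """Code typed back by the account holder from the phone."""
        p = self.pending
        if p is None:
            return "rejected: nothing pending"
        if self._expired(p):
            self.pending = None
            return "rejected: code expired"
        p.attempts += 1
        # Constant-time comparison so the code cannot be guessed digit by digit.
        if not hmac.compare_digest(p.code, code):
            if p.attempts >= MAX_ATTEMPTS:
                self.pending = None
                return "rejected: too many attempts, order voided"
            return "rejected: wrong code"
        order_id = f"order-{len(self.placed) + 1}"
        self.placed.append(order_id)
        self.awaiting_shipment = order_id
        self.pending = None
        return f"placed: {order_id}"

    def cancel(self) -> str:
        """Owner cancels from the phone; nothing is ordered."""
        self.pending = None
        return "cancelled"

    def mark_shipped(self, order_id: str) -> None:
        """Fulfilment callback; only now may the button place another order."""
        if self.awaiting_shipment == order_id:
            self.awaiting_shipment = None

    def _expired(self, p: PendingOrder) -> bool:
        return self._clock() - p.created_at > CODE_TTL_SECONDS


if __name__ == "__main__":
    outbox: List[str] = []                     # stands in for the phone
    auth = ButtonAuthorizer(outbox.append)
    print(auth.press("swiffer-refill"))        # first swat: pending only
    print(auth.press("swiffer-refill"))        # second swat: ignored
    code = outbox[-1].split("code ")[1][:6]    # owner reads the code off the phone
    print(auth.confirm(code))                  # owner confirms: placed
    print(auth.press("swiffer-refill"))        # ignored until the order ships
    auth.mark_shipped("order-1")
    print(auth.press("swiffer-refill"))        # allowed again
```

The two-layer design is deliberate: the outstanding-order rule limits damage even if the confirmation channel is compromised, and the confirmation code limits damage even if the button is pressed by something other than its owner.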
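The smart-lock rule above is an hour-of-week baseline, and it is small enough to show in full. The code below is an added example written for this page, not the author’s or any lock vendor’s code. It buckets a lock’s state samples by weekday and hour, then flags an unlock command when that bucket has historically been locked at least 99% of the time and enough history exists to trust the number. The event history is constructed inline (eight weeks of ten-minute samples, locked on weekday working hours, with one unlocked Thursday afternoon in the first week) so it runs offline. The names LockBaseline, review_commands, run_demo and the thresholds are hypothetical.

```python
"""Added example (not the author's or a vendor's code): hour-of-week anomaly
detection for a smart lock. History is bucketed by (weekday, hour); an unlock
command is flagged when the bucket is locked >= 99% of the time and has at
least MIN_OBSERVATIONS samples, so a fresh device does not alert on day one."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

LOCKED_RATIO_THRESHOLD = 0.99   # "locked 99% of the time"
MIN_OBSERVATIONS = 20           # below this the baseline is too thin to alert on


def bucket(ts: datetime) -> Tuple[int, int]:
    """(weekday, hour) with Monday == 0, as datetime.weekday() numbers them."""
    return (ts.weekday(), ts.hour)


class LockBaseline:
    """Counts, per (weekday, hour), how often the lock was observed locked."""

    def __init__(self) -> None:
        self._locked: Dict[Tuple[int, int], int] = defaultdict(int)
        self._total: Dict[Tuple[int, int], int] = defaultdict(int)

    def observe(self, ts: datetime, locked: bool) -> None:
        b = bucket(ts)
        self._total[b] += 1
        if locked:
            self._locked[b] += 1

    def locked_ratio(self, ts: datetime) -> Tuple[float, int]:
        """Fraction of samples locked in ts's bucket, and the sample count."""
        b = bucket(ts)
        n = self._total[b]
        return (self._locked[b] / n, n) if n else (0.0, 0)

    def is_anomalous_unlock(self, ts: datetime) -> bool:
        ratio, n = self.locked_ratio(ts)
        return n >= MIN_OBSERVATIONS and ratio >= LOCKED_RATIO_THRESHOLD


def build_sample_history(weeks: int = 8) -> List[Tuple[datetime, bool]]:
    """Constructed data: a state sample every 10 minutes for `weeks` weeks.
    Locked 09:00-17:00 on weekdays (household out) and overnight, unlocked
    otherwise, plus one unlocked Thursday 14:00-15:00 in week 1 (a day off)."""
    start = datetime(2015, 5, 4)   # a Monday
    history = []
    for m in range(0, weeks * 7 * 24 * 60, 10):
        ts = start + timedelta(minutes=m)
        workday = ts.weekday() < 5 and 9 <= ts.hour < 17
        locked = workday or ts.hour < 7 or ts.hour >= 23
        if ts.weekday() == 3 and ts.hour == 14 and m < 7 * 24 * 60:
            locked = False   # the one-off day at home
        history.append((ts, locked))
    return history


def review_commands(baseline: LockBaseline,
                    commands: Iterable[Tuple[datetime, str]]) -> List[str]:
    """Runs the check over (timestamp, command) pairs; returns notification text."""
    alerts = []
    for ts, cmd in commands:
        if cmd == "unlock" and baseline.is_anomalous_unlock(ts):
            ratio, n = baseline.locked_ratio(ts)
            alerts.append(f"{ts:%a %H:%M}: unlock attempted; "
                          f"door locked {ratio:.0%} of {n} samples at this hour")
    return alerts


def run_demo() -> dict:
    """Builds the baseline from the constructed history and reviews four
    constructed unlock commands from the week after the history ends."""
    baseline = LockBaseline()
    for ts, locked in build_sample_history():
        baseline.observe(ts, locked)
    commands = [
        (datetime(2015, 6, 30, 14, 5), "unlock"),   # Tuesday afternoon: alert
        (datetime(2015, 6, 30, 20, 0), "unlock"),   # Tuesday evening: normal
        (datetime(2015, 7, 2, 14, 5), "unlock"),    # Thursday afternoon: below 99%
        (datetime(2015, 7, 4, 14, 5), "unlock"),    # Saturday afternoon: normal
    ]
    return {
        "alerts": review_commands(baseline, commands),
        "tuesday_ratio": baseline.locked_ratio(commands[0][0]),
        "thursday_ratio": baseline.locked_ratio(commands[2][0]),
        "cold_start_alert": LockBaseline().is_anomalous_unlock(commands[0][0]),
    }


if __name__ == "__main__":
    for line in run_demo()["alerts"]:
        print(line)
```

Note what the single Thursday at home does: it pulls that bucket down to 87.5% locked, so a later Thursday-afternoon unlock is not flagged, while the untouched Tuesday bucket still is. A manufacturer tuning this would choose the threshold and the minimum sample count together, because a 99% bar is meaningless over a handful of samples.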
Author’s aside: Lastly, for anyone doubting the fact that cats love to swat or knock over anything within range, further evidence can be found here.
Sean Storer is a security solution principal in Slalom’s San Francisco office. He is a fan of the IoT and a friend to the animals.