New Security Solutions Emerge as IoT Moves into the Public Spotlight

In today’s world everything is connected. Turn on your crockpot from your phone while you’re standing in line at Target. Check on your sleeping baby while you watch a movie. Though these modern conveniences are great, the interconnectivity of these devices—the Internet of Things (IoT)—is fundamentally unsecure.

IoT Security in the Public Spotlight

Back in September, we discussed IoT security issues that still needed to be resolved. Since then, security in the IoT has gained a lot of attention from national media and is moving into the public spotlight.

CBS News talked about the IoT in a recent 60 Minutes segment. Correspondent Lesley Stahl was instructed to drive a car around a parking lot while an on-site hacker tried to gain access to the car’s computer systems.

In (what seemed like) a few minutes, the hacker had reprogrammed the software for car controls and started commanding the vehicle from the computer. He gained access to the horn, brakes, acceleration, and even the windshield wipers. It was laughable at first but quickly turned frightening.

Home automation and monitoring hacks are also becoming commonplace. BMW patched a security flaw a few weeks ago that could’ve allowed hackers to open doors for over 2 million cars. This week a senator from Massachusetts released a report covering the security and privacy gaps in the car industry.

This is an exciting time for innovation, but the IoT environment is unique and growing at a rapid pace. There are still topics that need to be addressed—particularly surrounding user privacy and security.

Security Solutions: New Technology or New Restrictions?

With security issues in the Internet of Things gaining more attention, many organizations are attempting to create solutions either through new technology or new restrictions.

This change in attitude toward IoT security has even reached the government. Just last month, the Federal Trade Commission released a report urging consumers and manufacturers to consider security and other safeguards.

For now, the Commission is focused on initiatives such as law enforcement action against actors that violate laws that apply to the IoT, consumer and business education materials, stakeholder groups that discuss guidelines, and the promotion of protections through advocacy. The report covers three main areas:

Security

The FTC urges companies to build security into devices from the beginning. Companies should conduct privacy assessments and consider risks associated with collection of consumer data. Built-in security features should be tested before taking the product to market, and companies should also ensure internal security practices promote good security.

Data Minimization

In short, data minimization reduces potential harm associated with data breaches. A major IoT concern surrounds consumer information collection, distribution, and use. The Commission urges companies to impose reasonable limits on the collection of data, for example, collecting a zip code instead of an exact geolocation.

Collecting data for future marketing and product development should be balanced with limiting security risks for users. Companies should also scrutinize how long consumer data is retained and consider collecting de-identified information.

Notice and Choice

Consumers should receive notice about data collection and the choices available to them so that they can make informed decisions. For example, companies could offer information collection options at point of sale, during tutorials, during setup, etc. Don’t bury notices in long documents; keep information clear and prominent.

PKI and IoT Security

Not only should consumer information be stored securely once collected, but the entire IoT environment should also be secured for ultimate protection at every stage of the information exchange process.

SSL Certificates and public key infrastructure can be used to securely exchange information on IoT devices, and provide solutions for the currently unsecure Internet of Things.

  • Keith Hill

    We would love to use SSL certs in our embedded devices’ web server but we can’t have certs that expire in 1 to 3 years. Our devices have a 15-30 year serviceable life. We also can’t dictate to our customers what the IP address and/or SPN of the device should be on their network. And frequently our customers use our devices on private networks that are never connected to the internet. Is there a form of SSL cert that can meet these needs? If so, I would love to hear more about it.

    • Hi Keith,

      I had Brian, our IoT specialist, reach out to you about your specific implementation and discuss a possible solution for that case. Did you see a response from him? If not, let me know. I can follow up with him.

      • Keith Hill

        I had emailed Paul and he gave me some suggestions. One was to consider generating a self-signed SSL cert but given the current Superfish incident, I’m not so sure that is a good idea.

        • Right. We can continue discussing this through Brian and see how we can work out a solution.

      • Keith Hill

        Yes, I replied. Also got some help from Paul T.
