IoT Security & Privacy: Reducing Vulnerabilities

Ensuring data security and privacy in IoT networks means taking a different approach and building protection in from the start.

Isaac Potoczny-Jones

November 2, 2015

In a recent 2015 cybersecurity report, AT&T charted a 458% increase in Internet of Things (IoT) vulnerability scans of devices. This is just the latest indication that hyper-growth of IoT devices, sensors and systems across business, consumer and government sectors puts users' information privacy and security at risk.

The Internet of Things (IoT) universe of devices, sensors, networks and technologies is so vast that meaningfully addressing any aspect of it -- such as security and privacy -- can be daunting. Even narrowing the scope down to specific IoT use cases, such as vehicles/robots, smart homes, critical infrastructure, connected medical devices, wearables, or HVAC systems, requires factoring in numerous and complex security considerations.

That said, market growth projections make it clear that the stakes are too high and business opportunity too great for vendors to shy away from efforts to improve IoT security and privacy. In this post, I'll examine the current state of IoT security and privacy, and what needs to be done to preserve the privacy and security of information that travels across connected networks.

Insecure legacy

Growing adoption of IoT requires overcoming a legacy of insecurity. This is not unique to the Internet of Things: too often, software and products are built to work as intended, and cybersecurity is factored into the equation only after the product is on the market. More specifically, this process occurs in the following stages:

  1. A new technology gets developed without security in mind.

  2. That technology gets traction and flourishes.

  3. It gets plugged into the Internet or made more widely available.

  4. Good guys in the security profession notice that it’s insecure and start trying to help companies fix the problems.

  5. Responsible companies address these issues and release fixed products, but this can take a long time, depending on the development lifecycle.

  6. Less responsible companies keep driving ahead with innovation and new product releases, but ignore or under-invest in security. Often this is because there’s a perception that the bad guys don’t stand to benefit from hacking their product.

  7. The bad guys figure out a way they can benefit from hacking the product.

  8. Everyone now has to invest significant resources in fixing it. It’s a big distributed problem because in step 2, the technology has flourished.

For some context, email is in stage 8. It originally had no security, but senders and recipients trusted one another. Then spam happened and everyone recognized the need to address security and privacy issues. IoT is currently somewhere between stages 3 and 4. It isn’t yet ubiquitous, but many people believe it’s poised to get huge, and if it becomes a stage 8 technology without security and privacy addressed on the front end, it's a recipe for disaster.

IoT security & passwords

A number of IoT devices available today have defaulted to the lowest-hanging fruit for security and authentication: passwords. Passwords are bad for the web; for IoT, they’re a disaster for a number of reasons. First, IoT devices are almost always very limited in their user interface -- they don’t have keyboards to type a password into, nor do they have screens on which to display random “pairing codes.” When you try to bolt a “password-like” system onto something with a difficult interface, you usually end up with something weak.

For example, I have an Internet-connected music player at home where I have to key in my router password with the tuning knob. Similar things happen with TV systems. Your router password needs to be strong, but these systems make it super hard to key it in. A password that’s hard to type means that it will be very short and hackable, while a PIN code, usually only four characters, is even worse as any computer can brute-force 10,000 combinations in a matter of seconds.

As a result, most devices mix up the concept of their user’s identity (and which user in the household is the user) and their own identity (the device proving itself to a remote network). We can barely fix the federated identity problem on the Internet, let alone the new problem of low-power, low-UI devices.

Passwords endure as a frustratingly popular yet weak security link, one that is terribly inadequate for IoT and should challenge vendors to embrace more secure authentication methods throughout the development process.

Developing a different approach

Vendors must adopt a different approach for IoT than the one taken with the Internet, which was “you are the product, not the customer.” Sticking with this old approach would treat IoT user privacy as second fiddle. Getting privacy right is even more important with IoT than it is with computers because IoT extends beyond a smartphone or laptop screen to end-user applications such as Internet-connected baby monitor video cameras, door locks that can be opened remotely with an app, wearables that track our movement and smartphones that track our location.

The physical nature of IoT has an enormous potential impact on privacy because it involves going beyond “what you do on your computer” to “what you do anytime, anywhere.” As referenced at the outset, wrapping our arms around security and privacy across the entire IoT system is a daunting task. Nonetheless, a vendor and industry approach should consider the following layers:

  • Privacy policy: Vendors should take privacy seriously. They must respect their customers enough to understand that privacy is a legitimate human need. NIST is working on some privacy standards that might help. Sometimes systems are secure (they work the way they’re intended), but violate someone’s privacy because they are designed to do so. For instance, they track people when they don’t want to be tracked.

  • Security policy: Vendors must intentionally build secure systems. A system that’s not intentionally secure is definitely insecure. Someone needs to think hard about the security of your system, and that person needs to be pretty experienced in order to do a good job.

  • Application-level security: Many IoT security flaws are the same types of bugs we’ve seen on the Internet for years, such as default “backdoor” admin passwords, weak passwords, not using encryption over the network, and open ports.

  • Protocol-level security: Wireless protocols such as ZigBee have some weaknesses, so even if you secure the application layer, the communication link itself can be intercepted or modified.

Emerging IoT solutions for security and privacy are promising. These include making users' mobile phones their security and privacy “key” that can confirm device pairing, leveraging cryptography instead of a keyboard and passwords, and privacy-preserving personal data storage systems so users control their private data shared across IoT systems. IoT can be made secure and user privacy can be preserved if vendors, government and enterprises build security into the IoT from the beginning.

About the Author(s)

Isaac Potoczny-Jones

Research Lead of Computer Security at Galois

Isaac has been a project lead with Galois since 2004. He is an active open source developer in the areas of cryptography and programming languages. Isaac has led many successful security and identity management projects for government organizations. His projects have included secure cross-domain collaboration (Navy, DOD), practical solutions in identity credentials for first responders (DHS), federated identity for the Open Science Grid (DOE), anonymous authorization and cross-domain search (DOD), mobile password-free authentication (DARPA), and authentication for anti-forgery in hardware devices (DARPA). He has also led numerous commercial and government projects for security assessment and penetration testing. In 2013, Isaac founded Tozny, a Galois spin-off company that provides strong cryptography for authentication, without the hassles of passwords. Isaac is a member of the Haskell open source community, where he was the first developer and maintainer of Cabal. He also is a member of the Debian community, where he was one of the implementors of APT's secure package download framework. Isaac has been a professional Haskell developer for a while now; prior to coming to Galois, he worked at Ohio State University and Cisco Systems. Isaac earned his master's degree in cybersecurity from the University of Maryland, University College, and his B.S. in computer science from Ohio State University.
