Security is paramount in all IoT device designs and deployments.
I recently had the opportunity to gather insights from Billy Meadow, CTO and Founder; Scott Fletcher, President and CEO; and Jeff Kase, Chief Architect of LocatorX, to get their perspective on the current and future state of IoT security.
What's your approach to securing IoT devices?
The history of the Internet might have been extremely brief were it not for the ability to address security issues systematically and to adapt to the many ways in which people with bad intentions have been able to be destructive. The first web browsers communicated with servers using unencrypted data streams, affording no protection against those who realized how trivial it is to “sniff” internet traffic. Most computers, in the beginning, had their own internet addresses, without any firewalls or protection against hackers. It was a huge neighborhood full of unlocked houses.
There would be no eCommerce without SSL (TLS) protected communications, user credentials, and other security measures. We are all familiar with the lock icon in the browser bar, indicating a valid certificate is protecting the data being passed; we expect to enter a username and password to identify ourselves, and on our smartphones, we commit our passcodes to memory but prefer fingerprint identification and/or facial recognition.
We must not discount the small form factor of IoT devices to be any less of a threat – any device that can connect to the Internet represents a potential security breach, especially if it has some level of computing power. We’ve seen how smart thermostats could be co-opted to cause damage to computers and baby cameras with limited security could be tapped by unwanted viewers. We’ve seen how many devices with limited computing power could be combined to generate DDoS attacks and how connected vehicles could be hijacked remotely while in motion.
Security is paramount in all IoT device designs and deployments.
We address this issue with a multi-tiered security mechanism, not unlike a web browser, but with added measures:
Smartphones, scanning devices, and other communications nodes that can access our devices use the latest SSL encryption techniques to communicate with our servers.
Users have some read-only access to the devices without entering credentials, but all sensitive and write access requires identification.
All devices that can interact with the IoT devices must use our Certified Security Module, with embedded credentials assigned to the registered software developer of those applications.
All sensitive data, including the digital birth certificate assigned to each individual IoT chip, is encrypted using our product certificate authority. This is currently an in-house mechanism for maintaining the cryptographic keys used to encrypt this data. However, we will soon announce a more formal partnership that will allow third-party organizations to obtain their own certificates.
In the future, we will be using a patented process to physically write encrypted identification onto the chips themselves in a way that can be used as yet another tier of protection.
What are the most important elements of IoT security?
The security of IoT devices must be part of the architecture of the overall implementation plan, something considered from the beginning. At the same time, it must be an adaptable solution, which becomes a challenge in itself. Updating firmware or security credentials on a hundred or so devices is one thing; hundreds of thousands or millions of devices is another. Additionally, the update process itself needs to be securely implemented, since this is yet another potential security weakness.
How has the security of IoT devices changed and what are the most common issues you see with IoT security?
How it has changed – there are dozens of different proprietary IoT security architectures from each of the major vendors. We don’t see these vendors designing structures made for interoperability. In the world of IoT, many of these devices have little to no security. LocatorX is designing a security architecture that is both open and secure and uses an industry-standard certificate authority that enables interoperability. LocatorX technologies can be scanned securely by any person in possession of the device or product. Certificate authorities created the foundation of trust for web pages. By creating product certificate authorities, we are creating a foundation of trust for products in the IoT.
What are some real-world problems you, or your clients, are solving by securing IoT devices?
The real-world use is being able to track an individual item, case, or pallet throughout its lifecycle. Anyone who comes into contact with the product can scan the item using their smartphone and authenticate it, so you can trust the information coming from that product. This information is authenticated by an individual product certificate authority.
Do you have any concerns regarding the current state of IoT security?
Constantly. The best practices of today can be considered potential weaknesses tomorrow. If you follow the churn of TLS versions and ciphers, for instance, you realize just how temporal any fix can be. SSL was the standard in the beginning until vulnerabilities were discovered/exploited. Then, TLS 1.0, 1.1, 1.2 and now 1.3 will soon be the standard. The internet itself is part of the reason for this escalation. Any successful breach or methodology to infiltrate systems can be shared across the world in minutes. The other reason is that access to powerful computing platforms continues to decrease in cost and increase in availability. TLS ciphers and methods are just complex mathematical algorithms, so the tools for brute force means to crack those algorithms are easier to access.
The other challenge is preventing “Trojan Horse” attacks, where a piece of hardware or software is installed inside your security sphere. This is less of an issue with IoT devices but can be another source of gaining access to sensitive data that might be used in IoT attacks outside.
The only constant is there are hordes of attackers trying to get through the security walls – and the more sensitive or valuable the assets you are trying to protect are, the more frequent the attempts to gain control or access will be.
What’s the future for IoT security from your point of view — where do the greatest opportunities lie?
From our perspective, security is only positive if it can be demonstrated to people using our products over time. Once trust and comfort are developed, use is encouraged. We’ve seen this with Amazon and the eCommerce industry – the full potential of any IoT solution can only be realized when security is not an issue.