Security Matters In The Face Of The Internet Of Things

With great potential also comes great risk. Connected devices are managed differently than enterprise or mobile devices.


There’s much talk about the huge growth potential of the Internet of Things, with estimates citing 30 billion to 50 billion connected devices by 2020.

One billion smartphones were sold in the last five years; an impressive number, no doubt. But did you know we also added 244 million smart grid devices, over 5 billion consumer electronics devices, and over 500 million connected appliances in the same timespan? Our planet gained nearly 10 billion connected “Things” in the last five years, but this is just the tip of the iceberg. The potential of wearable and smart sensor technologies suggest that we’re well on our way to realizing the full impact of the Internet of Things.

iceburg-imageSource: ABI/Cisco/Mocana

It can be difficult to grasp the possibilities, but one has to look no further than our own Human Internet to see the tremendous value of connectivity. Take for example the value of Google; a many-to-one aggregator where users can obtain actionable information from the entire Internet. The converse is the one-to-many Twitter platform, where a single microblog can meaningfully impact the entire world. The Internet of Things adds these capabilities to smart sensors and actuators, enabling new many-to-one and one-to-many applications that incorporate machine-sourced, machine-interpreted, and machine-responding mechanisms.

It would be easy to only point to the positives, wouldn’t it? Unfortunately, with great potential also comes risk. At the recent RSA Conference, I gave a talk on several ways that existing security methods will (or won’t) fare when applied to the Internet of Things.

For starters, connected devices are managed differently than traditional enterprise or mobile devices. “Things” don’t use human passwords and instead rely on cryptographic keys to manage identities and provide connection security. It’s important that these keys stay secure from attackers attempting to extract the keys and compromise the security of the semiconductor. To help protect these keys, our DPA countermeasures ensure that keys won’t be leaked through side channel attacks, a method whereby attackers can uncover secret keys by measuring the device’s power consumption. In fact several industries have already widely adopted DPA countermeasures due to the threat of financial and personal data loss. In total, DPA countermeasures were successfully deployed in over 8 billion devices last year.

Also, as everyday appliances and devices become connected, it’s important to keep in mind that these infrastructure components are minimally maintained yet have long lifespans. This tends to be a problem, given that software approaches to security have historically proven to be complex and wrought with bugs. To address this, enterprises are shifting to store valuable cryptographic keys in secure silicon hardware within device chipsets. This ensures that through the connected devices’ lifespan, critical secret keys stay secure within a hardware root of trust, as opposed to software.

Finally, connected devices have different deployment lifecycles. Infrastructural components often go from factory to field without any formal enrollment or authorization steps (Plus, no user is going to manually pair a milk bottle with their fridge!). “Zero touch” activation requires device credentials to be provisioned at far earlier phases in the supply chain. In our CryptoFirewall hardware cores, we program device identities and keys at chip manufacturing, far before the CPU has even booted for the first time.

Today, our teams have the privilege of working with companies who are charting the future of the Internet of Things. Look how far the Human Internet has come in its 18 years of existence (yes, http is circa 1996). Some amazing things are in store for the Internet of Things, and there’s a lot of security work required to get this done right.

Leave a Reply

(Note: This name will be displayed publicly)