The Internet of Things is beginning to really worry me. It's mostly because the vast amounts of data out there can't be controlled well by users.
It's not just a concern that I have. In fact, the industry creating IoT has been behind in addressing a wide range of security issues concerning embedded and smart devices, a recent panel at Mobile World Congress found. So, where are the vulnerabilities? They are right under your nose, most likely in your home.
When a device in your house can be controlled by your smartphone, the device and your phone communicate over the Internet. How they communicate with each other determines how much data is exposed and can then be monitored by others.
If the data between the two is sent in cleartext, it's easy to directly monitor. Anyone will be able to listen, and know that you just told your smart thermostat to turn on the air conditioning.
That may sound innocuous, but what if there is a thief sitting in your house taking things and listening for actions that may indicate you are about to come home? Not so innocuous then, is it?
The metadata alone that is associated with IoT systems can also be a useful data source, even if the message used to create the metadata has been protected.
A metadata layer is used to reduce the friction across all stages of data governance by providing a context for that data. The goal of the metadata layer is to capture and incorporate the business context, logic, models, and rules as machine readable, programmable concepts. These will then aid in mimicking how humans process data, analytics, and information.
There are other kinds of IoT vulnerabilities to consider. Ring, a manufacturer of smart doorbells with video cameras, realized not long ago that, by using a home's WiFi, the company was inadvertently giving up the home network's password.
First, the Ring doorbell gets reset, then a specific URL is viewed on a browser.
Voilà, the password.
Of course, Ring issued a firmware update when this was publicized. But why wasn't that caught in some kind of security audit before release? Did the manufacturer even choose to look for that kind of problem?
But let's move away from the abstraction layer here for a minute.
The one privacy/security tool that is available to IoT devices now is end-to-end encryption. It offers the hope that the mathematical effort needed to solve for the prime numbers that are the key to the encryption will keep it safe. Currently, the use of encryption is not widespread among those emerging devices that have a low cost of manufacture as part of their DNA.
There are also quantum computers to consider in the IoT mix.
Right now, they are not cracking encryption … yet. Give these machines another five years, and they may be able to do just that.
MIT researchers have announced they have figured out how to build faster quantum computers that are designed to factor large numbers into their primes, and are easily scalable as well.
The news is almost equivalent to Carver Mead's announcement of the first silicon foundry in 1967. The process is one of applying technology to building bigger and faster quantum machines that are very good at figuring out crypto keys, instead of trying to figure out the physics necessary to build a quantum computer to do that. They have found a way.
This kind of quantum machine sounds the death knell for RSA-style encryption, the kind so widely used today.
Here is the problem laid bare: Quantum computers will be able to crack RSA-style crypto in a few years. That is the encryption used even when some end-to-end scheme is implemented in IoT. How will IoT privacy be protected at all?
The NSA thinks that it can come up with quantum-proof encryption -- someday. Maybe it will let it out. Maybe it will get used in IoT projects.
In the meantime, we have RSA-style encryption to use -- and that still isn't used all that much. But, beware of IoT devices that cannot be safely upgraded to deflect the growing security threats that will surely evolve over time. Those devices will leak data no matter what you do to stop the problem.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...