The Internet of Things: Life-changing tech or a disaster waiting to happen?


Cesare Garlati, chief security strategist at the prpl Foundation, an organisation working to make the IoT safer, explains how startups can get IoT security right to avoid being subjected to harm.

The Internet of Things (IoT) is exciting new territory for many startups and innovative companies looking to push boundaries and connect even the smallest devices to attempt to simplify and enhance our lives. But the security of these devices is fundamentally flawed for a number of reasons.

Poor understanding

While there is a whole world of consumer electronics being built with some element of connectivity built in, the developers making them come from backgrounds that don’t include an adequate understanding of network protocols, and even less of network security. They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debugging and testing. Weak implementation of network protocols can spell disaster, especially when looking at the most popular wireless standards in IoT like ZigBee that operate in frequency bands that are easily accessible to everyone and ripe for exploitation.


Lazy attitudes

The attitude to securing these devices has typically been lackadaisical and more focused on the data that can be stolen from these devices. Therefore, security efforts have been minimal and devices are shipped with default passwords which can easily be found out by hackers and used to do their nefarious bidding. We’ve seen an example of this kind of IoT takeover with the Mirai IoT malware, where botnet criminals were able to use insecure security cameras and target core internet infrastructure company Dyn with a massive DDoS attack that took down popular internet services including Twitter, Spotify, Netflix and PayPal.

Waking up to the dangers

What the industry needs to wake up to is that it’s not about the data that can be stolen from a refrigerator or a light bulb – it’s about how these can be hijacked in volume and directed at one target. Using the example of a light bulb, while it may not seem like a big deal if a single light bulb is breached in the home – what if a hacker could control every single one of those light bulbs in a specific geographic region and create a power surge which could cause a rolling blackout? Or if a nation state actor could hijack a mass of drones in an area and direct them at a target?

From causing extreme internet service outages to becoming deadly weapons with catastrophic outcomes, the consequence of IoT security not being taken seriously is a very real and tangible problem. That is why it is now time to start taking measures to secure these devices at the most basic level: the hardware.

Getting it right

In order to overcome the biggest IoT security challenges and engineer security into connected and embedded devices from the ground up, it’s useful for developers and manufacturers to consider the following principles:

Open source – put an end to proprietary security by obscurity and instead choose a 100% “Darwinist” focus on quality, usability and robustness. Code is becoming increasingly complex, so let’s get as many eyes on it as possible. Open standards could overcome the dearth of connectivity expertise in the industry.

Interoperable – vendor-led initiatives can be incredibly time-consuming and costly, yet the results are usually non-portable across homogeneous platforms. But if vendors can come together on a common platform, architecture, APIs and standards, they can benefit from a universal and more secure open source approach, leaving them to compete on value-add services rather than basics such as security.

Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. The signature needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper-proof.

Hardware-assisted virtualisation – this will containerise each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.
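
The secure boot check described above, sketched as an added example (it is not code from the article or from the prpl Foundation): a boot ROM holds a hard-coded public key and refuses to run a first-stage image whose RSA PKCS#1 v1.5 signature does not verify. The key is a constructed toy key built from two well-known Mersenne primes, and `vendor_sign`, `rom_verify`, `boot` and `SAMPLE_IMAGE` are hypothetical names.

```python
import hashlib
import hmac

# Constructed toy key for this example only: both primes are well-known
# Mersenne primes, so the key is trivially factorable. A real device holds
# only the vendor's public key (n, e) in ROM or fuses; the private exponent
# stays on the vendor's signing infrastructure.
_P, _Q = 2**521 - 1, 2**607 - 1
ROM_PUBKEY_N = _P * _Q                      # hard-coded root-of-trust modulus
ROM_PUBKEY_E = 65537
_VENDOR_D = pow(ROM_PUBKEY_E, -1, (_P - 1) * (_Q - 1))   # vendor side only

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
_K = (ROM_PUBKEY_N.bit_length() + 7) // 8   # modulus length in bytes

SAMPLE_IMAGE = b"constructed first-stage bootloader image v1"


def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(image)."""
    t = _SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (_K - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Build-server step: sign the first-stage image with the private key."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, _VENDOR_D, ROM_PUBKEY_N).to_bytes(_K, "big")


def rom_verify(image: bytes, signature: bytes) -> bool:
    """Boot-ROM step: rebuild the whole encoded block and compare it in full,
    instead of parsing the padding, so a lenient parser cannot be fooled."""
    if len(signature) != _K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= ROM_PUBKEY_N:
        return False
    recovered = pow(s, ROM_PUBKEY_E, ROM_PUBKEY_N).to_bytes(_K, "big")
    return hmac.compare_digest(recovered, _encode(image))


def boot(image: bytes, signature: bytes) -> str:
    """Fail closed: an image that does not verify is never executed."""
    return "BOOT" if rom_verify(image, signature) else "HALT"
```

Changing a single byte of the image or the signature makes `boot` return `"HALT"`, which is the fail-closed behaviour the principle asks for.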

Moving forward

There is no reason that IoT can’t be the exciting world of possibilities and innovation that it has the potential to be. Equally, it has catastrophic potential, so to limit the damage IoT can cause, developers need to take responsibility from the very beginning to make sure they are shipping safe and secure products.

It won’t happen overnight, but if we can change the mindset from “it works, now let’s try to secure it” to “it isn’t secure and therefore it doesn’t work” then the industry as a whole will flourish without subjecting users to harm.
