The Internet of Things: Life-changing tech or a disaster waiting to happen?


Cesare Garlati, chief security strategist at the prpl Foundation, an organisation working to make the IoT safer, explains how startups can get IoT security right to avoid being subjected to harm.

The Internet of Things (IoT) is exciting new territory for many startups and innovative companies looking to push boundaries and connect even the smallest devices to attempt to simplify and enhance our lives. But the security of these devices is fundamentally flawed for a number of reasons.

Poor understanding

While there is a whole world of consumer electronics being built with some element of connectivity built in, the developers making them come from backgrounds that don’t include an adequate understanding of network protocols, and even less of network security. They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debugging and testing. Weak implementation of network protocols can spell disaster, especially when looking at the most popular wireless standards in IoT like ZigBee that operate in frequency bands that are easily accessible to everyone and ripe for exploitation.


Lazy attitudes

The attitude to securing these devices has typically been lackadaisical and more focused on the data that can be stolen from these devices. Therefore, security efforts have been minimal and devices are shipped with default passwords which can easily be found out by hackers and used to do their nefarious bidding. We’ve seen an example of this kind of IoT takeover with the Mirai IoT malware, where botnet criminals were able to use insecure security cameras and target core internet infrastructure company Dyn with a massive DDoS attack that took down popular internet services including Twitter, Spotify, Netflix and PayPal.

Waking up to the dangers

What the industry needs to wake up to is that it’s not about the data that can be stolen from a refrigerator or a light bulb – it’s about how these can be hijacked in volume and directed at one target. Using the example of a light bulb, while it may not seem like a big deal if a single light bulb is breached in the home – what if a hacker could control every single one of those light bulbs in a specific geographic region and create a power surge which could cause a rolling blackout? Or if a nation state actor could hijack a mass of drones in an area and direct them at a target?

From causing extreme internet service outages to becoming deadly weapons with catastrophic outcomes, the consequence of IoT security not being taken seriously is a very real and tangible problem. That is why it is now time to start taking measures to secure these devices at the most basic level: the hardware.

Getting it right

In order to overcome the biggest IoT security challenges and engineer security into connected and embedded devices from the ground up, it’s useful for developers and manufacturers to consider the following principles:

Open source – put an end to proprietary security by obscurity and instead choose a 100% “Darwinist” focus on quality, usability and robustness. Code is becoming increasingly complex, so let’s get as many eyes on it as possible. Open standards could overcome the dearth of connectivity expertise in the industry.

Interoperable – vendor-led initiatives can be incredibly time-consuming and costly, yet the results are usually non-portable across homogeneous platforms. But if vendors can come together on a common platform, architecture, APIs and standards, they can benefit from a universal and more secure open source approach, leaving them to compete on value-add services rather than basics such as security.

Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof.

Hardware-assisted virtualisation – this will containerise each software element, keeping critical components safe, secure and isolated from the rest and preventing lateral movement. Secure inter-process communication will allow instructions to travel across this secure separation in a strictly controlled mode. This approach improves on current binary approaches where applications are either trusted or untrusted at a processor level, allowing for as many independent, secure guests as possible.
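
The secure boot principle above, sketched as an added example (not code from the article or the prpl Foundation): a boot stage releases the next image for execution only if its signature verifies against a public key pinned in the device. Ed25519, the image layout and all names are assumptions, and the keys come from constructed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed seeds stand in for real key material. The device holds only the
// vendor's public key (the root of trust), hard-coded at manufacture.
var (
	vendorKey   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attackerKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	rootOfTrust = vendorKey.Public().(ed25519.PublicKey)
)

var ErrRefuseBoot = errors.New("secure boot: signature check failed, refusing to boot")

// SignImage is the vendor's build step, run off-device with the private key.
// Hypothetical image layout: payload || 64-byte Ed25519 signature.
func SignImage(key ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(key, payload)...)
}

// VerifyImage is the on-device check. It returns the payload to execute only
// when the trailing signature verifies against the pinned public key.
func VerifyImage(pinned ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= ed25519.SignatureSize {
		return nil, ErrRefuseBoot // truncated or empty image
	}
	split := len(image) - ed25519.SignatureSize
	payload, sig := image[:split], image[split:]
	if !ed25519.Verify(pinned, payload, sig) {
		return nil, ErrRefuseBoot // modified payload or wrong signer
	}
	return payload, nil
}

func main() {
	good := SignImage(vendorKey, []byte("bootloader v1 (constructed payload)"))
	tampered := append([]byte{}, good...)
	tampered[0] ^= 0x01 // a single flipped bit in the payload
	rogue := SignImage(attackerKey, []byte("bootloader v1 (constructed payload)"))
	for i, img := range [][]byte{good, tampered, rogue} {
		_, err := VerifyImage(rootOfTrust, img)
		fmt.Printf("image %d -> boot error: %v\n", i, err)
	}
}
```

Only the first image is accepted; the bit-flipped image and the one signed with a different key are both refused, which is the property the pinned key provides.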

Moving forward

There is no reason that IoT can’t be the exciting world of possibilities and innovation that it has the potential to achieve. Equally, it has catastrophic potential, so to limit the damage IoT can cause, developers need to take responsibility from the very beginning to make sure they are shipping safe and secure products.

It won’t happen overnight, but if we can change the mindset from “it works, now let’s try to secure it” to “it isn’t secure and therefore it doesn’t work” then the industry as a whole will flourish without subjecting users to harm.
