The evolution of IoT has reached a point where it will require a comprehensively redesigned approach to security threats in order to ensure its continued growth and expansion.
The relentless flow of new product introductions keeps fueling the gargantuan estimates of billions of connected, communicating computing devices, which are projected to imminently make the Internet of Things ubiquitous within every facet of our lives. The IoT has been portrayed as the key enabler of a smarter world with compelling use cases that cut across a wide array of both personal and industrial ecosystems.
A great description is that the IoT is the global nervous system. This could be a pun, as IoT is increasingly producing troubling headlines. Stories abound, detailing security breaches that sound as if they were taken from a sci-fi movie, from hacked security cameras to a spamming refrigerator.
The explosive growth of the IoT coincides with an alarming increase in reported rates of identity theft and hacker attacks on everyday gadgets and appliances. Security researchers have easily established the feasibility of attacks against TVs, cars, security cameras, and medical equipment. There is much more than stolen money on the line if these types of attacks are carried out. The evidence demonstrates that existing security mechanisms are insufficient or ill-suited to address the risks inherent in the ubiquitous deployment of the IoT.
The need for a new original approach
The traditional approach to security, applied to both consumer and business domains, is one of separation – preventing those who are considered bad actors from accessing devices and networks. However, the dynamic topology of the network environments in which IoT applications are deployed largely invalidates the separation approach, making it both impractical and overly rigid. For example, with BYOD (bring-your-own-device), enterprises struggle to apply traditional security schemes to devices that may have been compromised while outside the perimeter firewall.
Many IoT devices self-configure and run autonomously. User interaction is limited to the devices’ operations, and there are no means to change security parameters. These devices rely on the manufacturer to implement security, both in the hardware and the software.
Moreover, manufacturers have to consider the broader ecosystem, not just their own products. For example, recent research has revealed inherent security flaws in USB memory stick controller hardware and firmware. Users must be concerned not only about the safety of the data on the memory stick, but also about whether the memory stick controller itself has somehow been compromised.
To thwart similar issues, IoT device vendors are rushing to upgrade their product portfolios to low-power, high-performance microcontrollers that include firmware upgrade and data encryption mechanisms.
In the hyper-connected world of IoT, security breaches will gravitate towards the weakest link in the chain. It will become very hard to maintain the confidence that any particular device, user, application or service maintains its integrity; instead, the assumption will be that things will occasionally break for a variety of reasons, over which there is little control and no method for fixing. As a result, IoT will force the adoption of new concepts for the establishment of trust.
A smarter network combined
In the loosely coupled world of IoT, security issues are driving a need for greater collaboration among the vendors participating in the ecosystem, recognizing their respective core competencies. Hardware vendors make devices smarter. Software developers make applications and services smarter. The connective tissue, the global Internet with its myriad of communication transports and protocols, is tasked with carrying the data that powers IoT. This raises the question – can the network be made an enabler of IoT security by becoming smarter in its own right?
Context is essential for identifying and handling security threats and is best understood at the application level, where the intent of information is processed. This points towards a higher-level communication framework for IoT – the Internet of Data Streams. This framework enables apps and services to view things as consumers and producers of data. It allows for descriptive representations of devices’ operational status and real-time detection of their presence or absence.
Elevating the functional value of the Internet, from a medium of communication to a network of data streams for IoT, would greatly ease collaboration among the IoT ecosystem participants. The smarter network can provide apps and services with the ability to implement logic that detects things that break or misbehave, flagging them as suspect while ensuring graceful and consistent operation using redundant resources.
For example, a smarter network can detect that a connected sensor stopped functioning (e.g. due to a denial of power attack, possibly triggered through some obscure security loophole) and allow the apps that depend on the sensor to provide uninterrupted service to users. Additionally, a network of data streams can foster a global industry of security-as-a-service solutions, which can, as an example, send real-time security alerts to app administrators and device manufacturers.
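The detection logic described in the last two paragraphs can be sketched as follows. This is an added example, not code from the article or from any product it refers to; the `Reading` and `StreamMonitor` names, the sensor ids, the silence threshold and the value range are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Reading:
    ts: float       # seconds since the start of the capture
    source: str     # producer id on the data stream
    value: float

@dataclass
class StreamMonitor:
    sources: tuple        # expected producers, in order of preference
    max_silence: float    # seconds without data before a producer counts as absent
    valid: tuple          # (low, high) plausible value range
    last: dict = field(default_factory=dict)     # source -> latest Reading
    suspect: dict = field(default_factory=dict)  # source -> reason
    alerts: list = field(default_factory=list)   # (ts, source, reason)

    def _flag(self, ts, source, reason):
        if source not in self.suspect:           # alert once per producer
            self.suspect[source] = reason
            self.alerts.append((ts, source, reason))

    def ingest(self, r):
        if r.source not in self.sources:
            self.alerts.append((r.ts, r.source, "unknown producer"))
            return
        self.last[r.source] = r
        if not self.valid[0] <= r.value <= self.valid[1]:
            self._flag(r.ts, r.source, "out-of-range value")

    def read(self, now):
        """Return (source, value) from the first producer not flagged suspect."""
        for s in self.sources:
            seen = self.last[s].ts if s in self.last else 0.0
            if now - seen > self.max_silence:
                self._flag(now, s, "absent")
        for s in self.sources:
            if s not in self.suspect and s in self.last:
                return s, self.last[s].value
        return None                              # no trustworthy producer left

# Constructed sample stream: temp-a goes silent after t=10, temp-c misbehaves.
SAMPLE = [Reading(0, "temp-a", 21.5), Reading(1, "temp-b", 21.7),
          Reading(5, "temp-c", 900.0), Reading(10, "temp-a", 21.6),
          Reading(11, "temp-b", 21.8), Reading(31, "temp-b", 22.0)]

def demo():
    mon = StreamMonitor(("temp-a", "temp-b", "temp-c"), 15, (-40.0, 85.0))
    served = [(mon.ingest(r), mon.read(r.ts))[1] for r in SAMPLE]
    return served, mon.alerts
```

A flagged producer stays suspect until something outside this sketch clears it, so a device that resumes sending after an unexplained outage is not trusted again automatically.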
The evolution of IoT has reached a point where it will require a comprehensively redesigned approach to security threats in order to ensure its continued growth and expansion. Addressing the issues that have surfaced from an ecosystem standpoint calls for apps, services and “things” to explicitly handle communication via a smarter data network, which has the promise of placing IoT in safer hands, courtesy of the Internet of Streams.