The Internet of Things: Overdue for a Security Upgrade

Lately everyone seems abuzz about the Internet of Things (IoT). And for good reason. A study released Wednesday by Gartner estimates that 4.9 billion "things" will be connected to the Internet of Things this year. The research also predicts that spending on IoT support services will increase from $69.5 billion in 2015 to $263 billion in 2015. With all this potential for growth, it's important that we keep some fundamentals in mind. And nothing is more fundamental than security when it comes to devices that will collect, transmit, and analyze our personal data.

Similarly today, the Internet of Things has generated a degree of excitement that has tended to overlook crucial security concerns. We have allowed convenience and the 'cool factor' to overtake ideas of safety and privacy. Case in point is the healthcare industry. Next week's Bloomberg Business cover story notes that "like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do."

Billy Rios, a white hat hacker who was hired by the Mayo Clinic to examine medical device security and was profiled in the Bloomberg piece, found so many vulnerabilities that he was unable to report on them in depth: "Every day, it was like every device on the menu got crushed. It was all bad. Really, really bad. [...] The only barrier is the goodwill of a stranger." While we may associate IoT insecurity with a smart watch that gives the wrong time or a fitness tracker that miscalculates your steps, unfortunately the consequences are nothing short of dire.

A resilient cybersecurity program has many elements. However, one of the most overlooked is identity security, which is about making sure that only the correct person, machine or process has access to particular systems and data. This is particularly crucial when it comes to the Internet of Things due to the sheer number of "things" requiring unique identities. Juniper Research predicts the number of IoT-enabled devices will increase to 38.5 billion by 2020. Think about that: 38.5 billion devices, all requiring unique identities in order to prohibit unauthorized access to other devices, data, and real-world sensors.

A challenge to cybersecurity and the Internet of Things is that traditional methods of verifying identity simply don't cut it anymore. The vulnerabilities of passwords are too numerous to list here (although you can click here for a summary). Indeed, Rios and his team not only found that simple password vulnerabilities could "jackpot" medication dispensary machines and hijack infusion pumps, but also discovered that they could compromise 300 different medical devices manufactured by 40 companies.

What's needed to ensure identity security in the Internet of Things is widespread use of identity tokens, physical devices that prove a user's identity electronically. Identity tokens, such as smart cards, use unique data and cryptographic keys to authenticate users with a high degree of confidence. We not only need to deploy such tokens for humans accessing data and devices on the Internet of Things; we have to start deploying them on the devices themselves. Whether the communication is occurring between two humans, a human and devices, or among the devices themselves, the consequences are just too dangerous to kick the can down the road and leave security concerns to the future.
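To make the difference between asserting an identity and proving one concrete, here is an added example (not from the original article) of a device answering a fresh challenge with a key unique to that device. It is a simplification: it uses a per-device shared secret and HMAC from Python's standard library in place of the asymmetric keys a smart card would normally hold, and the class names and device IDs are hypothetical.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, device_id: str, challenge: bytes) -> bytes:
    # Bind the proof to both the claimed identity and the one-time challenge.
    return hmac.new(key, device_id.encode() + b"|" + challenge, hashlib.sha256).digest()


class DeviceToken:
    """Stands in for the identity token on a device; the key never leaves it."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._key, self.device_id, challenge)


class Verifier:
    """Enrolls devices with unique keys and checks challenge responses."""

    def __init__(self):
        self._keys = {}     # device_id -> unique per-device key
        self._pending = {}  # device_id -> outstanding one-time challenge

    def enroll(self, device_id: str) -> DeviceToken:
        key = secrets.token_bytes(32)  # unique identity material per device
        self._keys[device_id] = key
        return DeviceToken(device_id, key)

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # each challenge is single-use
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_mac(key, device_id, nonce), response)


if __name__ == "__main__":
    v = Verifier()
    pump = v.enroll("pump-1")  # constructed device ID
    first = pump.respond(v.challenge("pump-1"))
    print("fresh response accepted:", v.verify("pump-1", first))
    v.challenge("pump-1")      # new challenge; the captured response is now stale
    print("replayed response accepted:", v.verify("pump-1", first))
```

Unlike a password, a captured response is useless against the next challenge, and a key taken from one device does not let it pass as any other.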

In an era where everything is connected, it's no longer sufficient to trust an identity and hope for the best. You have to prove it.
