Embedding Security in the Internet of Things

If you haven’t encountered the phrase before, the Internet of Things refers to the expanding network of interconnected, internet-enabled devices. Driven by miniaturisation, the affordability of components such as cheap Bluetooth sensors, and the growing ubiquity of technologies such as Wi-Fi, it is now possible to connect devices in a way that would never have previously been thought possible.

Our increasingly connected lives
To give you an idea of scale, this means that controllers for central heating, lighting, a variety of household appliances from the fridge to your home security system, your satellite TV box, desktop, laptop, mobile and tablet all have the potential to be talking to each other, communicating to a variety of third parties, and to be controlled from a centralised device. This level of Internet connectivity offers a plethora of opportunities to propel us to a more sustainable, energy efficient society as greater control, analysis and insight is presented to consumers and businesses.

It’s an opportunity that some of the biggest names in technology have already jumped upon. Apple recently introduced Homekit, a platform that will co-ordinate various third-party home automation accessories, allowing you to unlock your doors or turn on and off your lights via your iPhone. Google, too, demonstrated its interest by paying £1.9bn earlier this year to buy Nest Labs. Already well known for its connected thermostats and smoke detectors, Nest is currently investigating a slew of other applications related to the home – everything from health tracking to security systems.

A window of opportunity for criminals
While this is great, in theory, it should come with a caveat: the more devices that become internet enabled and the higher the level of connectivity between those devices, the greater the opportunity is for hackers to cause damage and disruption. If we simply start connecting an increasing number of devices to the internet without properly considering the security implications, we could hand hackers the opportunity to cut our electricity, flood our homes and pry deeper into our private lives.

Indeed we have already seen the first reported attack which exploited both ’smart’ household devices and conventional computers. Late last year more than 100,000 consumer devices, including an internet-connected refrigerator, smart TVs and multimedia hubs, were exploited to send more than 750,000 spam and phishing emails.

The majority of the devices used in the attack were not infected by malware, but were simply left open so that attackers were able to use their IP capabilities to relay spam and infected emails. But this incident highlights just how resourceful attackers have become in using unconventional, but effective, attack vectors.

Securing the Internet of Things
Now that attacks against these smart devices have begun, they will only escalate and securing this explosion in device numbers will be critical. It goes without saying that, with the potential threats of interception and attack on devices connected to the Internet of Things, a wider spectrum of manufacturers are going to have to consider providing solutions that both connect and are robustly secure.

However this will not be straightforward due to the limited processing capability and on board memory that many newly connected devices will have. This severely limits the scope for conventional security software, in turn running the risk of leaving newly connected devices in the security dark ages. For instance, as things stand, security will rely upon users changing passwords and other settings away from defaults, and ensuring the devices are not left open – in the same way that people are recommended to protect their home WiFi networks.

Given the increased stakes, relying on such primitive security measures is likely to be futile in the battle against cyber-crime. A new generation of security will be required to protect our connected lives and manufacturers will be tasked with adopting a new generation of protection – embedded security.

Embedded security is the concept of reducing the footprint of robust security software, enabling it to be embedded into the appliance without impacting on the device’s capabilities. This would facilitate the installation of network-based firewalling, web filtering, application control and encryption capabilities within a very small storage and memory usage footprint, enabling secure networking for a wide variety of devices. The upshot of this would be a range of devices operating on distributed but secure environments.

This kind of advanced security technology will enable IT and communication equipment manufacturers to achieve competitive advantage, differentiation and higher margins for their products by embedding security into IP-enabled equipment such as routers, switches, access points, electricity meters, household appliances and vehicles – in fact, into any device that connects to the Internet. Clavister’s advanced solution is an excellent example as it enables vendors to utilize existing spare computing power in devices to apply comprehensive network security, using the minimum of extra processing power and capacity.

Be prepared – or prepare to fail
The possibility that devices in our homes will become increasingly connected and entangled may seem farfetched and the prospect of a criminal using nothing more than a computer to flood a home an idea from science fiction. As outlandish as the concept of ‘the Internet of Things’ may sound it is inevitably going to emerge – as will the increased threat from hackers. It is therefore critical that we integrate security at an early stage in its evolution, to ensure maximum protection against interception, tampering and attacks. Failure to do so might just be catastrophic.