Privacy and authentication in the Internet of Things
Authentication has moved from the everyday secure password to the use of biometrics, and device users have slowly been eased in
Short of time?
From tiny sensors to mammoth machines, the Internet of Things (IoT) is exploding at an enormous rate.
Intel noted that ten years ago there were two billion smart objects connected to the wireless world. With IDC projecting 200 billion connected devices operating amongst us by 2020, the IoT is a digital revolution tipped to eclipse any of those that came before it.
However, as with any metaphysical network, there is the very real threat of data breaches – infringing on personal privacy, security and data.
So how can data be safeguarded in this rapidly expanding network of connected devices, and what can the companies that build these devices do to convince consumers they are safe to use?
From tablets and phones to thermostats and smart metres, the answer lies in building micro-segmented stages of authentication that in turn makes data more secure but also honours consumer’s right to personal privacy.
Secure authentication and authorisation
The introduction of smart devices has created an untold potential both for consumers and businesses, but with it has come the opportunity for hackers to steal valuable information from personal data to the intellectual property that makes a company or product unique.
In the wider context of IoT, this idea of user or device authentication becomes ever more prevalent. For instance, when we go to unlock our connected car with our mobile phone, we want to be reassured that only we, the owners, are authorised to do so – preceded by successful ‘authentication’.
This means ensuring the users of a device (and/or account) are who they say they are and have the authorised credentials to access the information thereafter, helping form the core basis for securing the communication of and with a device within these expansive networks.
However, having only a single user authorised also poses challenges or limitations. For example, what if a defect is detected in a connected device? The supplier will more than likely require access to the device remotely, in order to deliver software updates to solve these issues.
This is evident in iPhone software updates whereby the device receives the software remotely, but is only installed once you accept the terms and conditions and permit the download to commence.
If Apple didn’t have the initial authority to send you the software, you wouldn’t be able to approve the download and maintain the health of your device effectively or efficiently.
Another practical example from the brave new IoT world is the concept of virtual car keys you can “carry around” on your mobile phone but can also share with other family members or service staff at a garage and authorise them (e.g. for a limited time) to use your car (after successful authentication, of course).
This also initiates negotiations, though, between the consumer who purchases the connected device, and the supplier who provides them.
A level of trust needs to be established whereby the public has to be certain that the correspondence has come directly from the named source and not someone who poses a security threat to the network.
With several recent high-profile cyber security attacks, such as the TalkTalk and Ashley Maddison sagas, it is increasingly important for businesses to reassure their customers that these growing networks will be secure and enable the user to take control of their data.
One of the ways companies are tackling this problem of false user authentication is through biometric data – that is, using individual’s unique ‘biology’ to access their data. This includes unique means of identification such as fingerprints and iris scans that are incredibly difficult to replicate.
The use of biometrics and behavioural biometrics (gestures, swipe and pattern predictions) is creating a unique level of user identification – truly attributing the sense of ‘personal’ between the user and a device.
This significantly increases the security credentials of the device and acts as a major barrier between hackers and their access to data. When “things” communicate in the IoT, credentials residing in tamper-resistant secure elements embedded in devices can not only secure network access and communication, but also support secure services such virtual private networks, e.g. for software updates.
Maintaining consumer trust
Gone are the days where data captures simply included a name and address. Increasingly, data collected and transmitted by these smart devices goes beyond personally identifying information and creates a detailed pattern of our everyday lives in real time.
So, how can we these fraudulent acts within the IoT be reduced, and what steps must the manufacturers take when creating these devices?
This is something that is being researched daily as the business case for cyber security has never been more prevalent. Manufacturers have a duty to take measureable steps to ensure people feel safe with the networks their devices are accessing – and more importantly, allowing them to control who is authorised or permitted to do so.
One method to ensuring this is through incorporating end-to-end encryption throughout the data exchanging process. This essentially renders the information useless to anyone without authorised access, preventing cybercriminals from using data as ransom.
Privacy, security and trust cannot be deemed an afterthought for IoT, with such valuable information at hand. With the increased impact of IoT services, “security by design” is essential – right from the start of the development process.
In order for the IoT to truly reach its potential, consumer trust must remain prevalent. Trust in large corporations has diminished in recent years by the apparent mishandling of customers data by previously tried, tenured and trusted brands.
Once that trust goes, it can be extremely hard, if not impossible to get back and this can be damaging, and in some case fatal, for brands.
Best practices for IoT protection
Developers need to understand all the potential vulnerabilities. Evaluation processes should cover privacy, safety, fraud, cyber attacks and IP theft.
Evaluating risk is not easy as cybercriminals are continually working on launching new threats. As there is no one size that fits all, it is advisable to bring in a security expert at this stage.
It is key that device security is duly considered at the development stage. This should include end-to-end points and countermeasures, including tamperproof hardware and software.
Strong authentication, encryption and securely managed encryption keys also need to be included to secure information stored on the device and in motion.
Security is not a one-off process. It is imperative that IoT devices are protected for the lifecycle of the device, be it a stand-alone product or integrated into a car.
Sourced from Manfred Kube, Gemalto