Panelists at the NXP/FTF Technology Forum 2016 describe the hurdles that need to be surmounted in order to bring security to the Internet of Things.
The dawn of the age of the Internet of Things (IoT) is upon us, but just how secure is it? The panel of experts explored the subject at the NXP/FTF Technology Forum 2016 (May 17–19) in Texas, US and was unanimous with a short answer, a resounding "no."
"Cybersecurity is one of the foremost concerns of our age," said Greg Kahn, chief executive officer (CEO) and president at the Internet of Things Consortium. "Attacks have skyrocketed since 2014, costing companies up to $1 trillion per year to defend against them. What's worse is that the hackers are getting smarter. Seemingly secure information is streaming back to criminal organisations and malicious foreign governments."
Figure 1: Host Greg Kahn, CEO IOT Consortium; Damon Kachur, Global Business Development, Symantec Corporation; Michael Kaiser, executive director, National Cyber Security Alliance (NCSA); professor Edward Lee at University of California; Said Nassar, vice president of cybersecurity solutions at NXP; and professor Brent Waters, University of Texas (Source: EE Times/Colin Johnson)
Damon Kachur is Global Business Development manager at Symantec Corporation added that software is no longer enough, each new internet of things (IOT) device needs to have specialised hardware inside. “To do it right, it has to be done at the hardware level—after that its too late.” He also added that a massive education processes needs to be put in to place compelling security providers to educate consumers on how to operate their devices securely.
Plus the information needs to be communicated in a easy-to-understand manner—like the labels on clothing, such as “The Five Things Your Need to Know.” The information also needs to be standardised—again like food labels—so that consumer can immediately see what they are getting into and how to handle it.
One of the biggest problems, according to Kachur, is authentication. “Once you are authenticated you are in, but there are no standardised ways of getting security certificates to devices making it easy to generate false ones.”
“Authentication is on the 15 billion devices to date—at both the server and the device end—but they need to be improved such as periodically polling devices/components to make sure they are what they are expected to be," Kahn said.
Michael Kaiser, executive director for National Cyber Security Alliance (NCSA), said we need security that can spot things people which are unusual rather than wait for breeches to occur.
"We need to work together to educate people about what is actionable not just the need for better security, you have to teach them about what they should be looking for when buying and how to maintain it over the lifetime of the device," said Kaiser. "You need to really show people how to do it, inform them about what information is being collected, where is risks are coming from and who your data is being shared with."
Edward Lee, University of California professor said that strong pass words are not the answer. "We need solutions that are different from passwords," he said. "Privacy is a pure form of anonymity, which is actually a new concept compared to small towns in the old days when everybody knew everybody else."
For instance, in the old days you had a presumption of privacy when you drew your curtain, but today we don't have such things in cyberspace and conventions that tell us when we are protecting our privacy," said Lee. "Who actually reads the privacy notices you are constantly asked to accept?" Nobody raised their hand.
"This is not going to work—disclosure is not the answer, we need something else," Lee said.
Greg Nassar, vice president at cybersecurity solutions, NXP, added that we need to adopt designs that interplay with the metrics that are already proven to be much more secure. Security has to be in the head source—it needs to be designed in from the beginning…we need something like a schematic checklist about whether data is being shared and how. Vendors fill them out and provide the to consumers i an easy to understand format.
Professor Brent Waters at the University of Texas said that companies are building things, like cars, that are wide open to security breaches and the manufacturers know it.
"The manufacturers of all IoT all devices need to hire hackers to try to break their security before manufacture. You can't just choose a 'better' encryption method and think you are safe, you need to test test test to make sure the implementation is adequate," Waters said.
Cryptography is very important, according to Waters, but we need new concepts that were invented in the 21st century to work against modern day hackers "and these all solutions won't fit every app. Also you need to label and encrypt using keys that are naturally changing like three times a day routinely."
A lots of this knowledge has been around for 10 years, but manufacturers are still not implementing it in the marketplace, Waters concluded.