Without Security, is the Internet of Things Just a Toy?
While some sort of IoT is possible without security, without security it would really just be a toy.
The Internet of Things (IoT) is arguably the most hyped concept since the pre-crash dot-com euphoria. You may recall some of the phrases from back then such as “the new economy,” “new paradigm,” “get large or get lost,” “consumer-driven navigation,” “tailored web experience,” “it’s different now,” among countless other media fabrications.
The IoT is the new media darling. In fact, it has been dubbed everything from the fifth wave of computing, to the third wave of the Internet, to the next big thing, to the next mega-trend, to the largest device market in the world, to the biggest efficiency booster/cost reduction technology. You get the picture.
Now, the question is whether or not the IoT will indeed be more real than just hype, as is the case with any media powered feeding frenzy. Let’s start by looking at the numbers.
IoT: By The Numbers
Respected market researchers and giant networking companies are predicting gigantic numbers of connected devices to the tune of 20 to 50 billion units of installed base by 2020 or 2025, with some estimates even going higher. With numbers like that coming from the world’s most-followed, reputable sources, it won’t be long before high roller investors start placing enormous bets on who will be the winners of the IoT game; a game that will be make Vegas action look like a game of marbles. The IoT casino is now open.
There is really big money at stake because IoT represents a perfect storm of opportunity for venture capitalists and bold corporate acquirers — that is because many believe that half the successful IoT companies don’t even exist yet. Conditions don’t get much more attractive than that when it comes to risk capital.
Who To Bet On
Here’s a hot tip: Only bet on the companies offering systems that articulate a clear strategy that put strong security (especially authentication) as a top priority. This tip is derived from the observations of Dr. Vint Cerf (the acknowledged creator of the Internet) who declared that the IoT will require strong authentication.
And, he’s right.
Note well that the strongest authentication comes from hardware-based cryptographic key storage because hardware key storage beats software-based key storage every time. Inexpensive and easy-to-use integrated circuit devices already exist to do just that. The media should grasp that but don’t seem to get it yet.
The dirty little secret of the constantly-connected era is that without security, the IoT will just be a toy that consumers, governments, and corporations cannot take seriously. What good is a system of billions of interconnected things sensing and sending data (often through the cloud) that can be intercepted, corrupted, and spoofed? Not very much. IoT growth is dependent upon security.
Charting the Growth
The graphs below show estimated unit shipments and the resulting installed base of IoT devices. What has also been called out in each chart are devices with on-board security, mainly hardware-based security, and those that do not have built in hardware security. Most market estimates out there tend to show the growth of the IoT in terms of installed bases, growing to many billions by 2020.
Typically speaking, you will see a chart like the one below, but without the divisions between secure and insecure nodes.This is a case of the devil being in the details, because installed base charts can be very misleading. Data jockeys such as market researchers and statisticians know very well that installed base is a tricky way to present data. Fair warning: Beware of drawing conclusions from installed base charts only.
The IoT case is a perfect example of how to hide the important information, because even if you remove the secure nodes, the chart still looks like there will be enormous growth. However, that masks the fact that growth will plateau without the secure nodes being a part of the picture. It is a an illusion caused by the fact that the early days of the IoT will build a base of significant numbers, but the volume shipments will fall off quickly as users reject insecure solutions precisely because they are insecure.
The installed base IoT chart is analogous to chart of automobiles in the time of Henry Ford showing the installed base of black cars (remember Model Ts came in any color as long as it was black). That would show that black cars were the overwhelming color and it would be impossible from that chart to conclude anything other than they always would be.
Obviously, such a chart would mask the market changes that in fact happened and the inflection points as to when the changes happened. Masking is exactly what the IoT installed base chart does.
It fails to show that the inflection point towards secure nodes that is starting right now, which is a shift that will happen quickly. Reason being, the need for security is becoming clear (just ask Sony, Target, Home Depot, JP Morgan, and Iranian nuclear scientists about that). As aforementioned, inexpensive hardware-based devices are available now that can provide strong security to IoT nodes.
The unit shipment slide is what tells the real story. And, that is that security is becoming a requirement of IoT if growth is to be sustainable. Simply stated: Without real security, the IoT will falter.
Internet of Things Security Maters
Security matters because users must trust that the nodes are who they say they are (i.e. are authentic). Additionally, confidentiality of the data is important to keep unauthorized third parties from getting the data and misusing it. Also, without data integrity mechanisms there is no way to ensure that the data have not been tampered with or corrupted. All three of these matter. A lot.
However, with all the press that the IoT receives and all the tremendous predictions of giga-volumes, you just don’t hear much other than passing comments about security. Security should, in fact, be the prerequisite of any article, discussion, or plan for IoT-based anything. Talking about the Internet of Things without addressing the security question (with specifics) is like talking about scuba diving without mentioning water.
Security gets short shrift even though it is pivotal to the IoT’s existence (and important to literally everyone in the digital universe, including the readers of this article). One main reason is that the meaning of security is not really well understood. As a result, engineers, executives, investors, and researchers alike have been mainly whistling past the graveyard hoping that their digital interests will not be attacked too badly.
However, with the increasing frequency, variety, and creativity of security breaches and especially with the advent of breach-based litigation, the danger is increasing and finally more attention is getting paid.
It is not hard to envision ambulance-chaser legal firms moving from class action suits regarding asbestos, medical devices, and pharmaceuticals to seeking data-breach damage rewards. In actuality, this has already started. You can almost hear the cloying ads already.
Internet of Things Security Defined
There are two important and fundamental questions about security and the IoT:
- What is IoT security?
- How do you implement it now?
To address the first item, the best way to understand it is to break it down into the three pillars of security, which are confidentiality, data integrity, and authentication (ironically referred to as “CIA”). The second inquiry is related directly to the first because implementing security is a function of how well you address the three pillars.
It is critical to address security right now because putting insecure systems into the world is just asking for trouble. There is no time to wait. Assembling a network or product dependent on a network that is filled with vulnerabilities is bad practice. The good news is that thanks to cryptographic engine integrated circuits with hardware-based secure key storage powerful solutions are clear and present.
Crypto engines refer to a dedicated integrated circuit devices that handle crypto functions such as hashing, sign-verify (e.g. ECDSA), key agreement (e.g. ECDH), authentication (symmetric or asymmetric), encryption/decryption, message authentication coding (MAC), run crypto algorithms (e.g. elliptic curve cryptography, AES, SHA), and perform many other functions.
The other critical part of the equation that makes crypto engines so valuable is their ability to store cryptographic keys in ultra-secure hardware. (The CTO of a major home networking company recently described storing cryptographic keys in software being like storing a key in a wet paper bag.)
Providing the exact type of security needed for the IoT to grow is what crypto engines like CryptoAuthentication solutions are all about. They make security both easy and cost effective. The amazing thing is that crypto engine devices were invented before the IoT even existed. Now they are arguably the ideal catalyst to drive IoT growth when they are added to the other fundamental elements of the IoT. So, it should be clear that there are now four elements to a serious IoT node:
- Intelligence (Microprocessors)
- Communications (Wi-Fi, Bluetooth, etc.)
These four items will be the recurring theme of IoT nodes. The story from here will be which communications standards are supported, the level of integration, how security is handled (standards and methods), performance, speed, power, size, etc., not if security is there or not.
Long story short: While some sort of IoT is possible without security, without security it would really just be a toy.