Let’s consider some of the security concerns presented by today’s connected embedded devices and “Internet of Things” networks. Where does security potentially fall down with these kinds of systems, and what can be done to keep systems secure?
Internet-of-Things networks and Internet-enabled hardware appliances bring with them all the established security concerns associated with computer networks and electronic technology – for example, if users are not forced to set strong passwords, or educated in choosing good passwords, then poor passwords can be chosen. RFID access tokens can be lost by authorised personnel, as can mechanical keys.
Where security depends on a computer or electronic hardware system, an attacker with physical access to the hardware can do just about anything without restriction. Transport layer security should be used to help increase (but not make foolproof) the security of TCP/IP communications over the Internet. Wi-Fi access points shouldn’t transmit at excessive power levels, which allow easy abuse by people outside the intended working range of the Wi-Fi network.
All these traditional concerns about network security and physical security are maintained in an Internet-of-Things environment, but new threats and challenges are potentially emerging with the growth in connected, embedded technology. What if attackers can potentially unlock the door to your house, or maybe even set fire to your house, by exploiting vulnerabilities in a web server and manipulating Internet-connected physical devices?
Devices such as the Lockitron, a crowd-funded gadget that fits over a standard deadbolt and allows you to lock or unlock your home from a smartphone app, may be convenient to use, but is the risk of connecting Internet-based attacks and vulnerabilities with the physical environment around your home or workplace worth this convenience? Even if a server responsible for providing Internet services for Internet-of-Things deadbolts is relatively secure and hard to attack, what if breaking into a single server means you can then burgle 100, or 1000 or 10,000 homes with their doors unlocked on demand?
Furthermore, with relatively good (but never invulnerable) server-side security, this sort of attack may still be considered worthwhile by organised attackers. Where the stakes are potentially high, strong end-to-end security from the physical hardware right through to communications, Internet services, servers and mobile apps is important.
As an increasing level of connectivity reaches into devices that interact with the physical world, the consequences of security failures escalate, as do privacy concerns. Possible remote security attacks on a car’s engine systems – because the designers decided that the car’s entertainment system should be connected to Bluetooth and Wi-Fi to allow easy upload of music and media, but that the entertainment system should also be connected to the engine management unit for some bizarre reason – could potentially be life-threatening, for example.
Similarly, attacks on life-critical implanted medical devices such as insulin pumps or pacemakers are an area where serious attention is justified, given the potential for an electronic attack to mean mortal harm.
There are also privacy concerns in an environment where Internet-of-Things sensors, wireless sensor networks and machine-to-machine sensor data collection become more ubiquitous in the home. The large amount of data being collected from smart lighting, home automation appliances, smart energy management and control appliances and other sensor networks around your home could reveal a lot of information – what time you’re home, what time you’re not home, what time you sleep, how often you exercise or how often you cook, for example.
What if the information from smart energy metering appliances could be compromised by a potential burglar, who would then know what time your home is not occupied? What if data could be mined about your personal exercise or cooking habits from the fusion of information from smart appliances in your home?
Could that information be used for commercial benefit, for example by advertising or marketing agencies or health insurance providers? If your refrigerator keeps track of every food item you buy, there is obviously going to be interest – ethical or not – from market research companies, or health insurance companies, in looking to get access to this sort of information from the network.
We generally understand that information that people have generated is personal information – your information is your information, you own it and you control it, and there are expectations of privacy. But that understanding is not so clear when the information is generated by the machines around you, autonomously, without human control.
Is the information generated by your refrigerator, your lighting, your home automation appliances, exercise appliances or your car really “your” personal information which you expect privacy around? Do you “own” and control the privacy and security of that information? And is that a question that the general public is thinking about?
If all our collected data, data which may be considered personal or sensitive, is stored in the “cloud” because the cloud provides scalability, then our information is only as secure as the cloud service we use and we have no direct control over the security. So can we trust any given cloud service provider? How secure is it, really? And does a particular proprietary hardware product give us any choice in the servers or Internet services it uses?
If we unlock and lock our house with a gadget that only connects to its manufacturer’s web service on a server in a foreign country, for example, does that mean that the government of that country can legally compel that provider to provide that data on every time you arrive or leave home, no matter where in the world you live?
As you can see, integrating security into any Internet-of-Things product should be a prime concern – from both a physical and software perspective. Furthermore, educating the end-user through appropriate documentation is also paramount. Overall the consequences of poor security should not scare you, as these challenges can be met with the appropriate level of design.
Here at the LX Group we can help you in all stages of IoT product development, ensuring a level of security to meet your needs is included – along with every other stage of design to manufacturing. To get started, join us for a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.
LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design.
Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.