The Internet of Things (IoT) might seem like a dream come true in many ways, like having a fridge order milk for you when you’re running low, self-driving cars to take you where you want to go, and more comprehensive health-care reports. However, as security professionals, this also could be our worst nightmare.
The IoT has some serious security concerns, especially as we get into more, widely used technologies. In fact, studies show that there will be 24 billion IoT devices installed by 2020. With an eye to solving some of these potential security problems, chip maker Microchip Technology and Amazon Web Services (AWS) have partnered for end-to-end IoT security.
With all of these devices installed, there are exponentially more entry points for cyber criminals to grab our private information. The Federal Trade Commission’s report, “Internet of Things: Privacy & Security in a Connected World,” discovered that “fewer than 10,000 households can generate 150 million discrete data points every day.”
The dramatic fear that some people feel in regard to end-to-end IoT security doesn’t seem like an exaggeration when we consider the hack of Ukraine’s power grid. This attack left more than 230,000 residents and businesses of Ukraine in the dark with no access to light or heat.
This hack was undoubtedly difficult, completed by “skilled and stealthy strategists who carefully planned their assault over many months” and who finally launched “a synchronized assault in a well-choreographed dance,” according to Kim Zetter, an award-winning reporter on cybercrime, privacy, and security.
Robert M. Lee, former cyber warfare operations officer for the U.S. Air Force, says the sophistication of the malware was not the most interesting aspect of this attack. Instead, he believes it was the “logistics and planning and operations.”
Lingering aftereffects
Researchers still aren’t completely sure who carried out this attack. The power was back on rather quickly, but all the computers did not work even months after the attack. Instead, many of the breakers still must be turned on manually.
According to experts, this is actually a better outcome than if the same attack were carried out in the United States because most of our power grid control systems here don’t have manual backup functionality.
If an entire country-state could be assaulted by an attack, what can protect an individual person with their front door controlled by a computerized lock? There are many frightening instances of hacks on end-to-end IoT security that have already occurred.
Hacking cars, guns, and sex toys
For instance, security researchers Charlie Miller and Chris Valasek showed the world that hacking a car is possible, taking over every aspect of a Jeep Cherokee. This includes everything from blasting the air-conditioner to disabling its transmission and brakes.
An equally terrifying event occurred when another pair of security researchers, Runa Sandvik and Michael Auger, were able to take control of a smart-gun. They can “make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing.” They were even able to change the target so the gun would shoot wherever the hackers wanted it to.
Beyond end-to-end IoT security and safety, there’s the simple issue of privacy. There’s currently a lawsuit against Standard Innovation, creator of sex toy We-Vibe, for sharing information like frequency of use, selected vibration setting, the toy’s battery life, and temperature.
Clear to everyone who works in this field, end-to-end IoT security is not something to be ignored. So, what can we do about it?
Possible solution
Amazon Web Services and Microchip Technology have teamed to develop end-to-end Internet of Things security procedures and simplify IoT solutions that operate on AWS, as reported by EETimes.
This solution means more than just a higher level of design encryption, claims Eustance Asanghanwa, Microchip’s product marketing engineer. Instead, “encryption depends on the use of keys, which must themselves be kept safe if the communications are to be trustworthy.” Thus, it is the “generation, sharing, and management (including protection) of these keys that create the challenges for IoT OEMs [original equipment manufacturers]”.
Some issues arise in all the steps necessary for the keys to remain private. First, a unique and secure key must be generated for every individual device. Then, these keys must remain private and protected through its manufacturing.
This helps guarantee that the end user will be able to establish a trustworthy connection to the web server. This key must also be protected throughout the entirety of the device’s operating life.
Asanghanwa explained that the solutions available to the market today involve “costly equipment and logistics, including the installation of expensive hardware, secure modules, use of secure rooms in factories, and conducting periodic factory security audits.”
Microchip Technology’s new product works to simplify this incredibly complex and expensive chain of events. Instead of requiring the OEM to follow this path of private key generation, they instead work with root certification.
Designed to function only with AWS, the technology will ensure the validity and authenticity of each device, protecting users from the possibility of counterfeit or uncertified devices.
Additionally, as a partner with Amazon Web Services, Microchip Technology will provide interested companies with development kits and solutions for test and pilot purposes. According to the two companies, this will help further the position and security of both.
“We understand the often complex nature of implementing AWS mutual authentication in microcontrollers,” said Nuri Dagdeviren, vice president and general manager of secure products at Microchip Technology-owned subsidiary Atmel. “The customer would need to have some understanding of how to secure a software implementation, and this often creates a huge barrier.”
Dagdeviren said that the company is “thrilled to have the opportunity to work with the world’s largest cloud provider to build a solution that helps our customers easily and securely connect to the AWS Cloud.”
This security partnership is not to be underrated. In fact, it could be one of the greatest improvements to the potentially frightening world of the IoT. Stricter security and privacy is something we can’t compromise on as we progress into a world of smart products.
As Marco Argenti, vice president of mobile and IoT at Amazon Web Services explains, “For all companies we work with, embracing security best practices are an essential step in achieving our mutual goal of offering customers the best and most secure IoT platform available. We believe this new solution will be one of the simplest and most cost-effective ways for our customers to comply with our security best practices.”
Photo credits: Freerange Stock, Jeep
