Why Your IoT Devices Need E2E Security
Many describe the era of the Internet of Things (IoT) as a time of hyperconnectivity and interoperation, intended to make our lives effortlessly convenient and customized to personal liking. There are concerns, too, mainly over vulnerable IoT devices that hackers could exploit to spy on users. While that is a valid concern, privacy is not the only matter at stake.
So what is the big issue? In essence, it’s the absence of seamless security. The current status quo of waiting until post-deployment to secure IT environments is not suitable for the rapidly approaching IoT era, with the number of IoT devices predicted to surpass a whopping 80 billion by 2025. What needs to occur is a systematic shift towards an end-to-end (E2E) approach to security design, where devices are secured from the moment they first connect to the Internet.
Messaging apps have end-to-end encryption, but what is end-to-end (E2E) security?
As the name suggests, the E2E security philosophy takes a holistic, start-to-finish approach to security design. The idea is to secure all communication from the preliminary source to the end destination using relevant security protocols to eliminate all potential for third-party intrusion. To achieve this, security should be built in where applicable, and enhanced via additional layers of security that start protecting communications upon initial establishment. Taking an E2E approach to IoT security can help solve common problems with IoT, including data tampering, snooping, and device take-over attacks that often occur in patchy security environments.
It’s not up to the smart lock owner to secure the house
To grasp why E2E security is essential, it helps to understand how vast yet interconnected IoT infrastructures truly are. In brief, there are four main layers to IoT that require protection. The first layer consists of the devices that collect user information, such as smart home appliances. The next layer is made up of the various IoT gateways that collect information being sent to servers. The third layer is the servers that manage all types of data gathered from IoT operations. Finally, there is the infrastructure that forms the base of all these systems.
Now, securing all four layers, spread across software, firmware, and hardware domains, is clearly not a task that can be done by one institution, let alone by an individual end user. That is why each provider and developer should assume responsibility for security under mutual standards for IoT security.
From a technical viewpoint, legacy technologies are still highly relevant. IoT security relies on encryption for data integrity, authentication for identity management, and network security for threat management. However, these technologies must be integrated into solutions optimized for the IoT environment. This is the part where most progress and adoption have yet to take place.
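To make the device, gateway and server layers concrete, the following added example (not from the original article; `seal`, `Server`, the device IDs and the key provisioning are illustrative assumptions) shows a server using a unique per-device key to reject tampering, replay and impersonation by an untrusted gateway. It covers integrity and authentication only; keeping readings confidential would additionally need an authenticated cipher.

```python
import hashlib
import hmac
import json
import secrets


def seal(device_id: str, key: bytes, counter: int, reading: dict) -> dict:
    """Device side: bind identity, counter and reading under the device's own key."""
    body = json.dumps({"id": device_id, "ctr": counter, "data": reading}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Server:
    """Server side: the only other holder of each per-device key."""
    def __init__(self, keys: dict):
        self.keys = keys        # device_id -> unique key (assumed provisioned at manufacture)
        self.last_ctr = {}      # device_id -> highest counter accepted so far

    def accept(self, msg: dict) -> str:
        try:
            body = msg["body"].encode()
            fields = json.loads(body)
            dev, ctr = fields["id"], int(fields["ctr"])
            key = self.keys[dev]
        except (KeyError, TypeError, ValueError, AttributeError):
            return "rejected: malformed or unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison of the tag the gateway delivered.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "rejected: bad tag"
        if ctr <= self.last_ctr.get(dev, -1):
            return "rejected: replay"
        self.last_ctr[dev] = ctr
        return "accepted"


def demo() -> list:
    # Constructed sample data: two devices, each with its own random key.
    keys = {"lock-01": secrets.token_bytes(32), "cam-07": secrets.token_bytes(32)}
    server = Server(keys)
    msg = seal("lock-01", keys["lock-01"], 1, {"state": "locked"})
    results = [server.accept(msg)]              # gateway forwards the message unchanged
    results.append(server.accept(msg))          # gateway delivers the same message again
    altered = dict(msg, body=msg["body"].replace("locked", "unlocked"))
    results.append(server.accept(altered))      # gateway edits the reading in transit
    forged = seal("lock-01", keys["cam-07"], 2, {"state": "unlocked"})
    results.append(server.accept(forged))       # a different device's key does not verify
    return results
```

Because every device has its own key, extracting the key from one camera does not let anyone speak for the lock, which is the practical payoff of unique credentials over shared defaults.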
So why is E2E security not the standard in IoT?
The best way to start accelerating IoT security standardization would be by first addressing the following three issues.
- The relatively low cost of producing IoT devices without adequate security. Basic sensors and ultra-low-power microcontrollers (MCUs) allowing data transmission and wireless connection are affordable to integrate, which makes it appealing to add IoT connectivity to any “dumb” device. What manufacturers tend to overlook is investment in security. Simply equipping cameras, routers, and other smart appliances with unique credentials instead of default passwords would be a great step towards basic security hygiene.
- The lack of compliance regulations. Several government bodies and institutions around the world have issued guidelines to pressure manufacturers into equipping products with built-in security and service providers into securing their operations, but to little avail. Hence, tighter compliance measures will be necessary for any significant progress to occur. For instance, the IoT Cybersecurity Improvement Act of 2017, which was introduced to prevent United States federal agencies from using inadequately secured IoT devices, was a step in the right direction, but very limited in scope. To be effective, legislation needs to incentivize deploying IoT security for all.
- The low consumer awareness of IoT security. What many consumers forget is that IoT devices rely on constant network access, often enabled by default. Unlike conventional laptops, most of today’s IoT devices must be secured from the moment they are switched on. For this reason, those held primarily responsible for communication security should be suppliers, manufacturers, product designers, and service providers, not end users as in conventional IT. Initiating a change in mindset will be challenging without higher consumer awareness of how security must be implemented throughout the IoT chain.
From connected cars to app-controlled coffee machines and intelligent grid management, IoT offers a world of opportunities to rethink the way we interact with technology. What we need to remember, however, is that heightened connectivity brings heightened risks. In order to benefit from the new opportunities, we must prioritize the cultivation of trust in IoT environments. This can be achieved by applying the E2E mindset to designing IoT security. Only with reliable participants and seamless security on board can IoT be safely utilized to create sustainable value as we enter a new, bustling era of connectivity.