An inconvenient truth about IoT security
The current political events in Barcelona provide us with a barely-needed reminder that we live in changing times, writes Rob Dyke, the field applications engineering manager at Trustonic. I was in the city as part of the Trustonic team exhibiting at IoT Solutions World Congress last week and took some time to speak with fellow vendors. I soon saw some fantastic product demonstrations that drew my attention – I wanted to learn more. Frequently though, the response to: “This looks great – how is it secured? How do we know the data is trustworthy?” was a puzzled look and an “It uses our cloud and we secure that” or “It runs on a secure OS”. Sometimes the response was worse: “It’s a closed network. You couldn’t attack it”.
It didn’t fill me with confidence. Everyone has a secure solution, it seems. But how do we know that it’s secure? Who has validated it? The questions and the perplexed looks continued. I slept uneasily.
I don’t want to criticise the IoT solutions that I saw – they were interesting and point to an exciting future for us all. Unfortunately, securing these solutions isn’t exciting and probably won’t draw a crowd to your stand. It’s rare to see ground-breaking security solutions making the news – consumers just expect it these days. Of course, you can expect a media frenzy if you’re breached. There have been some horrifying examples already and we are still in the early days of this industry. IoT solutions need to be secure by design – or, to put it another way, the components of the solution must already be secure when they are deployed. With the headache (and tedium) of security taken care of, the industry would be free to innovate and dream up even more exciting products.
I was showing an IoT security demo built on a Samsung ARTIK board, which already has Trustonic TEE technology embedded. It showed an IoT device connecting to Amazon Web Services (AWS), cryptographically proving that it is secure and has a trusted identity, thus enabling it to become automatically registered on the system. Perhaps not as exciting as an IoT boat or sports bike sharing data in real time, but it demonstrated that, by embedding a truly secure OS (one that’s Common Criteria certified and FIPS 140-2 approved) combined with a Root of Trust installed in the factory (think of this like a digital birthmark), an IoT device can be trusted pretty much automatically. Once you have an inherently trusted device, you can be confident that data from its sensors is also trustworthy.
Shakespeare wrote “Love all, trust a few”. So, love all the cool and exciting IoT products – but only trust the few which are truly secure.