Title: The Weakest Point of Security in IoT
Date: September 11, 2015
Author: Dr. Nagula Sangary, CEO, BitCircle Inc.
The risks to the security and privacy of personal information are becoming a major issue in the Internet of
Things (IoT) market as the hacking of databases is occurring with increasing frequency. As more people
and organizations start to use or offer IoT-enabled services, the number of agents with malicious intent
will also increase, given that the information found in the databases is a tempting target for those who
would seek profit through identity theft or other criminal means. Although there are methods of
addressing information security vulnerabilities, many players in the industry are not taking appropriate
action to mitigate risks as they may be unaware of the specific flaws and attack points, or the solution to
the problem may be at odds with their business model.
If one were to investigate recent cybersecurity breaches, one would readily determine that they occurred at
the storage space of the data and not in the communication links or at the data’s point of origin. In general,
most of the internet protocols, the wireless communication systems and the sensors used in the IoT have
sufficient security features enabled to deter hackers. However, at the data storage point there are very few
security safeguards implemented. The primary reason for this is that the authorized service providers need
to view users’ personal data in order to provide the required services; having extraneous security measures
in place would adversely impact their access to that data.
In addition to the data being exposed at the point of storage, the number of authorized staff in a service
provider company who have access to the data can be quite large and difficult to monitor, which is another
risk. It would take only one employee with nefarious intentions to release clients’ personal data, to give
access to unauthorized staff, or to convey knowledge of the weakest links in security protection to outside
hackers. Neither corporate ethics policies nor laws are sufficient protection against acts of this nature. The
security of IoT systems will continue to be an issue until gaps such as this are addressed.
A solution to combat these threats lies in the following process: every piece of data that enters the specific
IoT solution-space should be encrypted at the source and subsequently stored at a separate location rather
than at a single repository, and tight controls should be in place for authorized access to this data.
One could draw an analogy between the early days of the computer age and the modern cloud-based
services. Initially, computing services and applications provided to the users were based on a centralized
client-server model, which was necessary due to the high cost of mainframe computers. However, this
changed over time with innovation in the Personal Computer (PC) industry. The lower cost of processors,
memory, and associated components made it affordable for consumers to acquire their own computing
power. A similar trend is taking shape in the world of IoT with sensors, devices and mobile computing
getting cheaper every month.
In addition to affordability, the exponential growth of PCs could also be attributed to the privacy and
security they offered to the user. PC users wanted to regain control over the programs they used and the content
they created, without the vulnerability of using computing resources over a shared system. Having their
own personal computers afforded users a sense of comfort, and this type of distributed system in
essence created a new, better level of security.
In the modern era of reliance on cloud services, people are facing a somewhat asymmetric problem. Due
to the centralized model of the current cloud services, most cloud applications are offered to the users
essentially at no cost. Cloud service providers offer “free” applications and services in exchange for the
users’ personal information. However, the risk that users face is in the potential theft of their personal
information. As a result, central cloud-based solutions should implement information storage
methods similar to the PC-era method, where the users’ personal data is distributed rather than
centralized. Unlike the current system where hackers can break into one system and steal the personal data
of thousands of users, in a distributed system the hackers would need to break into thousands of individual
systems to achieve the same level of success. In addition, these individual (distributed) systems can be
further protected by encrypting every piece of data stored in them.
The encryption of users’ personal data with individual keys would provide an added level of protection and
peace of mind. However, the presence of this encryption would be in conflict with the business models used
by many corporations today. In the current models, in exchange for an individual’s personal information
many service providers give free applications for promoting fitness, asset tracking, games and more. This
data is then used for profiling people and the information is shared for big data analytics. Even though most
corporations obtain this information with permission, the idea of “uninformed consent” is being raised by
legal scholars and governments alike and this could become a major issue for these corporations in the
future.
All of the stated concerns can be addressed with a system that combines distributed storage and
individualized encryption schemes. The method for generating individualized encryption keys, and for managing
and protecting them, may be complex; however, it can be done with existing technologies. Undoubtedly,
development and deployment of such systems would require some expertise. Visionary companies such as
BitCircle have recognized this need and are developing solutions that address the issue of privacy and security
in the IoT space while still enabling the current business models of the service providers to exist,
as the users can authorize access for the service providers.
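A minimal sketch of the combination described above (individual keys, encryption at the source, separate per-user stores, user-granted provider access), added here as an illustration and not BitCircle's design or code. `Device`, `UserStore`, `providerRead`, the sample readings and the use of RSA-OAEP to wrap the data key are all assumptions made for the example.

```javascript
// Added illustration, not BitCircle's design. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// AES-256-GCM; blob layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// One store per user stands in for "separate locations"; it only ever holds
// ciphertext plus data keys wrapped for providers the user has authorized.
class UserStore {
  constructor(userId) { this.userId = userId; this.records = []; this.grants = new Map(); }
}

// Runs on the user's device: the data key never reaches the store in the clear.
class Device {
  constructor(userId) {
    this.store = new UserStore(userId);
    this.dataKey = nodeCrypto.randomBytes(32); // individual key for this user
  }
  record(reading) { // encrypt at the source, bound to the owner via AAD
    this.store.records.push(seal(this.dataKey, Buffer.from(reading), this.store.userId));
  }
  authorize(providerId, providerPublicKey) { // user-controlled grant
    const wrapped = nodeCrypto.publicEncrypt({ key: providerPublicKey, ...OAEP }, this.dataKey);
    this.store.grants.set(providerId, wrapped);
  }
  revoke(providerId) { this.store.grants.delete(providerId); }
}

// Provider side: can read a store only if the user wrapped a key for it.
function providerRead(providerId, privateKey, store) {
  const wrapped = store.grants.get(providerId);
  if (!wrapped) return null; // no grant: the provider sees ciphertext only
  const key = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  return store.records.map((r) => unseal(key, r, store.userId).toString());
}

// Constructed demo data: two users, one provider, one grant.
const provider = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const alice = new Device('alice');
const bob = new Device('bob');
alice.record('hr=72');
bob.record('hr=65');
alice.authorize('fitness-app', provider.publicKey);
```

Deleting a grant only stops future unwrapping; a provider that already unwrapped the data key can keep it, so revocation in practice also requires the device to rotate its key and re-encrypt.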
The successful adoption of IoT technologies and resulting business growth will depend on the number of
individuals making productive use of IoT-enabled services. In order for people to feel comfortable with
the system, the key players in the IoT space must continue to address the privacy issue and provide the most
secure environment for the users.
Contact information of the author:
Nagula T. Sangary PhD, MBA
Chief Executive Officer,
BitCircle Inc.,
22 King St. South, Waterloo,
Ontario, N2J 1N8
www.bitcircle.com
Office #: (519) 725-2247
Email: nagula@bitcircle.com
Adjunct Professor
Department of Electrical & Computer Engineering
University of Waterloo, Waterloo, Ontario, Canada
McMaster University, Hamilton, Ontario, Canada
Central South University, Changsha, China
Email: nsangary@uwaterloo.ca
