IoT devices should not be singing like a bird

Birds are what come to mind as I consider the challenges facing the emerging explosion of smart devices and internet-connected equipment and systems.

More specifically, I’m thinking of the expression “he sang like a bird”, referring to the criminal who confesses all about his or her accomplices. Also, consider a mimicking parrot that will repeat whatever you say to whoever is in the room.

This concern about smart devices is only heightened by smart speaker Alexa's accidental recording of a private conversation and subsequent email of the audio file to someone on the owner’s contact list.

In 2015, there were about 15.4 billion connected devices. This number will grow to as much as 30 billion by 2020*. Those IoT applications will be generating a lot of data, as much as 847 zettabytes (847 trillion gigabytes) by 2021**.

In a world where data is increasingly the new ‘black gold’, these zettabytes of data are extremely valuable. For individuals, this data represents information about your behaviour at home, the security of your smart car, or details of your financial life.

For business and government, it’s intellectual property and decision-making secrets; it’s privileged conversations and access to reams of data on everything from how well a factory is running and how the power grid is functioning to the location of every delivery vehicle in a corporate fleet or how busy a street or neighbourhood is at any hour of the day or night.

We discussed the challenges of securing IoT in our "Cyber Resilience and Trust Report" issued in February. In that report, we identified a particular risk around IoT:

“There is a twofold level of vulnerability: points of access, and their by-product, the data generated. The gravity of the latter cannot be understated, as it is likely the greater vulnerability.”

Our concern is that today, insofar as IoT device security is discussed, the focus is on the point of access itself. This has been amplified by several high-profile DDoS (distributed denial of service) attacks that overwhelmed targeted infrastructure by commandeering millions of smart IoT devices. Ensuring you have strong (cryptographic) binding of the physical identity of a “thing” to its trusted digital identity is a key mitigating control to address this issue, and it is something we at DarkMatter recommend in all platforms that have this capability.

What we’re also urging is that beginning now, CISOs, CIOs, and other security professionals approach IoT devices and sensors with both challenges identified above in mind.

At DarkMatter, we’re helping clients address this through trust services such as public key infrastructure (PKI) to lock down communication and data flows to and from IoT devices; big data, artificial intelligence and neural-network-powered analytics that can monitor these volumes of data to spot anomalies; and managed services to provide a different approach to the logging of IoT anomalies.

The speed and scale at which we can tap the opportunities presented by IoT, without giving up many of those gains through costs associated with data leakage, will depend on our commitment beginning now.

Let’s also focus on securing the data being generated by these IoT access points, thereby ensuring they are “singing” only to their authorised audience.

* “13 Stunning Stats on the IoT,” Vision Critical, April 2017

** “Cisco Global Cloud Index: 2016–2021”, Cisco, February 2018

About the author

Scott Rea is SVP (Trust Services) at DarkMatter.

To know more or to meet our team visit us at Hack In the Box Dubai from 25-28th November 2018.