Securing the IoT
Ever since my apartment was burgled last year, I have been thinking a lot about the security not just of my home but more generally of IoT-enabled devices and the data that they transmit.
To protect my property, I have installed a WiFi-connected camera in my flat to monitor any movements when I am away. But I am very conscious that unless the camera is completely secured from outside interference, it could represent not an increase in security but a threat to it. If a hacker were able to break into the camera and see the flat, he could then use it to survey the apartment and time his entry for when nobody was home.
Needless to say, I have secured my camera to a high level, but how many people who are not technology specialists will be prepared to go through the steps needed to secure their networks? The default setting from many manufacturers of IoT devices is “admin” for the login and “password” for the password. It is far too easy for malicious hackers to gain access to a household device when the barriers are as low as this. And most end-customers do not have either the inclination or the capacity to set up multiple passwords for different devices.
Encrypting data in connected devices
Rather than requiring end-customers to go through the painstaking process of securing each connected item with its own login and password, I believe an alternative model is more useful: a centralized security infrastructure that delivers and injects digital identities, such as electronic certificates and keys, into IoT devices. These elements are used to automatically encrypt the data that IoT devices send to the application through the network. Thus, the communication link can be secured.
At Atos, we have already implemented different security solutions dedicated to IoT devices. One of them is based on the LoRa Alliance protocols that are used for wireless battery-operated devices connected to a dedicated network. The LoRaWAN protocol uses several layers of encryption to ensure security on the network level, the application level and the device level, based on automated key distribution. We deploy a centralized server into the LoRa network which manages connected devices across their lifecycle and creates their digital identities to secure data at all levels.
Using LoRaWAN standards, we can establish a secure network and make sure that only applications that are recognized by the IoT network can read the encrypted data from the devices.
The growing deployment of IoT devices requires scalable solutions with high availability. As the products we deploy are based on technologies already able to support billions of transactions every year in the banking sector, we can manage hundreds of secured transactions per second for IoT devices.
In France, we are protecting the LoRa network that Bouygues Telecom subsidiary Objenious has built for customers such as retailer Carrefour, which is using the network to track its roll containers on the way to supermarkets. Our server distributes the authorized keys not only to the devices but also to network equipment, such as gateways and application servers, as well as to the network operators. Even if a hacker could connect to the LoRa network, he would not be able to decrypt the data he finds without the key used by the device.
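The key separation described above, shown with the LoRaWAN 1.0.x join key derivation and payload encryption. This is an added example, not Atos code; the AppKey, nonces, DevAddr and payload are constructed, and AES-128 is written inline only so the block runs with the Python standard library.

```python
def _gmul(a, b):                       # multiplication in GF(2^8), AES polynomial
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ 0x11B if a & 0x80 else a << 1), b >> 1
    return r

def _sbox_entry(a):                    # field inverse (a^254), then affine transform
    inv = 1
    for _ in range(254):
        inv = _gmul(inv, a)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
SBOX = [_sbox_entry(a) for a in range(256)]

def aes128_encrypt(key, block):        # single-block AES-128 (FIPS-197), stdlib only
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):             # key schedule
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _gmul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    s = list(block)
    for r in range(11):
        if r:                          # SubBytes + ShiftRows
            s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]
        if 0 < r < 10:                 # MixColumns
            s = [_gmul(s[i], 2) ^ _gmul(s[i - i % 4 + (i + 1) % 4], 3)
                 ^ s[i - i % 4 + (i + 2) % 4] ^ s[i - i % 4 + (i + 3) % 4] for i in range(16)]
        s = [x ^ y for x, y in zip(s, sum(w[4 * r:4 * r + 4], []))]
    return bytes(s)

def derive_session_keys(app_key, app_nonce, net_id, dev_nonce):  # LoRaWAN 1.0.x join
    # Network and application session keys both derive from the device root AppKey
    tail = (app_nonce + net_id + dev_nonce).ljust(15, b"\x00")
    return aes128_encrypt(app_key, b"\x01" + tail), aes128_encrypt(app_key, b"\x02" + tail)

def crypt_payload(key, dev_addr, fcnt, data, downlink=False):
    # FRMPayload XOR keystream of AES blocks A_i; the same call encrypts and decrypts
    out = b""
    for i in range(0, len(data), 16):
        a = (b"\x01" + bytes(4) + bytes([downlink]) + dev_addr.to_bytes(4, "little")
             + fcnt.to_bytes(4, "little") + bytes([0, i // 16 + 1]))
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], aes128_encrypt(key, a)))
    return out

APP_KEY = bytes(range(16))             # constructed root key, never use a real one like this
NWK_SKEY, APP_SKEY = derive_session_keys(APP_KEY, b"\x01\x02\x03", b"\x00\x00\x13", b"\xaa\xbb")
FRAME = crypt_payload(APP_SKEY, 0x26011BDA, 7, b"container 42: dock B")  # constructed uplink
```

A party holding only `NWK_SKEY` can route and integrity-check frames (the MIC step is not shown) but cannot recover the payload; only the holder of `APP_SKEY` can.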
Smart times need smarter security
As the IoT hits the mainstream, we are hearing a lot about use cases, but not so much about security. I believe this to be a mistake: security is the key enabler of these use cases. Without security, many of the business models for IoT will collapse.
For instance, autonomous cars will need secure communications with each other and with smart city infrastructure such as traffic lights. They will need to know when to slow down and when to speed up, and by how much. There have already been cases when cars have been hacked while in autonomous driving mode, with potentially catastrophic consequences.
Without secure digital certificates and identities, many IoT use cases will not be able to get off the ground. Who would get in a car they could not trust? Even more dramatically, who would use a pacemaker that is vulnerable to being hacked?
Digital transformation is at the top of everyone’s agenda. But if new business models are to become a reality, then we will need a new focus on security, and new ways of securing IoT devices and protecting the data and privacy of our end-customers.