Lock Your Digital Doors: When IoT Falls Into The Wrong Hands

Our fridges automatically re-order milk. Our fitness trackers prompt us to do more exercise. And our smoke alarm calls us when there’s something wrong. The personalised services wrapped around hardware is thriving in the Internet of Things (IoT) – and with it the rise of subscriptions to these services. However, while IoT data is used to make our lives more convenient, more entertaining and more productive, the glitter surrounding IoT is often dimmed by legitimate security concerns, and it’s not without reason: IoT put into the wrong hands could lead to very undesirable results.

Consider how car break-ins are done in the past and in the future. With a car that is not connected to the internet, the car’s physical security is at risk and customers may bear the loss of a music system or personal valuables. With a connected car, we are talking about a systemic cybersecurity threat with results that could be as severe as remote hijacking with you still in the driver’s seat. This is one example of where a lack of security poses life-threatening dangers. As more and more devices around us are connected to the internet, we become more susceptible to these types of threats.

Recent incidents involving connected cars, such as the Chrysler Jeep Cherokee hack over in the US, pose a threat to customer confidence in IoT technology. Chrysler had to physically recall 1.4 million vehicles. If it had happened to Tesla cars, the fix would be possible with a remote software patch overnight.

Safeguarding the realm of IoT requires applying two basic principles of information security: strong authentication and secure communication. The current leading solution to apply these principles has existed for decades in the form of Public Key Infrastructure (PKI).

PKI is a foundation of trust that enables security by providing strong authentication and encryption services.

Take the connected car from above as an example. Communications between the car and its connected services needs to have strong authentication. The car system must not accept commands from a third party without properly ensuring the commands actually came from an authorised user of the car. One way to mitigate this risk is to perform mutual authentication where the car authenticates the service, and the service authenticates the car.

In addition to strong mutual authentication, devices need a secure channel to communicate with the service to ensure confidentiality and integrity of data. This can be implemented using high-strength encryption protocols between the device and connected services. Digital certificate and asymmetric encryption technology enables such strong encryption when devices and services are configured to leverage them appropriately. The common technology that enables strong authentication and secure communications leverages PKI.

When you use a computer to connect to an internet service such as your email, you would normally input a username, password, and in some cases a token for authentication. Because most IoT devices have a small form factor, they do not possess interfaces such as a keyboard. This is where PKI becomes the solution. With PKI, a device can have a digital certificate installed and managed by a secure service that allows the device to mutually authenticate without further human interaction.

PKI has a number of use cases beyond IoT, including mutual authentication for APIs, endpoint authentication, and secure remote access to production systems. Although PKI has the potential to solve all of the above considerations, it brings about its own unique set of challenges. The Internet of Things is a constantly evolving and growing field. The potential volume of devices presents many scaling challenges never before encountered, from digital certificate provisioning to validation.

Consumer demand is pushing companies to launch innovative, personalised subscription services that rely on data, so there is no longer any doubt that security must join physical safety at the top of every IoT company’s primary consideration. The Jeep Cherokee hack wasn’t just a wake-up call for the automobile industry – it was also a lesson for all companies with devices that connect to the internet.

John Phillips is VP EMEA at Zuora.

What do you know about the Internet of Things? Take our quiz!