Securing the Internet of Things
When a device comes knocking on the front door, how do you know when to let it in?
We’ve all seen the incredible growth stats for IoT. And the market is already flooded with solutions to address all kinds of challenges that accompany these types of devices, but are we all talking about the same thing?
In a Forbes article from late last year, which summarized IoT studies, respondents believed “the IoT is associated with ever-greater levels of connectivity; more intelligence built into devices, objects, and systems; and a strong data and applied learning orientation.” This same article also stated that across different surveys, respondents that felt they were well prepared for the security implications of the IoT varied between 30 percent and 57 percent.
That’s a pretty wide margin and low by security standards. Each of these devices is connected to the Internet, and is therefore susceptible to being hacked.
I was recently visiting a friend who had the Amazon Echo. I had seen this advertised, but never gave it much thought until I played with it for 5 minutes. Now I have to have one. It’s a very cool and useful device for the tech-savvy homeowner, but also a liability, because it expands the attack surface with all its connectivity.
The biggest security issue with the IoT is authentication. Before the device performs a requested function, how does it know that the request is from the owner of the device, and not from a hacker? The device needs some way to identify the user.
In the case of a car, there may be an interface (the navigation screen) where you could prompt the user to authenticate, but in the case of a device like Echo, there is no interface; it is voice-activated. The obvious answer is to leverage an out-of-band or push notification mechanism to the user’s mobile device. The question then becomes how often you use this mechanism: too often, and it becomes annoying; too rarely, and it doesn’t protect the user.
User behavior is a strong indicator of an individual’s identity, and it can be used to detect when a user’s behavior differs from normal patterns. For example, a user normally requests news and weather every morning before requesting that Echo open the garage door. The user rarely uses Echo to open the door in the evenings, so a request to open the garage door at 3am would be out-of-pattern.
This may be viewed as a risky request, so Echo initiates an out-of-band authentication request. On the other hand, a different user may work the late shift. For this user, opening the garage door late in the evening would be quite normal. A behavior model learns the patterns for each user, and gauges risk based on that user’s unique patterns.
In addition, simply adding risk analysis provides greater assurance that the user is who they claim to be, and because it is transparent to the end user, there is no impact unless the transaction is deemed too risky. This lets you enhance security without introducing significant friction.
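The behavior model and risk-based step-up described in the last three paragraphs, as an added example (this is not code from the original post, and not Amazon's or any vendor's implementation). It assumes a hypothetical voice-device gateway that records each completed command as a (user, action, hour) tuple, buckets the hour into four times of day, and only sends an out-of-band push for sensitive actions whose risk score crosses a threshold; the two users, their history and the action names are constructed for the example.

```python
"""Per-user behavioral risk scoring for IoT voice commands (added example)."""
from collections import defaultdict

# Actions that move something physical get step-up authentication when risky;
# low-impact requests (news, weather) never do. Assumption for this example.
SENSITIVE_ACTIONS = {"open_garage", "unlock_door"}


def time_bucket(hour: int) -> str:
    """Coarse time-of-day buckets so a model learns from a few weeks of history."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    return ("night", "morning", "afternoon", "evening")[hour // 6]


class BehaviorModel:
    def __init__(self, min_history: int = 10, risk_threshold: float = 0.8):
        self.min_history = min_history
        self.risk_threshold = risk_threshold
        # user -> action -> time bucket -> count of completed requests
        self._counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))

    def observe(self, user: str, action: str, hour: int) -> None:
        """Record a request that completed for a verified user.

        Only feed back requests that passed (or did not need) step-up, so an
        attacker cannot train the model by repeatedly trying at odd hours.
        """
        self._counts[user][action][time_bucket(hour)] += 1

    def risk(self, user: str, action: str, hour: int) -> float:
        """1.0 = never seen this user do this at this time of day; ~0.0 = always."""
        buckets = self._counts[user][action]
        total = sum(buckets.values())
        if total < self.min_history:
            return 1.0  # cold start: not enough history to trust any pattern
        # Laplace smoothing over the 4 buckets so one observation cannot swing the score
        p = (buckets[time_bucket(hour)] + 1) / (total + 4)
        return 1.0 - p

    def decide(self, user: str, action: str, hour: int) -> str:
        """Return 'allow' or 'step_up' (send an out-of-band push to the owner's phone)."""
        if action not in SENSITIVE_ACTIONS:
            return "allow"
        if self.risk(user, action, hour) >= self.risk_threshold:
            return "step_up"
        return "allow"


def build_sample_model() -> BehaviorModel:
    """Constructed history: alice opens the garage every morning at 7,
    bob works the late shift and opens it every evening at 23, for 20 days each."""
    model = BehaviorModel()
    for _ in range(20):
        model.observe("alice", "weather", 7)
        model.observe("alice", "open_garage", 7)
        model.observe("bob", "open_garage", 23)
    return model


if __name__ == "__main__":
    m = build_sample_model()
    for user, hour in (("alice", 7), ("alice", 3), ("alice", 23), ("bob", 23)):
        print(user, hour, f"risk={m.risk(user, 'open_garage', hour):.3f}",
              m.decide(user, "open_garage", hour))
```

With this history, a 3am garage request from alice scores about 0.96 and triggers step-up, while bob's 11pm request scores about 0.13 and is allowed; the same 11pm request from alice is stepped up, because the model is per user rather than a single global rule. A brand-new user always gets step-up on sensitive actions until enough verified history accumulates, which is the cold-start caveat a deployment has to plan for.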
How are you securing your IoT devices?