Securing the Internet of Things

Joe Luong

Joe Luong is CEO of Crypta Labs

Wearable tech has been described as “representing the next phase of the mobile revolution” and as widely predicted, 2015 saw the start of widespread commercial success of wearable technologies and Internet of Things (IoT) devices.

These internet-connected mobile devices exist to capture and exchange data. Often core functionality relies upon the ability to sync efficiently with other devices. This results in an ecosystem where files can be transferred quickly between devices, travelling around the world nearly instantaneously. Worryingly, however, HP recently conducted a survey that revealed that 90% of all IoT devices do not have encryption, and 70% have no security features at all.


90% of IoT devices do not have encryption according to a recent HP study

What are the risks?
It is estimated that by the end of the decade there could be 50 billion internet-connected ‘things’ in existence. These devices, swiftly integrated into our homes, cars and clothes for example, will undoubtedly bring enormous benefits. However, without adequate security, we are exposing ourselves to potential hacks, which could have costly, even fatal, consequences. The Information Security Forum (ISF) has published several research papers highlighting the security and privacy implications of IoT, specifically relating to:

  • Medical devices: unauthorised access to configuration settings as well as data on location, blood pressure/sugar levels and other bodily functions
  • Buildings and critical infrastructure: malicious damage to power/ production/ generation/distribution, manufacturing and transportation
  • Automobiles: in-car Wi-Fi, remote access, tampering of engine control and braking systems (The recent Jeep, Tesla, VW and OnStar revelations have gained media attention of these risks)
  • Commercial and personal drones: collection of significant personal data by drones; or compromised or personal drones used for kamikaze attacks
  • Home appliances: denial-of-service attacks using unsecure connected devices, such as home entertainment systems and compromised smartphone apps

What are the security and privacy implications of the IoT?

Whose responsibility is it to secure the IoT?
Mobile security begins and ends with better encryption, which is the responsibility of technology manufacturers and mobile operators. They must have an understanding of risks and responsibilities in protecting personal and corporate data as well as functionality within the Internet of Things. This should clearly include:

  • Ensuring that minimal (and only relevant) data is collected
  • Adopting the strongest encryption available
  • Ensuring that staff and consumers understand what data is collected.

So what is the solution?
Fortunately, both businesses and academic institutions have recognised the importance of this issue, specifically the need to improve data encryption. Quantum scientists have been working on solutions to find better seeding for encryption.  In partnership with academics, a security chip which can be installed on all mobile, IoT devices and wearable technologies is being developed, which uses light to count the photons reflected off of real-world objects to generate a true random number, encryption from such a quantum random number generator will, theoretically, be unhackable.

Joe Luong is CEO of mobile security firm Crypta Labs, you can follow them on Twitter @cryptalabs. Don’t forget to follow us too @DigiCatapult.

One Comment on:
“Securing the Internet of Things”

  1. Craig Heath says:

    Thanks for this post, it’s a very welcome contribution to raising awareness of the need for security measures in IoT devices.

    I am wondering about your statement “mobile security begins and ends with better encryption” – it seems to me that encryption is just a building block, and people worry too much about whether they are using the right encryption algorithm or a sufficiently long key, thus neglecting other concerns such as effective key management or strong authentication. I’m sure you didn’t mean that *all* you need is better encryption, perhaps you could clarify?

    I had a look at the HP survey you linked to, and I think there must be a typo in your statement “90% of all IoT devices do not have encryption” – the report actually says “70 percent of IoT devices analyzed did not encrypt communications to the internet and local network”. I also wonder how much of that 70% actually needed to encrypt communications – perhaps they were not transmitting any sensitive data?

    Thanks again for contributing to the discussion!

Leave a comment