Why IoT data security matters for businesses

The Internet of Things is eating the world. Estimates of the number of connected devices by 2020 range from a conservative 20.4 billion to an exuberant 200 billion.

Estimated number of IoT devices
Estimated from Gartner, IDC and Intel.

Does this explosion in the number of connected devices make our businesses more vulnerable? Possibly. Maybe. It all depends on how businesses, vendors, and developers solve the security issues.

Philosophies and approaches vary from company to company. When known industry experts are asked about the subject, they raise many issues and points of view:

Ian McClarty, President, PhoenixNAP Global IT Services

@phoenixnap

“The fundamental security weakness of the Internet of Things is that it increases the number of devices behind your network’s firewall.

Securing IoT devices requires more than securing the actual devices themselves. We have to incorporate security into software applications and network connections that link to those devices.

Ten years ago, most of us had to only worry about protecting our computers. Next, we had to worry about protecting our smartphones. Now we have to be concerned with protecting our car, our home appliances, our wearables, and many other IoT devices. Because there are so many devices that can be hacked, it is a constant security challenge.”

TJ Kan, CEO, Insignary

“The IoT Security First Line of Defense Should Be Examining Firmware for Known Vulnerabilities:

The vast majority of IoT devices leverage open source software and software components within their firmware. In a perfect world, the firmware vendors would make sure that the code they send to customers and OEMs is free of all known security vulnerabilities – for which there are almost 100,000. However, scanning and patching for vulnerabilities do not happen very often – due to the code being shipped in binary format – up and down the software supply chain. This provides hackers with numerous entry points into IoT devices and networks.”

Danie Marais, Director of Product Management, Redstor Ltd

“IoT is tipped to be the next big innovation for consumer-focused industries and has shown a great deal of promise; smart cars and connected homes are always making headlines. However, for organizations of all sizes, IoT can mean something slightly different; network connected devices such as printers, CCTV, webcams and Wi-Fi routers represent the IoT landscape as it currently stands for businesses. IoT has built a bad name for itself when it comes to security and has become known for poor levels of it. Hackers have quickly worked out how to turn your connected devices into botnets that can be used to launch large scale attacks on other organisations and networks, often without your knowledge. In 2016, hackers were able to turn over 150,000 IoT devices into botnets and initiate an attack with global repercussions. The problem stems from poor credential management. The Mirai strain of malware used took advantage of default passwords and account settings and with relative ease was able to access the devices. Secure credential management is best practice across all aspects of business; many organisations will have staff update passwords regularly and ensure that ‘password1’ is not being used. For IoT devices this is often forgotten but it is the most important aspect of securing devices.”

Michael R. Durante, President of Tie National, LLC

@tienational

“The most crucial aspect of IoT security for our business and for the business of our clients as well is to design and constantly re-evaluate all elements of our IT Security Plan to meet the evolving changes to the threat landscape. This plan is made up of multiple policies which address everything from security patches to the frequency of cyber security training with our staff. Specifically in the case of IoT for example, our IT Security Plan states that all non-essential devices (those which do not require immediate access to our secure network) are to connect using a Guest network with Universal Plug and Play (UPnP) options disabled where possible. By using a guest network, we ensure no connection points are left vulnerable for malware looking to hop from the IoT connection into our main server.”

Derick Jose, Co-Founder and Chief Data Scientist, Flutura Decision Sciences and Analytics

@fluturads

“In an industrial context, the single most important aspect of IoT security is to have “complete air gap between the closed loop operational systems network and the rest of business operations network”.

The rationale:

– Closed loop operational systems are sensing and responding to operational conditions. For example, a valve is automatically opened/closed in a chemical reactor in response to process conditions

– This network should be “air gapped” or completely isolated from business networks which are much more vulnerable

– If a hacker enters the business network and because of lack of “Air gap” enters into the operational network it can be catastrophic

– He can interfere with the valve open/close process, this results in the reactor having dangerous levels of certain chemicals which the valve did not control

– It can result in toxic or explosive outcomes and potentially cause Health Safety Environment (HSE) issues”

Sam Shawki, CEO and co-founder of MagicCube

@sshawki

“When it comes to IoT data security, many organizations look to the cloud for securing IoT device data, however this approach is partial at best. Here’s why: Once an IoT device has data on it worth protecting, that data is stealable, because when the device is offline it can easily be breached, enabling access to its data. While cloud technology can monitor and assess security risks, it can’t physically interfere or deterministically protect. In the case of mobile IoT data this is precisely why security chips and SIM cards still exist, because the only way to protect valuable IoT device data is via physical security.

Because IoT devices are primarily mobile, it’s extremely difficult to prevent malicious entities from taking over and talking to them. The key is to secure the device identity within a trusted space. Then, you can define who can talk to the device by tying a device identity to secure credentials (e.g. a biometric or password). These credentials can either belong to an entity or a person. For instance, to make sure only you can use your smartphone, Verizon and AT&T store your device identity on a SIM card.

Here’s where things get tricky. With the IoT, it’s absurd to think that each and every IoT device — made by thousands of different manufacturers — could have a chip (let alone a standardized one) or the ability to store a unique device identity. This is why we need to virtualize the concept of security chips to scale along with the IoT. In other words, we need to leverage software that can prevent unauthorized identities from connecting to and hijacking the control of IoT devices.”

Alan Grau, President & Founder, Icon Labs

@floodgate101

“The most critical aspect of IoT security is identity management for all of the devices in the system. The number of connected devices is exploding and unless each device has an identity that can be used to authenticate the device, securing the IoT and IoT devices will be impossible. The purpose of the device identity is to ensure that counterfeit devices are not introduced and to prevent bad actors from masquerading as authentic devices. Strong identity and strong authentication based on this identity provides a foundation of trusted devices on which additional security elements can be added.”

Douglas Humphrey, expert instructor for IoT Cyber Security for Experfy

“The recent proliferation of IoT sensors and the need to push computing power to the edge of the network to make profit, achieve ROI and see breakthrough performance have massively increased cyber attack surfaces and attendant cyber security risk. In this brave new world of IoT, while a hacker needs to find just a single way in to the network in order to have access to all of it (“hack one, break them all”), a company must now protect so much more.”

Joni Kautto, CEO of Accolade

@jonikautto

“When it comes to IoT and security, the main thing that really needs to change is mindset. While many of us are coming round to the idea that online banking passwords shouldn’t be easy to guess, we somehow fail to take the same precautions with connected devices.

It doesn’t help that manufacturers of consumer level devices regularly ship them with weak default passwords or security settings. These are obviously meant to be changed, but whether it’s done is entirely up to the consumers themselves – many of whom are just not used to the idea of setting strong passwords for TVs (and this is how botnets of millions of connected devices are born – all you need is telnet and a dictionary of factory-default credentials).

If this lack of awareness makes consumers vote for cheaper devices with their wallets, it may force manufacturers to cut corners and sacrifice strong security for more desirable features.
Then again, better consumer education is just one of many variables; UI/UX design for security, strong security policy implementation and frequent user-friendly security updates are all issues that need to be solved before we will live in a safe and secure connected future.”

bttn and IoT data security

The bttn philosophy has been very straightforward from the start: it is the IoT solution that doesn’t compromise your data security.

bttn was designed and built to be inherently secure and fit for business use. The system does not store or transmit any critical data where it could be compromised.

Figure: bttn’s secure end-to-end architecture

As an example, a bttn device contains no information about its user or owner, nor any access keys to customer systems. Its memory holds only very long random key material for secure authentication with the server.

bttn devices communicate over HTTP with two-way message authentication. Communication is always initiated by the device. Random keys are generated on-demand per transaction to prevent device spoofing and message replay.
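One way a device-initiated exchange with two-way message authentication and per-transaction keys can be built, as an added example that is not bttn's own code or protocol. HMAC-SHA256, the nonce sizes, the message layout and all names (`Server`, `Device`, `bttn-0001`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative sketch: HMAC-SHA256 and the message layout are assumptions,
# not bttn's protocol. The long-term key is the only secret on the device.

def mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so field boundaries cannot be shifted.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Server:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> long-term random secret
        self.pending = {}               # (device_id, device_nonce) -> server_nonce

    def hello(self, device_id: bytes, device_nonce: bytes):
        key = self.device_keys[device_id]
        server_nonce = secrets.token_bytes(16)
        self.pending[(device_id, device_nonce)] = server_nonce
        # Proves to the device that the server knows the shared secret.
        return server_nonce, mac(key, b"server", device_id, device_nonce, server_nonce)

    def accept(self, device_id, device_nonce, event, tag) -> bool:
        # pop() makes each transaction single-use, so a replayed message fails.
        server_nonce = self.pending.pop((device_id, device_nonce), None)
        if server_nonce is None:
            return False
        txn_key = mac(self.device_keys[device_id], b"txn", device_nonce, server_nonce)
        return hmac.compare_digest(tag, mac(txn_key, b"device", device_id, event))

class Device:
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key = device_id, key

    def press(self, server: Server, event: bytes = b"pressed"):
        # The device always speaks first, with a fresh nonce of its own.
        device_nonce = secrets.token_bytes(16)
        server_nonce, server_tag = server.hello(self.device_id, device_nonce)
        expected = mac(self.key, b"server", self.device_id, device_nonce, server_nonce)
        if not hmac.compare_digest(server_tag, expected):
            raise ValueError("server failed authentication")
        # Fresh key per transaction, derived from both nonces.
        txn_key = mac(self.key, b"txn", device_nonce, server_nonce)
        tag = mac(txn_key, b"device", self.device_id, event)
        message = (self.device_id, device_nonce, event, tag)
        return message, server.accept(*message)
```

Because the transaction key depends on nonces from both sides and the server consumes each pending transaction once, a captured message cannot be replayed and a party without the long-term key cannot pose as either the device or the server.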

You can download a white paper about bttn and IoT data security.

Later on, eCommerce set specific requirements for IoT security, or actually for security from a broader perspective.

That drove the development of the bttn for commerce API, which allows secure linking of bttns with your online ordering system to provide your customers with a one-press ordering experience. It has two main benefits for merchants and their customers:

  1. Easy deployment with customer self-provisioning: You can distribute thousands of bttns to your customers without having to pre-configure them. Your customers just fill in a simple form to claim a device.
  2. Secure transactions: When a bttn is pressed, the bt.tn cloud server passes a purchase request to your ordering system without sending any private customer data.

There is a downloadable white paper about bttn for commerce API.

The bttn for commerce API is protected by a US patent that is linked to bttn’s main patent, which has to do with, well, bttns and remotely triggering things in general. But that’s a topic in and of itself.

Written by Will Nash, Head of Marketing at Bttn