The New World of Internet of Things (IoT) Devices: The Invisible Threat to Privacy
As technology gets better, our lives are becoming more and more convenient. Eventually, technology won’t be a novelty. Convenience will be expected.
At CES 2015, “smart” devices and wearables were everywhere. Companies were eager to show off the latest cameras and media devices. Everyone was excited to try them.
Many of these devices will allow you to reach and control systems inside your home or your car. Other “smart” devices will send data to the cloud for processing and analysis, and some of these “smart” devices will be controlled as well. It won’t matter where you are in the world, as long as there’s an Internet connection.
As we get used to this control, the Internet of Things (IoT) will become real to us. Will we notice the long-term effects?
Convenience and availability – but at what price?
There are obvious and pressing challenges that come with convenience:
- Are the devices secure?
- What about privacy? Can wearable devices be traced to me when I or my children use them?
Is a loss of privacy and having your actions traced the high price you’ll have to pay to enjoy the cool and convenience-filled features of the latest IoT devices? At TrustPoint, we don’t think so.
We’re working hard to provide vendors ways to satisfy privacy and security requirements for the IoT devices.
Protecting privacy
Most people don’t realize that the IoT devices have some type of identifier that are often transmitted in the clear (or as a plaintext in cryptography) while the device is communicating, so that the device can be identified and authenticated, in order to communicate with it securely (at least initially while establishing a secure session with the device, either from another device or the infrastructure). As an example, this identifier can be a physical address (e.g. MAC address in WiFi) or statically assigned device ID during manufacturing.
In this case, privacy is at risk. It’s possible – and, in fact, easy – to trace the device, and ultimately the device owner.
There are two typical communication types for IoT devices:
- Communications between IoT devices directly
- Communications between IoT devices and infrastructure
It’s important that the IoT devices can mutually authenticate each other to communicate securely (“proven trust” concept).
The best way to do this is to use some form of device identifying information digitally signed by the entity (or entities), i.e. Certificate Authority (CA), that all the communicating devices trust.
Traditionally, this would be some type of Public Key Infrastructure (PKI). It doesn’t need to be very complex, but it does need to be very efficient to “play nicely” in the IoT space:
- The certificates need to be small (tiny if possible, M2M certificates is a very good fit for the IoT devices).
- The algorithms need to be fast (ECC-based crypto algorithms) on devices with limited resources.
Within traditional PKI, the device identity can usually be traced, which is not a desirable “feature” for the IoT devices. Some techniques do exist to provide authentication without revealing the device identity.
A very good existing and working example of the privacy preserving PKI with non-traceable identities is the V2V certificates.
In my next blog post, I’ll look at the typical IoT challenges the device vendors are facing.