Meet Your New Fingerprint
Your home is evolving. Thanks to the blossoming market for connected and intelligent things, your home life will never be the same.
Your new oven will begin warming the minute your new car’s GPS tells it you’re 20 minutes away. Your state-of-the-art air-conditioning will come on, too, ensuring that you step into a perfect 72-degree atmosphere. Without your having to touch a button, the podcast you were listening to during your commute will follow you from your car to your phone to your speaker system, so that you won’t miss a word—even in the shower.
Much of this future is happening now. Devices such as the Nest Thermostat and smart televisions are selling like hotcakes and dropping in price.
But the most promising across-the-board technological evolution in recent history comes with an equally large challenge: making sure these systems do not expose us to security threats. These can be nuisances at the very least, but sometimes they may lead to something much worse.
“If a wireless camera or thermostat in your home gets hacked, it’s not necessarily a big deal, but if one fails in a factory security zone or process monitoring area, it can result in equipment damage, major theft, injury, or even death,” says Bob Groppo, a former OQO senior fellow and current VP of engineering at Flex, creator of the world’s smallest fully functional Windows Vista PC. “This means the approaches to security need to scale with the potential impact of a security breach.”
While there aren’t baddies behind every corner hacking into your smart coffeemaker, device makers need to make sure baby monitors or industrial control systems don’t leak information to unwanted outsiders.
Device manufacturers are looking at novel ways of keeping data where it should be and used only for its intended purpose. Many believe the answer lies in a uniform standard for Internet of Things connectivity or in the integration of hardware and software.
“IT organizations will need to partner and collaborate with their IoT vendors to ensure that suitable security standards exist and are thoroughly implemented,” Chris Czub, a security research engineer at Duo Security who has a decade of experience in the field, told INTELLIGENCE last season. “IoT will dramatically change company security priorities in the future as the associated threats will become more complex and have greater consequences.”
But no one has a silver-bullet solution.
“The current state of IoT is very much a Wild West in the technologies and platforms utilized to create these devices,” added Mark Stanislav, senior security consultant at Rapid7, a consulting firm specializing in security data and analytics solutions.
But there are bright spots—companies that have started to solve the challenge of security in the era of intelligent things. Here are four of them:
On the journey from a connected device to a server, data is vulnerable. En route is where Bitglass goes to work, preventing hackers from getting their hands on any information. “Our proprietary technologies get in the middle of the transaction and give data protection in two directions—to the cloud and to the device,” says Rich Campagna, VP of products and marketing.
The security firm started in the highly regulated health care and finance industries before getting involved in the Internet of Things. In order to help these companies avoid extra risk, Bitglass created tracking technologies that would find who interacted with a file, and when. The company’s unique approach to cloud security involves watermarking individual files. Each file on a server is tagged with a special identifier that allows Bitglass to track how it is accessed, the device accessing it, and the context. In order to make sure a file is being used as intended, Bitglass tracks whether it is reached via a connected device, a desktop, or a tablet, along with the user location and time of day. By watermarking files, Bitglass is able to make sure that data from connected devices is sent to servers and new data is received—without hackers intercepting it.
To hear Bluebox Security Cofounder Adam Ely tell it, security for the Internet of Things is a work in progress. “We have to come up with a new methodology,” he says. “We need approaches to everything that build on what we have. Wearables, smart meters, industrial equipment, and grids all present challenges—the biggest of which is that it’s not traditional human-user relations to systems and operating systems. The Internet of Things is very autonomous, with devices talking to each other and humans removed from the equation. Bluebox asks, How do we secure the processes without the user making any decisions in most cases?”
A large part of Bluebox’s solution is a technology called “app wrapping,” which is designed for apps running on devices that are part of a larger corporate or institutional system. App wrapping uses a triple layer of defense for apps, and administrators set security permissions for users. When users download ordinary apps onto their own devices, the administrator’s requested security permissions are then inherent in the app. For connected devices like televisions and home automation systems, this is a game changer.
Bluebox sees the Internet of Things as a successor to the “bring your own device” movement, in which employees use their personal smartphones for work purposes.
Ely says the major question for users is how to best protect data when it bounces between sensors, desktops, local servers, remote servers, and mobile devices. The components might change, but the building blocks remain the same.
Biometric firm Hoyos Labs makes technology for consumers and companies and hopes to eventually replace the password with smart scans of users’ faces. (You can download its 1U consumer app in the App Store now.) The company’s Biometrics Open Protocol Standard (BOPS) has been contributed to the Institute of Electrical and Electronics Engineers (IEEE). Founder Hector Hoyos notes that biometrics—which are individual to each user—offer additional security for connected devices.
“In BOPS, identification data stays entirely encrypted on a device and is not on the server,” says Hoyos. “Even if a phone or a device is hacked, only that device is hacked—the larger system remains safe.” BOPS serves as the backend to a larger system called the Digital Identity Assertion Platform, a secure password replacement system that scans a user’s eyes, facial features, and bone structure. The company says that the platform will supersede passwords, tokens, and other authentication systems.
“In three to five years, everything you access, including the Internet of Things, will be controlled by biometrics,” Hoyos says. His company keeps a low profile but is aggressively working to bring biometrics to everything from ATMs to building control systems. Its latest product is a streamlined access control system designed to enable Minority Report-style retinal scanning for entry to doors or rooms.
Security firm Tripwire has an unusual task: securing connected factories and power plants from outside hackers. David Meltzer, the company’s chief research officer, says that industrial control systems often have communications systems that are roughly 20 years behind conventional IT. This can make it easy for anyone—a spy at a rival company, say, or a bored teenager—to monitor communications and understand how proprietary equipment works. “Industrial control environments are two decades behind a conventional IT environment in many ways,” Meltzer says. “They come from an age when there was less worry about people hacking into plants. But a migration to Ethernet and TCP/IP on manufacturing devices means a connected world with the traditional IT environment.”
The company’s flagship product, Tripwire Enterprise, offers security configuration management and records auditing for companies that use a wide array of sensor-enabled devices in industrial environments.