For the last several years, Internet of Things security has been one of the most hotly debated topics at Mobile World Congress. This year, however, IoT security took on a new sense of urgency as more devices are being connected and the technology turns mainstream.
For the past several years, the Internet of Things has been one of the most hotly debated topics at Mobile World Congress. However, looking back on this year’s expo, the discussion moved from the lack of standards to a subject that industry is only now starting to debate: the security implications of having everything connected.
What caused this sudden concern? Certainly some of the headlines form the last year helped.
In 2015, news of hackers remotely killing a Jeep on the highway, which in turn triggered a recall of 1.4 million vehicles to upgrade their software, and the possibility of tampering with one of the most popular models of smart meters, demonstrated by two Spanish researchers, woke the industry up to the potential disasters and liabilities of IoT.
In turn, those keeping an eye on IoT became more proactive than reactive on security issues.
Healthcare connected devices, for example, are one of the most dangerous targets.
In April 2014, Scott Erven and his team of security researchers released the results of a two-year study on the vulnerability of medical devices. They found that they could remotely manipulate devices, including those that controlled dosage levels for drug infusion pumps and connected defibrillators. He argued at a recent DefCon conference that “healthcare is 10 years behind other industries in addressing security.”
The challenges of securing connectivity are also significant.
While most industrial connected devices have been using carrier-based machine-to-machine (M2M) technology based on either 2G or 3G cellular services, the security of these machines is being challenged by a switch to low-power wireless WAN technologies operating on unlicensed spectrum. These include standards such as Zigbee and WiFi 802.11ah.
While these new standards offer the possibility of connecting many more devices at lower cost, they pose bigger security challenges since anyone can access and exploit a device operating in these frequency bands.
I had the opportunity to talk with security experts from Gemalto, BlackBerry, and NXP about the present and future of securing the IoT. Most of them agree that “software cannot secure hardware” and that securing the supply chain is as critical as the final security of the device.
At MWC 2016, Gemalto, the Dutch digital security firm, announced a partnership with Jasper, a global IoT platform provider, to offer secure connections for IoT devices using Jasper’s cloud-based technology. This offering will use Gemalto’s advanced cryptographic software to support robust and scalable back-office platforms for authentication, encryption, and digital credential management.
In the past month, BlackBerry, which is now mostly focusing on security offerings, acquired UK firm Encription Limited, which will become part of its new Professional CyberSecurity Services practice — a new business unit that will offer organizations consulting services, tools, and best practices.
Derek Kuhn, vice president of sales for BlackBerry IoT Division, said during a roundtable at MWC, that his company’s IoT security offerings are present in over 60 million vehicles worldwide, which include everything from secured components to entire communication systems.
The automotive industry forecasts there will be 44 million automated vehicles on the roads by 2030. Many more vehicles already have some form of Internet connectivity.
NXP, the Dutch semiconductor company that helped develop NFC, demonstrated at the show the capabilities of its security technology for IoT.
This included the NFC Ring, which can be used for payment applications, secure identification, and transit applications. In addition, NXP is offering the i.MX 6Dual and i.MX 6Quad single-chip system module (SCM), which it calls the world’s smallest integrated single-chip system for IoT.
There is no doubt among the experts that “the machines are coming,” and we’ll have tens of billions of connected devices at the beginning of the next decade. In a few years, most of the things we have and do today will be automated, measured, and controlled by the IoT ecosystem, and there is nothing we can do to stop it.
However, we do need to secure them all.
As NXP CEO Rick Clemmer told me at the show: “It is about how we take that technology and computing, and the security, to be able to make all of our lives easier, but also make it safe.”