Infosec: Internet Of Things ‘Is Out Of Control’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

The Internet of things needs to be put on a leash before it causes major security events, an industry expert warns

The Internet of things, otherwise known as machine to machine (M2M) communication, is “out of control”, opening the door for disasters if someone doesn’t get a leash on it.

That was the opinion of John Hayes, CTO of network authentication provider BlackRidge Technology, who noted that the number of internet-connected things will far surpass the number of people on the planet in the coming years. Whilst there will be an estimated 8 billion people on earth by 2020, there will be many times that amount of web-reliant technologies talking with each other without human intervention.

“They are not all secure and not really to be trusted,” Hayes said during a briefing at InfoSecurity 2012 today. “If you think your neighbours are annoying now, just wait until your neighbours’ autonomous things start messing with your automated things.”

M2M madness

By not thinking about security in the design of M2M systems, in letting them speak with other systems, “huge security risks” are opened up, from spreading malicious code to carrying out non-authorised actions, Hayes explained.

“The challenge is how to manage, simplify and use things to enable them to operate as cohesive groups of heterogeneous things,” he added.

Hayes’ answer is to give each internet-connected technology – whether that be software or hardware –  a clear identity. An identity should not be an IP address or any kind of address at all, he argued.

“An address is not an identity. Addresses can be spoofed, therefore you can’t trust an address on its own. And they can be exposed to everyone, they do not protect privacy,” the CTO added. “The Internet of things needs identity to ensure security.”

He said communications between things must be secure, identities must be communicated and interpreted to have value, as well as protect privacy and maintain efficiency.

Yet actually assigning everything connected to the internet with a secure identity is not something Hayes’ knew how to do, when quizzed by TechWeekEurope. “I can’t answer the question ‘where are these identities going to come from?’ because I don’t have the answer,” he said. “The security industry and the Internet of things movement are going to have to solve these problems.”

There is also the question about multiple identities within one device, where apps or different sections of software need their own identities to talk with the correct external machines. “That is another one of the challenges moving forward,” Hayes said.

M2M is getting plenty of backing in the UK. The government-backed Technology Strategy Board’s Internet of Things (IoT) Convergence initiative recently handed £50,000 of funding to a Cambridge project seeking to improve the nation’s response in times of severe weather. The initiative would see transport and health data shared by wireless connections.

Are you a security guru? Try our quiz!