The Value of Data Protection in the Internet of Things

The IoT is made up of billions of devices that collect and share data. If this data is not properly secured, it puts both end-users and manufacturers at risk for all sorts of disastrous consequences.

For example, the data collected by a smart thermostat can reveal when someone is home based on their heating and cooling settings. If this information is not adequately protected, thieves can use it to determine when to break into houses. Similarly, if the data from a sensor monitoring a factory assembly line is not secured, it can be accessed and used by a competitor to steal inventory information. Even seemingly innocuous information can be combined from multiple devices to build detailed pictures of a person’s lifestyle or buying behavior.

Breaches can have equally devastating consequences for the companies that failed to adequately secure the devices in the first place. Security breaches, particularly high-profile ones, can cause irreversible brand damage, revenue loss, drops in stock price, and other significant negative ramifications.

According to Cisco, the billions of devices comprising the Internet of Things will generate trillions of gigabytes of data by 2018 – some 400 zettabytes a year to be more precise – and all that data needs to be safeguarded from hackers to protect consumers and manufacturers.

Effectively securing data in the IoT requires identification, authentication, and encryption, which produces integrity and confidentiality.

Identification and Authentication of IoT Data

Identification and authentication are related – they are cryptographic functions that provide a provable identity. They are necessary to ensure information is being communicated to the correct device and that the source can be trusted. Without authentication, for example, a hacker could communicate directly with your front door and alarm system, and gain access into your home by causing the door to unlock and the alarm to disarm.

In the real world, we have trusted agencies that produce documents (e.g. a driver’s license) that can be presented to assert an identity. In the digital realm, there are cryptographic methods for performing a similar action with a digital certificate. Here is how it would work on a typical IoT device:

• The device carries a digital certificate signed by a trusted third-party (a Certification Authority, or CA) that binds its identity to a key using a digital signature such as WalnutDSA^TM
• The device then presents this certificate to a verifier that validates the certificate to learn the asserted identity of the device. The mathematics prove that only the CA could have produced the certificate via a “digital handwriting analysis” that anyone can perform.
• The verifier uses a proof-of-possession of the bound key with a technology like Ironwood^TM KAP to authenticate the device This is a mathematical proof that asks the device to generate data that only it can produce, because only that device knows the correct answer to the question.

Although identification and authentication are necessary, they do not adequately protect IoT data. In addition to ensuring the correct devices are talking to each other, you need to be certain someone eavesdropping on the conversation cannot overhear anything important or manipulate the conversation.

Protecting Data Through Encryption – In Motion and at Rest

The next layer of data protection in the IoT is encryption. First and foremost, when sensitive data is moving from device-to-device (data in motion), it should be encrypted. Imagine an enemy listening in when a general commands his troops to attack. Encryption using a cipher like AES can provide confidentiality, making the data incomprehensible to eavesdroppers.

Next, imagine an attacker intercepting a digital message from your payment device to your bank and changing your $10 transaction to a $1,000 transaction. Additional cryptographic protocols must be layered on to ensure integrity (a state where the files have not been altered in any way) so the data isn’t manipulated en route to the bank.

However, protecting your IoT data is not just about protecting data in motion. You also need to protect the data that resides on your IoT devices, which is data at rest. This includes the device’s identity information, configuration, running state, and programming, as well as audit and log files. Tools providing integrity and confidentiality for these files can protect your IoT data from being breached. Integrity ensures that the data was not modified by an unauthorized intruder, and confidentiality (accomplished by encryption) ensures that the data cannot be read or understood by anyone without the proper keys.

Finally, devices may change hands over time. Study after study has shown the tremendous amount of data leakage that can occur when devices such as smartphones get a new owner. However, if the data on the IoT device has been encrypted, a simple “key wipe” will prevent a new device owner from accessing the previous owner’s data.  If you destroy the keys, then all data encrypted by that key is forever lost.

For more information on how to start providing authentication and data protection for your IoT devices, view our on-demand webinar, “Jumpstart Your IoT Security Project with the Latest Tools in Authentication and Data Protection.”