The Internet of Things is transforming the way companies interact with their customers. Manufacturers are embedding connectivity and computing into their goods to build a direct relationship with the people who buy and use their products. But the recent spate of hacks of connected devices suggests manufacturers aren’t doing enough to ensure their products are secure, according to Jaya Baloo, Chief Information Security Officer (CISO) of KPN, the leading telecoms company in the Netherlands.
“The inherent lack of design of security and privacy in the internet of things has brought us to the place where we are now, where we are worried about hacked barbies,” Baloo said in an interview at the Infosecurity Europe event in London in June. “But I think this is a fixable problem…if you take a look at the Mirai botnet [attack] and how that happened with this global distributed denial of service… the ease with which it occurred and can still occur with the evolution of the Mirai, I think what it points to is a general lack of clue.”
Don’t rely on the end-user
Baloo argues passionately that the makers of products should design security and privacy in the internet of things into their hardware and software from the start, regardless of the target market. For her, the distinction between the consumer and enterprise markets is increasingly blurred and manufacturers should not assume that the end-user will have the knowledge they need to keep their connected devices and data secure and private. “The cameras that were hacked for the Mirai botnet, the vendor said: ‘yeah, but they were never supposed to be sold to consumers, these were only supposed to be behind an enterprise firewall,’ so I think the initial intentions are failing,” she explained in the interview.
As things stand, manufacturers can take advantage of regulatory loopholes to sidestep their security responsibilities, according to Baloo. For example, the EU’s Directive on the security of network and information systems “holds everyone to account across all sectors, except for the hardware and software lobby, and that is inexcusable,” she said. “I am fine with telcos, and healthcare and transport all taking their share of responsibility. However, I think that burden of responsibility should be equally distributed especially to those who created the problem in the first place.”
One way to encourage security and privacy in the internet of things by design would be through a certification process, but achieving compliance can be expensive for small companies. “There is a need for regulation here,” Baloo contended. “We need to get it right from the perspective of having secure design principles built in: That people who make the stuff take their own measures to do very offensive hacking of their own product before they get hacked and I find it inexcusable that KPN has to hack the software and hardware of our vendors before it gets placed on our network.”
Connectivity goes metropolitan
The debate over who is responsible for ensuring security and privacy in the Internet of Things is going to intensify further as the Internet of Things expands with the advent of low cost, low power wide area connectivity (LPWA), which makes is viable to bring everything from waste bins to street lamps and garden sprinklers online. In June 2016, KPN announced it is offering LPWA coverage right across The Netherlands using LoRa technology. Baloo sees LPWA connectivity transforming the way we manage our urban environments. “LoRa comes from a very genuine need to connect metropolitan devices,” she said. “You can place units out there that are going to last a span of four or five years and it will power the lights or work bridges, and flag when the trash needs connecting, so there are a lot of social benefits.”
Of course, the expansion of the Internet of Things into public spaces, such as streets, squares and parks, will be accompanied by security risks – connected monitors can be tampered with and potentially hijacked, or rogue devices could be integrated into the network. KPN is alive to these threats. “What I really like about the way that we did LoRa is the security that is embedded in the design,” Baloo said. “When we initially tried to roll out LoRa, we had our hacking team hack it to smithereens, we broke it completely. So we took our vendors and had a very productive discussion about how to improve security before it went live and the protocol weaknesses that we also found, which we took back the LoRa Alliance, so they can improve as well. So, I have a higher degree of confidence connecting those devices on LoRa than I would have on any other media.”
Although short-range connectivity can also be made secure, WiFi networks, in particular, are widely regarded as vulnerable to hacking. “There are ways to do the implementation successfully, securely over WiFi, but they are not inherently built into the protocol,” noted Baloo. “I think the difference between a WiFi-secured ecosystem versus something with LoRa is that we have very strong demands for provisioning, for authentication, for updates.”
Identifying who you are dealing with
Indeed, as connectivity proliferates, service providers and their customers need to consider how to authenticate and identify devices attempting to connect to the network. “The question is: What are we actually identifying and what is the authentication that is required there?” Baloo asked. “Again with LoRa, there are some very strict and specific requirements for that.”
The mobile telecoms industry has traditionally used physical SIM cards to authenticate devices on its networks, but it is becoming impractical to add SIM cards to every connected device and KPN is looking at alternatives. “There are different types of signature machines that you can embed in the device initially,” Baloo explained. “You can “allow the remote device when it is initially on to authenticate directly with this sort of control unit and that is regardless of what networking protocol you use on top of this, but these are the kind of feature sets that we should be demanding from the community that makes this.”
Although Baloo wants device manufacturers to take more responsibility for security, she also believes that telecoms operators have a major role to play in ensuring that consumers and companies can trust the Internet of Things. “We have a duty of care for our users and this is why we believe it is our mission to make sure KPN is secure and reliable but also trusted by customers, partners, and society,” she stressed. “We take that very seriously. It goes right from the top, from our CEO all the way to our call centers and security and privacy are absolutely part of our corporate mission – it’s part of our value proposition.”