To secure your data you have to secure the device

Security is a big issue when it comes to the internet of things. This isn’t privacy, which is a different but related topic, but merely securing the devices and data they generate so malicious people can’t steal it, see it or otherwise use it for nefarious purposes. Right now, it’s something many people are talking about, but something few people are trying to solve.

That may be partly because, as this New York Times story notes, software and internet companies are more concerned with getting users and revenue than security, but when it comes to connected devices there’s another layer of challenges. Devices have to connect to the web, but they also are incredibly person, either part of the user’s home or on their person at all times. This gives them a lot of “knowledge” that if shared can lead to an actual loss of personal safety or belongings.

There’s a lot of attention paid to this idea of designing a product for security, but not a lot about what that should mean. A story Monday on MIT’s Technology Review shared a project that Intel is working on, called Reliance Point, that lets companies build a secure lockbox for sharing data. The lockbox concept is a poor one however. It sounds more like a secure Russian nesting doll, starting with a secure chip and then heading up the stack with the software checking for security at the layer underneath each time before authenticating and booting up.

From the MIT story:

The project, known as Reliance Point, is a collaboration between Iyengar’s [Sridhar Iyengar is a director of research at Intel’s Security Labs] research group and Intel’s data center group. When the Reliance Point system boots up, a security chip is used to check that the BIOS, the lowest-level software on a computer that starts it up, hasn’t been tampered with. The BIOS then makes its own checks before activating the next level of software, which in turn makes its own checks, a chain-like process that continues until the system is fully operational. All those checks generate data that parties using Reliance Point can use to assure themselves the system can be trusted before they feed in their precious data. “They can have high confidence that the platform has not been tampered with,” says Iyengar.

This ties into a conversation I had last week with Paco Hope, a principal consultant at Cigital, a security firm. He explained that for many connected devices you need to start with physical access to the device and then the airspace around it if it is communicating wirelessly. “You can control anything if you have access to the physical device or access to the airwaves around it,” said Hope.

As with sharing data that might be held on behalf of different companies in different servers (that all apparently contain this trusted area of the chip), figuring out how to secure connected locks or smart meters will rely on authenticating the device and changing how such devices communicate with each other. Today’s radios shout out their information on a regular basis, the digital equivalent of me walking through a shopping mall asking, “Is Jane Doe here? Is my husband Bob Smith here? Is my boss Tom Krazit here?”

If I shouted for enough people it’s possible to know who I am, where I live, where I work and more just by listening. Mobile phones seeking Wi-Fi networks or even paired Bluetooth devices are similar, says Hope. His solution is to train devices to start asking for information only to authenticated devices. The mall equivalent would be me only going up to people I visually verify as being my friend, my husband or my boss.

Intel’s approach for the enterprise might make sense here, and ARM has a program in place to create secured chips for connected devices. One challenge will understand the toll authentication takes on energy consumption and latency — it take processing power to authenticate a device — which means battery life may suffer or it could take longer for your phone to “read” context from a sensor or location.

However, even as users of Snapchat or Tinder seem relaxed about security concerns on behalf of their users, the makers of connected locks, medical devices or things like smart meters have a significant stake in getting things right from the get go. Trust, lives and even the bottom line of a utility are at stake.