Security in IoT is a hot topic nowadays. It was fun to see how much attention the phrase “The S in IoT stands for security” drew as it spread across blog posts and social networks.
But the joke holds up when you think about the design challenges of IoT products and solutions: there has been a lot of focus on things like power consumption, bandwidth, scalability or topology, but relatively little progress on security.
Historically this has been the case: security lags far behind innovation, mainly because of its complexity and its priority relative to other requirements. Think of HTTP, invented back in 1999; nowadays only 43.1% of the main sites on the internet can proudly hold the S of “HTTPS”.
This lack of security solutions, awareness, and standardization in IoT has recently caused well-known incidents, such as the one that took down Internet access in a large part of the world in October 2016. In that case, hackers were able to launch a DDoS attack using software running on thousands of VBR and cameras, exploiting weaknesses in their update and password configuration systems. Another example is the German government's recommendation not to use “The Bright-Eyed Talking Doll Cayla” because of the risk of it being hacked.
After such big events, many industries issued recommendations for IoT security. Encrypted channels, monitoring of communications, and mutual authentication with endpoints were among the recommendations of many of them.
What many people do not understand is the challenge that IoT presents today for security experts, so we are going to try to explain it in a simple image:
Tremendous work has been carried out in the IoT arena to create protocols and architectures that lead to small data rates and low power consumption. IoT devices need to transmit little data, because there are millions of them and they would otherwise collapse the network, and they need to consume little power, since they are generally not connected to energy sources.
However, in the security world, the more secure the protocol or method used, the more computation and data it requires from the node. For example:
- Security relies on data encryption. For instance, the encryption of a single integer number (32 bits) requires 9 milliseconds on a desktop machine, but about 1.6 seconds on an average IoT microcontroller. That is a thousand times more, with the corresponding energy consumption.
- An IPSec tunnel for a VPN will typically add up to 100 bytes to an Ethernet frame. For high-throughput WLAN networks this is not noticeable at all, but consider the impact on a Sigfox network, where uplink messages are limited to 15 bytes of traffic at a time, and a single device is allowed to send only up to 140 messages per day.
So, not surprisingly, current security is not designed for IoT, or IoT is not designed for current security.
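An added example (not from the original article) that puts the Sigfox figures above into code: it counts how many readings per day survive a 100-byte security overhead, then builds an authenticated frame that fits a single 15-byte uplink message. The 4-byte counter, the HMAC-SHA256 tag truncated to 8 bytes, and all function names are assumptions made for illustration; the frame is authenticated but not encrypted.

```python
import hashlib
import hmac
import struct

PAYLOAD_LIMIT = 15     # bytes per uplink message (figure from the article)
DAILY_MESSAGES = 140   # uplink messages per device per day (from the article)
TUNNEL_OVERHEAD = 100  # bytes an IPSec tunnel adds to a frame (from the article)
COUNTER_LEN = 4        # assumed: 32-bit message counter for replay protection
TAG_LEN = 8            # assumed: HMAC-SHA256 tag truncated to 64 bits
DATA_ROOM = PAYLOAD_LIMIT - COUNTER_LEN - TAG_LEN  # 3 bytes left for the reading


def messages_needed(n_bytes: int) -> int:
    """Uplink messages needed to carry n_bytes (ceiling division)."""
    return -(-n_bytes // PAYLOAD_LIMIT)


def readings_per_day(reading_len: int, overhead: int) -> int:
    """Readings a device can send per day under the daily message limit."""
    return DAILY_MESSAGES // messages_needed(reading_len + overhead)


def seal(key: bytes, counter: int, reading: bytes) -> bytes:
    """Build counter || reading || truncated tag; must fit one uplink message."""
    if len(reading) > DATA_ROOM:
        raise ValueError(f"reading exceeds the {DATA_ROOM} bytes left after overhead")
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + reading, hashlib.sha256).digest()[:TAG_LEN]
    return header + reading + tag


def open_frame(key: bytes, frame: bytes, last_counter: int):
    """Return (counter, reading) if the frame is authentic and fresh, else None."""
    if not COUNTER_LEN + TAG_LEN < len(frame) <= PAYLOAD_LIMIT:
        return None
    header, reading, tag = frame[:COUNTER_LEN], frame[COUNTER_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + reading, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or corrupted frame
    counter = struct.unpack(">I", header)[0]
    if counter <= last_counter:
        return None  # replayed or stale frame
    return counter, reading


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not a real secret
    frame = seal(key, 1, b"\x00\x17\x2a")  # constructed 3-byte reading
    print(len(frame), open_frame(key, frame, last_counter=0))
    print(readings_per_day(3, TUNNEL_OVERHEAD), readings_per_day(3, COUNTER_LEN + TAG_LEN))
```

Even this minimal envelope spends 12 of the 15 payload bytes on the counter and tag, and shortening the tag to free more room lowers forgery resistance accordingly.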
In that direction, NIST (National Institute of Standards and Technology) initiated the lightweight cryptography project to study the performance of the existing NIST-approved cryptographic standards on resource-constrained IoT devices. There will be results and proposals for standardization in 2018.
A report published in October 2016 summarizes the findings of NIST’s lightweight cryptography project and outlines NIST’s plans for the standardization of lightweight protocols. According to this report, NIST will publish a call for submissions that will be reviewed in late 2017. Finally, NIST will hold the third Lightweight Cryptography Workshop in early 2018 to discuss proposals and plans for standardization.
So let us not overpromise: it will take some time until we see a real standardized IoT-S (IoT Secure). In the meantime, companies will have to keep putting effort into non-standard ad-hoc solutions and smart designs to secure their IoT products and services. TipTap Labs is a secure firmware development company for IoT. Do not hesitate to contact us for any exciting project!
Article written by David Purón, Founder and Chief Executive Officer at Barbara IoT.