By Antoine Rizk, VP of Vertical Markets, Axway
One security issue that’s often missed when we talk about the Internet of Things (IoT) is the fact that many IoT applications do not embrace the concept of time. They don’t have embedded clocks, access to time services, or a mechanism for synchronizing time across the entire “thingfrastructure.”
This is a genuine security issue. Most authentication protocols use retry limits to safeguard against brute-force attempts to gain access; they cap the number of retries within a given time window, in the same way desktops and email accounts do. A device with no notion of time cannot enforce such a window.
But security is not only about preventing or allowing access. It’s about monitoring who accessed what and — more specifically — when. Without time services, security architects must resort to sub-optimal mechanisms for identifying events.
Why do security gaps appear more often within the IoT and less often within the internet?
The answer is simple.
The Internet of Things replaces humans with objects. We know how to secure human-based directories such as LDAP, human-triggered password resets, and — most importantly — human/client-initiated connectivity via HTTP request/response protocols.
But the things in the Internet of Things can’t do any of this. Humans have to invent workarounds, new protocols, and new mechanisms to avoid security failures with dramatic consequences. Your life probably wouldn’t change if your connected refrigerator failed to connect, but think about what would happen if an entire supply chain foundered because of a failure in connected tracking devices. Or if a health program froze because of a failure in mHealth equipment. Or if a traffic regulation program crashed because of a failure in vehicle connectivity.
As this article rightly says, Nest and Google are interested in how people behave inside their houses. This is a data privacy issue, and we may want to accept it in the same way we accept giving Google access to our private emails. But beyond privacy, we are entitled to the full range of security measures, some of which we must not compromise on.
To learn more about security for the Internet of Things, click here to download our joint white paper with Gunnar Peterson of Arctec Group.