The massive and unprecedented utility and opportunities provided by the Internet of Things (IoT) have been overshadowed by grievous security and privacy tradeoffs, which have become a focal point of attention for the tech industry in recent months.
Discoveries like hacked baby monitors and remotely hijacked cars have given rise to new efforts and new initiatives, including the establishment of a foundation dedicated to defining standards and security practices for the IoT industry; a government-led solicitation project designed to encourage startups to address IoT security issues; and an educational book for children.
While IoT can borrow many lessons and tactics from security protocols and technologies that have been tested in other domains, there are some glaring differences between IoT devices and traditional computing systems.
The tech industry is taking strides to overcome the complexities these new devices introduce in order to make sure the future of IoT is not clouded by security shortcomings.
Differences in session lengths
Current security protocols have been designed to control and protect the flow of data between computers in short-lived, intermittent sessions.
“In the IoT space, however,” says Ken Tola, CEO of IoT security startup Phantom, “devices are connected for long periods of time, and using the exact same protection throughout these long-running sessions is no longer viable. Many of the successful exploits have occurred by recording encrypted communications and replaying those back into a system at a later date.”
Phantom is promising to mitigate the risk of replay attacks with its eponymous security software, designed to securely authenticate a wide range of devices at any level of IoT systems and ensure protection in always-connected environments.
Phantom addresses the issue of long-running sessions by adding randomness and constantly changing how data is protected over time. “By switching algorithms at random intervals during sessions, Phantom prevents hackers from figuring out communications and by authenticating devices, Phantom keeps unwanted intruders out,” says Tola.
Phantom also addresses another IoT challenge, which is the scarcity of system resources. “Almost all modern protection relies on high-end operating systems and uses massive amounts of resources,” says Tola. “None of these features are viable for the IoT.”
That is why Phantom has been designed to be extremely lightweight and operate at a very low level, which enables it to remain efficient on almost all devices.
Phantom is being tested in several IoT environments, including CANs (Controller Area Networks), which have been the main attack vector for major car hacks.
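The replay risk described above for long-running sessions can be shown with a small receiver-side check. This is an added example, not Phantom's code or algorithm: it uses a standard freshness scheme (a per-message counter plus a MAC key that rotates by epoch), and the frame layout, class names and sample key are assumptions made for illustration. Frames are authenticated only; encryption is left out to keep the example on the standard library.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct(">IQ")  # assumed frame header: key epoch, per-epoch counter
TAG_LEN = 32                # HMAC-SHA256 tag length

def tag_for(master: bytes, body: bytes) -> bytes:
    # Derive a fresh MAC key per epoch, so recorded traffic is bound to a retired key.
    epoch, _ = HDR.unpack_from(body)
    key = hmac.new(master, b"epoch" + struct.pack(">I", epoch), hashlib.sha256).digest()
    return hmac.new(key, body, hashlib.sha256).digest()

def seal(master: bytes, epoch: int, counter: int, payload: bytes) -> bytes:
    body = HDR.pack(epoch, counter) + payload
    return body + tag_for(master, body)

class NaiveReceiver:
    """Checks the MAC only: a recorded frame stays valid for the whole session."""
    def __init__(self, master: bytes):
        self.master = master

    def accept(self, frame: bytes) -> bool:
        if len(frame) < HDR.size + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        return hmac.compare_digest(tag, tag_for(self.master, body))

class FreshnessReceiver(NaiveReceiver):
    """Also requires (epoch, counter) to move strictly forward."""
    def __init__(self, master: bytes):
        super().__init__(master)
        self.last = (0, 0)  # highest (epoch, counter) accepted so far

    def accept(self, frame: bytes) -> bool:
        if not super().accept(frame):  # authenticate before trusting the header
            return False
        seen = HDR.unpack_from(frame)
        if seen <= self.last:  # replayed, duplicated, or from a retired epoch
            return False
        self.last = seen
        return True

def demo() -> dict:
    master = b"constructed-demo-master-key-0001"  # constructed sample secret
    naive, fresh = NaiveReceiver(master), FreshnessReceiver(master)
    recorded = seal(master, 1, 1, b"unlock")      # frame captured earlier in the session
    first = (naive.accept(recorded), fresh.accept(recorded))
    fresh.accept(seal(master, 2, 1, b"status"))   # sender has since rotated to epoch 2
    replay = (naive.accept(recorded), fresh.accept(recorded))
    return {"first": first, "replay": replay}
```

Both receivers accept the frame the first time; only the receiver that tracks freshness rejects it when it is presented again after the key epoch has moved on.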