November 25, 2015 By Douglas Bonderud 2 min read

There’s no doubt that the Internet of Things (IoT) is on an upswing. As noted by IT Business, firms like IDC are calling for at least 22 billion connected devices by 2018, with more than 200,000 apps and services being developed for the IoT specifically. But big business and effective security don’t always go hand in hand: According to SC Magazine, a team of researchers has just defeated one of the most widely used IoT encryption solutions, the Algebraic Eraser. What’s more, they’ve done it using parameters provided by the creators of the key itself. Does this make effective security “mission impossible” in a truly connected world?

The Internet of Things: A Disappearing Act

While the Internet of Things links high-performance devices like smartphones, desktops and tablets, the bigger impact is felt by the connections between smaller devices with minimal computing capacity — for example, temperature sensors, RFID tags and mobile payment solutions. To help secure these devices, Connecticut-based firm SecureRF designed the Algebraic Eraser, an encryption algorithm also part of ISO/IEC specification AWI 29167-20 for securing air interface communications devices. Here’s the problem: Researchers have now twice defeated this countermeasure.

The first time, SecureRF argued the results were influenced by weak algorithm parameters chosen by the researchers and created a workaround. Problem solved, right? Not quite. Lead researcher Simon Blackburn and his team weren’t convinced that the Eraser was actually foolproof, so they set out to crack it again with “parameters being used in practice” and provided by SecureRF. Not only did Blackburn and his fellows break the key a second time, but they did so in less than eight hours.

Blow the House Down

So what does this mean for the future of IoT? Are all devices inherently unsafe? Does access to a single device compromise the entire network? An article from RCR Wireless likens the Internet of Things to a house with millions of windows and doors; if attackers smash one window or break down one door, they have access to the network at large and are able to cause widespread chaos. At the recent Federal Building Council event, cyber defense firm M2 Security said its solution to the problem is “just nail down all the doors and windows.”

Sounds like a great idea, unless of course attackers have cracked the code that safeguards these devices from unwanted intrusion. In this scenario, nailed windows and locked doors don’t matter; attackers have the key and can walk in unannounced. While the Algebraic Eraser is mostly used to secure lower-priority devices on corporate networks, the interconnected nature of these technologies means that even breaching a peripheral sensor or payment gateway puts cybercriminals within striking distance of critical data.

Bottom line? IoT adoption isn’t slowing down, but effective security may require more than simply rewriting the same encryption algorithm each time it’s defeated. Per-device security on par with critical IT infrastructure is rapidly becoming a necessity for even the smallest, arm’s-length sensors and monitors. IoT levels the playing field, and to make security possible, companies need to step up their game.

More from

CISO vs. CEO: Making a case for cybersecurity investments

4 min read - Ask CISOs why they think there is a cyber skills shortage in their organization, what keeps them up at night or what the most important issue facing the industry is — at some point, even if not the first response, they will bring up budgets.For example, at RSA Conference 2024, a roundtable discussion about issues facing the cybersecurity industry, one CISO stated bluntly that budgets — or lack thereof — are the biggest problem. At a time when everything is…

DHS: Guidance for AI in critical infrastructure

3 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology.In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into focus…

CISA’s cyber incident reporting portal: Progress and future plans

3 min read - On August 29, 2024, CISA announced the launch of a new cyber-incident Reporting Portal, part of the new CISA Services Portal.“The Incident Reporting Portal enables entities and individuals reporting cyber incidents to create unique accounts, save reports and return to submit later, and eliminate the repetitive nature of inputting routine information such as contact information,” says Lauren Boas Hayes, Senior Advisor for Technology & Innovation, at CISA.Shortly after the announcement, Security Intelligence reported on how the portal was designed and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today