November 25, 2015 By Douglas Bonderud 2 min read

There’s no doubt that the Internet of Things (IoT) is on an upswing. As noted by IT Business, firms like IDC are calling for at least 22 billion connected devices by 2018, with more than 200,000 apps and services being developed for the IoT specifically. But big business and effective security don’t always go hand in hand: According to SC Magazine, a team of researchers has just defeated one of the most widely used IoT encryption solutions, the Algebraic Eraser. What’s more, they’ve done it using parameters provided by the creators of the key itself. Does this make effective security “mission impossible” in a truly connected world?

The Internet of Things: A Disappearing Act

While the Internet of Things links high-performance devices like smartphones, desktops and tablets, the bigger impact is felt by the connections between smaller devices with minimal computing capacity — for example, temperature sensors, RFID tags and mobile payment solutions. To help secure these devices, Connecticut-based firm SecureRF designed the Algebraic Eraser, an encryption algorithm also part of ISO/IEC specification AWI 29167-20 for securing air interface communications devices. Here’s the problem: Researchers have now twice defeated this countermeasure.

The first time, SecureRF argued the results were influenced by weak algorithm parameters chosen by the researchers and created a workaround. Problem solved, right? Not quite. Lead researcher Simon Blackburn and his team weren’t convinced that the Eraser was actually foolproof, so they set out to crack it again with “parameters being used in practice” and provided by SecureRF. Not only did Blackburn and his fellows break the key a second time, but they did so in less than eight hours.

Blow the House Down

So what does this mean for the future of IoT? Are all devices inherently unsafe? Does access to a single device compromise the entire network? An article from RCR Wireless likens the Internet of Things to a house with millions of windows and doors; if attackers smash one window or break down one door, they have access to the network at large and are able to cause widespread chaos. At the recent Federal Building Council event, cyber defense firm M2 Security said its solution to the problem is “just nail down all the doors and windows.”

Sounds like a great idea, unless of course attackers have cracked the code that safeguards these devices from unwanted intrusion. In this scenario, nailed windows and locked doors don’t matter; attackers have the key and can walk in unannounced. While the Algebraic Eraser is mostly used to secure lower-priority devices on corporate networks, the interconnected nature of these technologies means that even breaching a peripheral sensor or payment gateway puts cybercriminals within striking distance of critical data.

Bottom line? IoT adoption isn’t slowing down, but effective security may require more than simply rewriting the same encryption algorithm each time it’s defeated. Per-device security on par with critical IT infrastructure is rapidly becoming a necessity for even the smallest, arm’s-length sensors and monitors. IoT levels the playing field, and to make security possible, companies need to step up their game.

More from

CISA’s cyber incident reporting portal: Progress and future plans

3 min read - On August 29, 2024, CISA announced the launch of a new cyber-incident Reporting Portal, part of the new CISA Services Portal.“The Incident Reporting Portal enables entities and individuals reporting cyber incidents to create unique accounts, save reports and return to submit later, and eliminate the repetitive nature of inputting routine information such as contact information,” says Lauren Boas Hayes, Senior Advisor for Technology & Innovation, at CISA.Shortly after the announcement, Security Intelligence reported on how the portal was designed and…

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today