There’s no doubt that the Internet of Things (IoT) is on an upswing. As noted by IT Business, firms like IDC are calling for at least 22 billion connected devices by 2018, with more than 200,000 apps and services being developed for the IoT specifically. But big business and effective security don’t always go hand in hand: According to SC Magazine, a team of researchers has just defeated one of the most widely used IoT encryption solutions, the Algebraic Eraser. What’s more, they’ve done it using parameters provided by the creators of the key itself. Does this make effective security “mission impossible” in a truly connected world?
The Internet of Things: A Disappearing Act
While the Internet of Things links high-performance devices like smartphones, desktops and tablets, the bigger impact is felt by the connections between smaller devices with minimal computing capacity — for example, temperature sensors, RFID tags and mobile payment solutions. To help secure these devices, Connecticut-based firm SecureRF designed the Algebraic Eraser, an encryption algorithm also part of ISO/IEC specification AWI 29167-20 for securing air interface communications devices. Here’s the problem: Researchers have now twice defeated this countermeasure.
The first time, SecureRF argued the results were influenced by weak algorithm parameters chosen by the researchers and created a workaround. Problem solved, right? Not quite. Lead researcher Simon Blackburn and his team weren’t convinced that the Eraser was actually foolproof, so they set out to crack it again with “parameters being used in practice” and provided by SecureRF. Not only did Blackburn and his fellows break the key a second time, but they did so in less than eight hours.
Blow the House Down
So what does this mean for the future of IoT? Are all devices inherently unsafe? Does access to a single device compromise the entire network? An article from RCR Wireless likens the Internet of Things to a house with millions of windows and doors; if attackers smash one window or break down one door, they have access to the network at large and are able to cause widespread chaos. At the recent Federal Building Council event, cyber defense firm M2 Security said its solution to the problem is “just nail down all the doors and windows.”
Sounds like a great idea, unless of course attackers have cracked the code that safeguards these devices from unwanted intrusion. In this scenario, nailed windows and locked doors don’t matter; attackers have the key and can walk in unannounced. While the Algebraic Eraser is mostly used to secure lower-priority devices on corporate networks, the interconnected nature of these technologies means that even breaching a peripheral sensor or payment gateway puts cybercriminals within striking distance of critical data.
Bottom line? IoT adoption isn’t slowing down, but effective security may require more than simply rewriting the same encryption algorithm each time it’s defeated. Per-device security on par with critical IT infrastructure is rapidly becoming a necessity for even the smallest, arm’s-length sensors and monitors. IoT levels the playing field, and to make security possible, companies need to step up their game.