Connected homes and smart cities will need a new security model, warns US defence chief
The Internet of Things will not take off without a ‘fundamentally new security model’, according to Dan Kaufman, director of the Information Innovation Office at the US Defense Advanced Research Projects Agency (DARPA).
Whether it’s driverless cars, fridges that tweet you when you run out of milk, or thermostats that detect when you’re on your way home and turn on the heating, interest is growing in the so-called ‘Internet of Things’.
However, this new hyper-connected world is also exposing people to a greater risk than ever before, as not only does it mean a hacker could now access your data, they could also take control of your physical world.
Today, it is normal for PCs and smartphones to start installing security updates and patches from the moment they are switched on. Microsoft, for example, releases a set of security updates on the second Tuesday of each month – known as Patch Tuesday.
However, Kaufman said this model in unfeasible when you are dealing with embedded systems, (the sensors and devices that underpin connected homes and smart cities).
“If we don’t have a fundamentally new security model, then I don’t know how we’re going to enjoy the Internet of Things,” Kaufman said, speaking at Gigaom’s Structure conference in San Francisco on Thursday. “Patch Tuesday for your car or your insulin pump doesn’t make a whole lot of sense.”
He added that DARPA itself is currently trying to develop an ‘unhackable’ operating system for embedded systems. This involves use of ‘homomorphic encryption’ which, unlike standard encryption, allows data to remain encrypted even when it is being used – making it much harder for hackers to get hold of.
Kaufman is not the first person to warn about the security risks associated with the Internet of Things. Researchers at Trustwave decided to investigate these risks last year, after realising that many of the things they had in their own homes were network-connected.
They discovered that home automation gateways, which serve as the nucleus of the connected home, could be used to carry out covert audio and video surveillance, gain physical access to buildings or even inflict personal harm if not properly secured.
“As technology becomes more entwined with the physical world, the consequences of security failure escalate,” said Forrester analyst Andrew Rose in a research report.
“As the Internet of Things becomes embedded in everyday life, reaching through industrial control to personal devices and infrastructure such as transport and power, these scenarios become more complex and have graver consequences.”