Keeping the IoT safe
- By Matt Leonard
- May 09, 2017
Manufacturers and users of internet-of-things devices better start thinking about bugs.
Cerf's 6 IoT considerations
Vint Cerf's take on what's required for implementation of internet-of-things devices:
Reliability: “I don’t think anyone wants to use these devices if they’re not reliable.” The light switch has worked for years; don’t make it harder.
Ease of use: “It should actually make your life easier as opposed to harder.”
Safety: “Nobody would buy and install a device if they didn’t think it was safe.”
Privacy: “Imagine webcams in the house that are accessible remotely by unauthorized parties.”
Autonomy: “You don’t want your house to stop working if it is disconnected from the internet.”
Interoperability: “If we’re going to build ensembles of these devices and expect to manage them in a sensible way, then we have to have standards that allow for interoperability.”
“Who is going to fix the bugs?” Vinton G. Cerf, vice president and chief internet evangelist at Google, asked at a May 9 IoT Tech Summit hosted by the Washington, D.C., Chapter of the Armed Forces Communications and Electronics Association. “And for how long are they going to agree to fix the bugs?”
Cerf, often referred to as the “father of the internet” for his work helping to invent TCP/IP, said bugs in IoT devices will likely be fixed the same way bugs in computers or mobile devices are handled: by downloading new software.
Yet that is not as simple as it sounds, he said. These devices must know where the software is coming from and that it was handled with integrity, and the sender of the software must then verify that the device received and installed the software. Such a process will require strong authentication of endpoints.
“The device needs to be able to reject attempts to access it, to provide it with new software, to collect data from it or to control it -- except from parties it can authenticate,” he said.
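The update exchange Cerf describes can be sketched with both sides' messages; this is an added example, not code from the article or from any vendor. It assumes a pre-shared per-device key and HMAC-SHA256 standing in for whatever tokens or signatures a real platform uses, and the names `Vendor`, `Device` and `mac` are hypothetical.

```python
import hashlib, hmac, os

def mac(key, label, device_id, version, digest, nonce):
    """HMAC-SHA256 over fixed-order fields; `label` separates update tags from receipt tags."""
    fields = [label, device_id, version.to_bytes(4, "big"), digest, nonce]
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class Vendor:
    def __init__(self, key):
        self.key, self.pending = key, {}

    def publish(self, device_id, version, image):
        nonce, digest = os.urandom(16), hashlib.sha256(image).digest()
        self.pending[nonce] = (device_id, version, digest)  # awaiting a receipt
        return {"version": version, "image": image, "nonce": nonce,
                "tag": mac(self.key, b"update", device_id, version, digest, nonce)}

    def confirm(self, receipt):
        """True only for a fresh receipt proving the device installed what was sent."""
        sent = self.pending.get(receipt["nonce"])
        if sent is None:
            return False  # unknown or already-confirmed nonce
        good = mac(self.key, b"receipt", *sent, receipt["nonce"])
        if not hmac.compare_digest(good, receipt["tag"]):
            return False
        del self.pending[receipt["nonce"]]
        return True

class Device:
    def __init__(self, device_id, key, version):
        self.device_id, self.key, self.version = device_id, key, version

    def install(self, msg):
        """Install only an authentic, newer image; return a receipt, or None on rejection."""
        digest = hashlib.sha256(msg["image"]).digest()
        good = mac(self.key, b"update", self.device_id, msg["version"], digest, msg["nonce"])
        if not hmac.compare_digest(good, msg["tag"]) or msg["version"] <= self.version:
            return None  # wrong origin, altered image, or rollback attempt
        self.version = msg["version"]
        return {"nonce": msg["nonce"],
                "tag": mac(self.key, b"receipt", self.device_id, self.version, digest, msg["nonce"])}
```

The separate `b"update"` and `b"receipt"` labels keep the vendor's own tag from being echoed back as proof of installation.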
IoT platforms like Microsoft Azure use tokens to verify identities and grant access to endpoints, but this authentication becomes harder to accomplish as devices proliferate, Cerf said. The number of IoT devices is growing exponentially, increasing by almost 2 billion devices in the past year, according to Gartner estimates, with the potential to reach more than 20 billion devices worldwide by 2020.
As IoT devices mature and start to integrate more machine learning and artificial intelligence, they will not just have to manage authentication of new software, but also new users, Cerf said. Most virtual assistants can’t tell the difference between individual voices right now, he said, but companies are working on it. This will mean that users can set different levels of authority for different voices.
These authentication considerations can sound innocuous in a consumer setting but are more urgent in a military one, he said. What happens if a commanding officer is killed or injured to the point of not being able to use a particular technology that is critical to completing a mission?
“You don’t want to have a system that is so carefully structured that no one except command authorities can do anything,” Cerf said. “This is a standard problem with access control. Wherever you introduce access control, you introduce a possibility of denial of service.”
The systems must be able to hand over control to different people, he said, and they have to be able to do it quickly.
Matt Leonard is a former reporter for GCN.