IOT: Security

Well, I question the place the Intel Galileo holds in the IOT environment: with a higher price than products from companies like Arduino, just why would you pay more for about the same thing? Security is one of the big items that I find compelling about the Intel Galileo.

With the IOT, the security process generally used right now depends on the end user, but with IOT sensor technology this is going to be different, mainly because the 980 BILLION! devices predicted will have no users, and users are the basis of security today. If we look at the Target security hack, the breach appears to have come through an HVAC company allowing its security credentials to be stolen. Initially it was thought that the POS (Point of Sale, not the other meaning of POS) credit card readers had been hacked, see the eWeek article titled How the Target Breach Happened, but later it was reported that the HVAC subcontractor’s system had been breached. Either way, these are sensors of a sort, and even the Pumkinuino will eventually be part of requiring security.

In that case the Galileo, Raspberry Pi and other higher-level systems will be required even for simple systems, and only in very limited situations will the 8-bit processors be allowed to play without first going through some sort of firewall. This will add to the level of complexity. Sad.

Let’s see how best to secure your Intel Galileo board; after all, it appears that the market for new POS credit card readers is going to be intense after the Home Depot hack, and no matter what anyone says, this kind of security breach could happen to you.

Where Does it Start?

  1. Platform protection at the BIOS/firmware level.
    • This means that encryption is required, protecting against privilege escalation attacks.
  2. Software protection at the OS and application level.
    • To me this means that an application store similar to the Apple store, Android Store or the Microsoft Store will be required for devices. This does not mean you have to use those stores; rather, you would set up an Intune-like system in the cloud to distribute your apps. When developers make a change to their software, they would update through a store owned by an individual company, or one that exists as an open source store (which would be a good idea for the open source community IMHO).
  3. Data security:
    • Patch management, which with the use of the App Store system would be part of this security system. What about devices that don’t receive updates? How does that work? After all, a sensor might be in a storage mode, in a “Faraday” cage, etc. and not receive the update. That needs to be part of the security discussion.
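As an added example (my own sketch, not code from the post, Intel or any real store), here is the device-side check a store-distributed update would need: the store signs a manifest, the device pins the store key, refuses rollbacks, and checks the payload digest. The JSON field names, Ed25519 as the signing scheme and the integer version counter are assumptions; a sensor that missed several versions while in storage is handled because only "newer than installed" is required.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed update record fetched from the store; the field
// names are assumptions for this example, not a real store format.
type Manifest struct {
	App     string `json:"app"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}
// Device pins the store's public key and remembers the highest installed version.
type Device struct {
	StoreKey  ed25519.PublicKey
	Installed int
}
// Verify accepts an update only if the manifest carries a valid store signature,
// is newer than what is installed (no rollback) and the payload matches its digest.
// A device that sat in storage may skip many versions; only "newer" is required.
func (d *Device) Verify(raw, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(d.StoreKey, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Version <= d.Installed {
		return nil, fmt.Errorf("rollback refused: installed %d, offered %d", d.Installed, m.Version)
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, fmt.Errorf("payload digest does not match manifest")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // store key pair, generated for the demo
	dev := &Device{StoreKey: pub, Installed: 3}      // device missed versions 4-6 while offline
	payload := []byte("constructed firmware image bytes")
	sum := sha256.Sum256(payload)
	raw, _ := json.Marshal(Manifest{App: "sensor-fw", Version: 7, SHA256: hex.EncodeToString(sum[:])})
	fmt.Println(dev.Verify(raw, ed25519.Sign(priv, raw), payload)) // accepted: 3 -> 7
}
```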

Where are we at today?

According to the referenced Intel article, page 5:

“The paucity of information about Big Data security for embedded devices added to the inconvenient truth that today’s security paradigm is inadequate for the Internet of Things add up to a disquieting prospect for companies that design and manufacture embedded devices….”

Later in the article:

“…Design teams should also acknowledge that they cannot solve the problem alone.  Everyone in the supply chain should be expected to contribute.  If the chipmaker, OS Company, app dev, and connectivity Partners are all working from the same playbook, then the embedded devices’ design team will have a lot of built-in security to leverage….”

“…[I]t will be necessary for the intelligent systems framework to cast a very broad net—to consider every possibility….”

Seriously, this is what the biggest chip builder in the world has to say about the Internet of Things? Wow, looks like lots of opportunity for anyone going into the Internet of Things. So what is a design team supposed to do with no comprehensive solution? Get started dealing with security right now; this means you, as an app dev, need to question any design process that doesn’t consider security.

To get started, read this PDF: Securing Intelligent Systems from the Ground Up Technology Brief. Kind of lightweight, but if you have to deal with managers, this is the kind of simple speak they like (which is no insult; if you are like me, then people don’t understand the technical stuff you are talking about).