An increasing number of IoT devices are being installed to control and maintain homes, as well as to increase comfort of living and security. These devices are controlled, and information from them is retrieved, through cloud services and smartphone applications. Data from these devices, ranging from temperature and humidity measurements to motion sensor information and camera images, is stored on cloud servers and in their databases. The commands and the data are transferred over the public internet.
No wonder that the information security of these new inhabitants of the home is a hot topic. The consumer wonders: is the information related to my home safe? Could someone get access to control the heating and cooling systems of my home? Would it be possible for someone to harness the motion sensors and surveillance camera at my home to find out whether I'm in or out? It is easy to paint different kinds of threats.
Companies providing IoT devices and services must take these concerns seriously and provide working solutions to address them. Information security is not about a single magic trick; it requires companies to consider security on all levels of their operations, from development to services.
Information security is about both technology and processes. Consider, for example, the commands an IoT device receives from the cloud. How can it be made sure that they haven't been tampered with and that they are coming from the right source? On the one hand, the technology selections of the IoT device must back this up. The device needs to support cryptographic techniques that allow messages to it to be properly signed in the cloud and that allow the device to verify the signatures properly. On the other hand, tools and processes have to be put in place so that a company can distribute keys safely in an international operating environment.
What should be done to ensure that the data and messages an IoT device sends to the cloud are correct, and that a third party would not be able to hijack an IoT device and bring it under his control? Once again we fall back on technology selections and processes. The IoT device should sign the messages it sends with a device-specific secret key that never leaves the device, and on top of that the distribution of device-specific public keys needs to happen safely.
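The signing and verification described in the two paragraphs above, as an added Go example that is not part of the original article. The same Seal/Open pair serves both directions: the device checks commands against the cloud's public key, and the cloud checks device messages against each device's registered public key. The Envelope format, the Registry type, the sender ids and the choice of Ed25519 are assumptions; the article names no specific algorithm or message format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registry maps a sender id to the public key that was distributed for it.
type Registry map[string]ed25519.PublicKey

// Envelope is a hypothetical wire format: claimed sender, payload, signature.
type Envelope struct {
	Sender       string
	Payload, Sig []byte
}

// NewKey generates a key pair; nil selects crypto/rand as the entropy source.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }

// signedBytes makes the signature cover the sender id as well as the payload.
func signedBytes(sender string, payload []byte) []byte {
	return append([]byte(sender+"\x00"), payload...)
}

// Seal signs with the sender's private key (on a device, that key never leaves it).
func Seal(sender string, priv ed25519.PrivateKey, payload []byte) Envelope {
	return Envelope{Sender: sender, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(sender, payload))}
}

// Open returns the payload only if the signature matches the key registered for the sender.
func Open(trusted Registry, e Envelope) ([]byte, error) {
	pub, ok := trusted[e.Sender]
	if !ok || !ed25519.Verify(pub, signedBytes(e.Sender, e.Payload), e.Sig) {
		return nil, errors.New("unknown sender or bad signature")
	}
	return e.Payload, nil
}

func main() {
	cloudPub, cloudPriv, err := NewKey()
	if err != nil {
		panic(err)
	}
	cmd := Seal("cloud", cloudPriv, []byte(`{"set_temp":21}`)) // constructed sample command
	cmd.Payload = []byte(`{"set_temp":35}`)                    // altered in transit
	_, err = Open(Registry{"cloud": cloudPub}, cmd)
	fmt.Println("device verdict on altered command:", err)
}
```

A signature alone does not stop an old, validly signed command from being sent again; a counter or timestamp inside the signed payload would be needed for that.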
Signatures and proper key management alone are not enough. Some IoT devices, like IoT security cameras, send data that has to be encrypted to ensure that its content cannot be viewed by outsiders. For this purpose, the platforms used for IoT devices should support well-understood encryption protocols like SSL. Once again, the technology selections a company makes should support this.
A cruel fact is that there are always things to improve in information security. We are used to the fact that our computers and phones get regular software updates that contain improvements in security and functionality. IoT devices are computers too. Updatability is thus as important in an IoT device as in a smartphone. Updates are needed whether it's about new features or maintaining security.
A responsible company considers information security at all levels of its operations.