
Secure the Internet of Things using biological strategies

15 Oct 2014  | Bernard Murphy

Challenges unique to the IoT

Why is the IoT not just a larger version of the cyber-universe we already know? Why do we even need to consider new approaches?

First, the IoT has an unusually large attack surface. In the world of computer security, an attack surface is the sum of the points at which an attack can be launched. Every one of those trillion edge-nodes—whether a strain sensor, a pace-maker or a refrigerator—represents a potential point of attack through wireless snooping, subversion or outright replacement by a corrupt device. The CIA, no less, has raised concerns about our ability to defend against attacks in the IoT. In the classical Internet, we have built defences using firewalls and anti-viral screens, but these are cumbersome methods to deploy around edge-nodes that will be ubiquitous, widely distributed, easily accessible and often difficult to physically monitor or protect.

Another concern is cost. To reach these levels of deployment, edge-nodes will need to be very cheap, at least on average. An IoT at this scale will not be economically viable at unit prices we see today for consumer devices. We need to think of $1 per unit, but—at these rates—systems manufacturers will have slim margins and little room to add complex security solutions. If prices could be subsidised by carriers, as phone prices have been, this problem could be mitigated, but many applications have no consumer in the middle to tap for long-term service contracts. Even consumer applications will be bounded by what the consumer can afford. Smartphones and tablets have raised our perception of affordability somewhat, but when it comes to buying yet more devices, our pockets are not arbitrarily deep.

Battery life of electronic apps

Power consumption and battery life (where applicable) in various electronic applications. Many IoT applications will sit in the lower right-hand corner of this chart.

Finally, the power consumed by IoT devices is a major constraint. Many edge nodes will need to operate for years on a single battery charge. Medical implants and remote strain sensors are clear examples. Power significantly limits what software can run on these nodes. Any known form of anti-virus software is very compute-intensive and guzzles power. It is difficult to see this style of defence ever being viable on power-sipping edge nodes. One common counter-argument is to move checking to a less power-constrained host—the cloud or a gateway node for example. But checking cannot be continuous for the same reasons and—in the meantime—the edge-node is exposed to subversion in any number of ways.

These new challenges seem ripe for new solutions. Edge-nodes in particular are very exposed and need cost-effective solutions for defence and local solutions to quickly contain attacks. Biological and deceit-based defences are well worth considering in this context.

Strength through diversity

One important defence in biological systems is diversity. Agriculture experts now recognise that monoculture farming, while economically efficient, has an exploitable weakness. If a pest or pathogen can successfully attack any part of a crop, it can propagate quickly throughout the crop, resulting in catastrophic failure. A notorious example of monoculture gone wrong was the Irish potato famine in the mid-19th century. Attack by a single pathogen—Phytophthora infestans—caused a general failure of the potato crop, which lacked genetic variability.

In diversified farming, even if a pathogen successfully attacks one crop, it is less likely that it will succeed in other crops. There are arguments about the best way to manage this risk while retaining economies of scale, but there is no question that diversity results in systems that are more robust to attacks.

In the case of the IoT, there is an interesting parallel. Since we expect the market to be large, we might expect to see healthy competition and growth of a very heterogeneous system. However, this diversity may be more apparent than real. The core compute engine underlying many of these systems is likely to converge on a limited number of suppliers (or possibly just one). The wireless interface will likely also converge quickly around a small number of suppliers. Similarly, the trend to open-source software (Linux, Java and Android, for example) also reduces variability. Thus, we could see the same monoculture risks as in agriculture unless these suppliers take additional steps to re-impose diversity.

Methods to add diversity, especially to an underlying monoculture, are still evolving. Some automated methods include address space randomisation, randomising source code by adding dummy code and stack layout randomisation. Each of these increases the difficulty of an attack breaking into code, jumping to malicious routines or launching new forms of attack. These methods, to these authors at least, seem especially interesting for edge node defences given their potentially low cost.

Another rather obvious example of enabling diversity is to make sure we use the encryption capabilities built into IoT hardware and to use different encryption keys throughout the network. This way, even if one key is compromised, security in the rest of the network will remain intact. Perhaps all of this should be self-evident, but setting up different keys for each node carries a cost. Given our track record in trading off unappreciated risk for convenience, we should be cautious that this does not become yet another example.
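The per-node key argument above, as an added example that is not part of the original article: it compares a fleet-wide shared key with per-node keys when the key of one node has been extracted. Deriving each node's key from a master secret with HKDF (RFC 5869) is an assumption about provisioning that the article does not specify; the node IDs, message format and key values are constructed.

```python
import hashlib
import hmac


def hkdf_sha256(master: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, master, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def node_key(master: bytes, node_id: str) -> bytes:
    """Per-node key: only the provisioning side holds `master` (assumed scheme)."""
    return hkdf_sha256(master, b"iot-node-key:" + node_id.encode())


def tag(key: bytes, node_id: str, reading: bytes) -> bytes:
    """Authenticate a reading; the node ID is bound into the MAC input."""
    return hmac.new(key, node_id.encode() + b"|" + reading, hashlib.sha256).digest()


def gateway_accepts(master, node_id, reading, mac, shared_key=None) -> bool:
    """Gateway check: use the fleet-wide key if given, else the node's own key."""
    key = shared_key if shared_key is not None else node_key(master, node_id)
    return hmac.compare_digest(tag(key, node_id, reading), mac)


def compromise_results() -> dict:
    """What a key extracted from 'sensor-17' is good for under each scheme."""
    master = bytes(range(32))      # constructed master secret
    fleet_key = b"F" * 32          # constructed key shared by every node
    leaked_unique = node_key(master, "sensor-17")
    msg = b"valve=open"            # constructed message
    return {
        # Shared key: the leaked key authenticates as any other node.
        "shared_key_other_node": gateway_accepts(
            master, "pump-03", msg, tag(fleet_key, "pump-03", msg), shared_key=fleet_key),
        # Per-node keys: the leaked key fails for every other node...
        "per_node_other_node": gateway_accepts(
            master, "pump-03", msg, tag(leaked_unique, "pump-03", msg)),
        # ...and the damage is confined to the node it was taken from.
        "per_node_same_node": gateway_accepts(
            master, "sensor-17", msg, tag(leaked_unique, "sensor-17", msg)),
    }


if __name__ == "__main__":
    print(compromise_results())
```

The derivation keeps the provisioning cost to one master secret on the gateway side, but that secret then becomes the single value whose loss compromises every node.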
