The internet of things (IoT) has a market value of $662 billion (€605.73 billion) today. By 2030, it is expected to grow to $3.35 trillion (€3.07 trillion). The seamless, connected experience that IoT devices offer is clearly attractive to consumers, but it also presents an increasingly attractive market that bad actors are only too willing to exploit, says Johannes Lintzen, managing director, Cryptomathic.
IoT providers have largely been laser-focused on their devices delivering frictionless experiences. It is what consumers buy into: a connected device that makes their life easier. But it is a fact of modern life that every device connected to the internet is vulnerable to some degree.
In 2022, the number of IoT cyberattack cases was estimated at over 112 million, double the previous year. As more devices and services become interconnected, cyberattacks will only continue to rise if no action is taken.
The United States government recently announced its Cyber Trust Mark programme. It aims to help citizens know whether the IoT devices they buy and use come with strong cybersecurity protections. The initiative launches in 2024 and devices will be awarded the “U.S. Cyber Trust Mark” if they meet certain security criteria. But is the programme needed and what security implications does it have for IoT manufacturers?
The challenge of building trust in IoT
IoT devices integrate technologies that connect and exchange data over communications networks, such as the internet or other IP-based networks. This offers new and exciting technology use cases, but it also means cybercriminals have a significantly larger attack surface to target.
Consumer trust in IoT security is low. High profile IoT attack cases such as the 2016 Mirai Botnet attack risk undermining the IoT market unless sufficient protections are put in place. A study by the University of Warwick reflected this, showing that UK consumers are not convinced that they can trust the privacy and security of IoT devices.
Consumers need complete assurance from device manufacturers and service providers that a high level of security has been implemented and maintained. For industry players already adhering to good security practices (of which there are many!), this can be frustrating. Currently there is no easily accessible way for consumers to understand the level of security in the IoT devices throughout their homes. This is the driving force behind the Cyber Trust Mark programme.
Securing resource-constrained devices
The Cyber Trust Mark puts IoT security under the spotlight. While the programme will be voluntary, it is in the interests of manufacturers to sign up, positioning the security of their devices as another selling point for consumers. But there are currently no specific repercussions for those that decide not to take part.
The challenge is that we cannot hold all IoT devices to the same standard. There are an inconceivable number of different IoT devices and services, performing a huge variety of tasks. These products and services therefore vary massively in terms of complexity and the computing power they possess.
Many IoT devices are resource-constrained, meaning they do not have the capacity to execute complex cryptographic operations. A smart light bulb, for example, has extremely limited computing power in comparison to, say, a smart meter. Likewise, the risks exposed by bad actors controlling a connected light bulb are far less severe than controlling a device connected to the energy grid. Therefore, it would be unfair to hold the light bulb to the same security standards as the smart meter.
Resource-constrained device manufacturers are increasingly considering secure enclave technology to support data protection. As smaller, simpler IoT devices, such as for example smoke alarms and doorbells, do not have the computing power to host high-level cryptographically secure keys, manufacturers can link devices to the cloud and securely execute cryptographic operations in a protected environment. This offers an innovative approach to bring higher levels of security assurance into reach for most IoT device manufacturers.
Protecting data and software updates
The U.S. Cyber Trust Mark programme highlights the need for enhanced security to protect data and enable secure software updates. For manufacturers looking to be proactive in addressing these concerns, there are more ways they can prepare ahead of the programme’s projected launch in 2024.
Secure procedures and processes must be established as early as during the manufacturing stage. Enabling the storage and handling of cryptographic keys and certificates is critical. But, as already established, there is not a ‘one size fits all’ solution. Larger, more complex IoT devices may be able to leverage Elliptic Curve Cryptography (ECC), but resource-constrained device manufacturers should seek enclave solutions or use alternative cryptographic algorithms; just a few months ago, NIST concluded its “lightweight cryptography” selection process and chose the Ascon family of algorithms as a future standard data encryption method within the internet of things. Though it is worth noting that Ascon’s lightweight algorithms are symmetric and do not address the issue of IoT device certificates.
Looking further down the production line, most connected devices require software updates after the device has been purchased. This may be to enhance the functionality of the device or service, or to fill identified security gaps. The security of an IoT device is not ‘complete’ at purchase but rather must be maintained throughout the product’s lifecycle.
As IoT devices become even smarter, more data will need storing on the devices, meaning there is more data to protect. Software updates will become even more important, due to the increased level of sensitive data being stored, and high levels of security will need to be maintained throughout the device lifecycle. By leveraging the latest data protection technology for the cloud, software updates can be remotely installed in a secure manner.
As the IoT continues its upward trajectory, user experience must not come at the expense of security. Manufacturers must stay ahead of their criminal counterparts to ensure all IoT devices protect data and can be updated securely as required.
The elephant in the room
The longevity of many IoT devices means that a large portion will still be in use when quantum computers become a reality. The Cyber Trust Mark programme does not yet attempt to address post-quantum security, but it should make device manufacturers aware of the risks and encourage proactive action. Because post-quantum cryptography certificates will be even more complex than current certificates, the IoT industry in particular will face additional challenges. As the programme is being created in cooperation with NIST, I expect (and hope) that the finalised programme will help the IoT world prepare for post-quantum cryptography.
There are several ways organisations can begin preparing for post-quantum now, though, and the road to cryptographic agility begins with a thorough analysis of your organisation’s environment. Determine exactly what you’re working with, where the gaps are, and what needs to be done next.
IoT device data that is currently encrypted by methods based on classical cryptography can be accessed and stored by bad actors until they obtain quantum technology, known as a “Store now, decrypt later” (SNDL) attack. This means that IoT manufacturers whose devices/services store data with a long shelf life, such as smart home systems, must be particularly aware of this threat, and make plans that prioritise valuable data with a long shelf life.
Creating and adopting a cryptographically agile approach allows IoT organisations to future-proof their security strategy by providing the mechanism to address potential threats quickly and effectively as they appear.
While convenience is king in the IoT industry, stakeholders should remain aware that there is nothing more distressing for users, nor damaging for brands, than avoidable cyberattacks.
The bottom line is: it’s never too early to prepare.
The author is Johannes Lintzen, managing director, Cryptomathic.