Internet For Everything
“The hypothesis that a new Internet-for-everything society will come, as it is desired by the fundamentalists, is in fact very weak, not to say improbable” —Philippe Breton
Despite what Breton wrote in 2011, small devices across the globe are increasingly capable of fully qualified networking. This technological advancement of small, autonomous devices equipped with adequate sensors lays the foundation for the Internet of Things. What Breton was pointing out is that this development is like a Trojan horse, carrying massive social implications. His key message was that this transformation of society is largely unquestioned. Under the populist notion of practicality, the issue is presented as inevitable, despite the challenges it poses to the core values of his society as he expresses them: the Law, Speech and the Individual.
Clearly, with its close connection to contemporary globalization, the increasing number of tiny, autonomous devices operating throughout society will also raise concerns and research questions about security, privacy and ethical matters. Consequently, there is more and more research published on the technical security of these devices, the networking between them, and their backend systems. Take for example what Hossain, Fotouhi and Hasan contributed in their recent paper for IEEE World Congress. While technical solutions essentially and comprehensively identify and classify the parts and their interconnected links, they leave out the important questions of “who governs” and “whose security”.
Furthermore, technical maneuvers rarely bring about direct financial advantages for businesses.
Backdoor in the refrigerator
The technical vulnerabilities of interconnected devices are often explained using rather abstract, if not surreal, scenarios. Yet the fact is that networked small devices often provide new injection points for various rogue actors, and also generate new business for security appliance providers.
These fictional examples are often reinforced by referring to more severe environments like healthcare, industrial or military appliances where a backdoor in one small device could compromise the whole system. Many nations are presenting these threats as real, and investing in research both to identify them and sometimes also to gain offensive capabilities. As the basis of the Westphalian State is to be in possession of the ultimate coercive force, the local law enforcement office eagerly wants to secure their ability to invade your fridge. The armed forces, on the other hand, might want to do the same thing abroad for the sake of national security.
The threat is not that far-fetched, as recent headlines have demonstrated how innocent game consoles were used to plot against the sovereign. While competent security agencies are well aware that state security involves much more than taking away or intercepting digital toys, this kind of headline carries huge value for the securitizing process in the public mind.
Global Business Infrastructure
The fundamental aims when securing any information system are to ensure that the data stays coherent, confidentiality is not lost and the data is available when needed. While these and any derived requirements are commonly implemented today in traditional web applications and infrastructure, by definition, the complex and evolving IoT has some particular restrictive characteristics. Yet for global businesses, and indeed, as noted, increasingly for states too, it is essential that they and their customers are able to operate safely in the world of Things.
Many devices in the mesh-like network of Things are expected to be rather autonomous, and yet need to be in connection with other devices. As such, a backend system is usually included in the architecture, to coordinate communication across the devices. While useful from the point of view of the application, this kind of dependence and transfer of data will introduce an expansion of the borders of the IoT security domain. While completely autonomous devices could conceptually be developed, in practice, business and legal requirements often lead to practical hybrid solutions, where parts of the application and data are stored on the device and parts are shared across the network.
Perhaps one of the most widely spread IoT-like systems is the RFID or biometric passport. Capable of storing essential details and getting power over the air, it contains essential cryptographic features to ensure that gates at the border are not easily led astray.
(Image Source: Automatic Border Control Process – Wikipedia)
Active chips are equipped with an internal power source, so that they can initiate communication as well. While they are forerunners on the market of Things, these small devices have also been known to be tragic examples of failures of security. Setting up a trivial antenna on the street could initiate connection to any passport within range, and by knowing or guessing its password, gain access to personal details. While the feature is apparently designed for the border gates, it demonstrates the practical dangers of building backdoors in the Internet of Things.
By Kristo Helasvuo