Fitting Into IoT Security with a New Open-Source Encryption Standard
Andrej KovacevicAndrej Kovacevic
If today's IoT devices have an Achilles heel, it's that they're prone to security lapses and often catastrophic data leaks. Part of that has to do with the breakneck speed at which the IoT industry developed and continues to churn out new devices. That speed made it impossible for the industry to coalesce around any agreed-upon security standards.
And as a result, today's IoT implementations force users to find their own security solutions to stay safe. But for IoT to reach its true potential, those fundamental security issues will require an industry-wide solution – and soon.
Today's IoT implementations force users to find their own security solutions to stay safe. But for IoT to reach its true potential, these security issues will require an industry-wide solution.
So far, most efforts toward that end have seen manufacturers employing a mixture of legacy technologies like VPNs and SSL encryption to protect data going to and from their devices. But those technologies are of a different time and weren't built to accommodate the unique Applications involved in IoT networking.
For example, it's common for IoT devices to communicate in a one-to-many or many-to-one configuration, which most existing encryption schemes don't support without requiring significant hardware resources. And those shortcomings make it clear that new, custom-built encryption technology is a core component of what's really needed to protect IoT devices now and in the future.
Preferably, that technology would be open-sourced so every IoT manufacturer could adopt it. And at this year's Real World Crypto conference in New York, that's exactly what Swiss cryptography company Teserakt announced they were working on. Here's a look at their announcement and how it fits into the broader security situation in the world of IoT.
The product that Teserakt unveiled is called E4, and it's an all-in-one encryption implant that manufacturers can include in their IoT devices and server backends. At the event, Teserakt's CEO Jean-Philippe Aumasson likened their approach to the end-to-end encryption used in major messaging platforms like WhatsApp and Signal. He indicated that the decision to make their solution open source was intended to encourage industry-wide adoption and foster consumer trust through code transparency.
And crucially, the company also indicated that they're building their system in consultation with technology companies in the aerospace, automotive, energy, healthcare, and agriculture industries. The idea behind that is to consider the many Applications that an IoT encryption system would have to accommodate. And by covering all of the major industries that might one day employ the technology, Teserakt hopes to create a universal solution that can protect many data streams.
The E4 system, for all its utility, won't be a complete IoT security solution, however. Security researchers have already pointed out that it will only protect devices from man-in-the-middle attacks and other similar exploits. It doesn't do anything to improve the devices' security or the servers they communicate with.
Those problems would remain even if the IoT industry achieved universal end-to-end encryption adoption using E4 or similar technology. But creating a single wide-use IoT encryption solution would protect against many of the mistakes IoT vendors make today. For example, a recently announced flaw in implementing the open platform communication (OPC) network protocol by multiple vendors and issues like it would be rendered moot by end-to-end encryption.
It's also important to note that the E4 solution is still not ready for production environments. For that reason, Teserakt still hasn't released the fully open-source server code for it. However, they have indicated that a release will be forthcoming when they've completed the documentation for the software.
But even when they do release the code, experts and industry stakeholders are quite likely to spend months – if not years – going over it with a fine-tooth comb before committing to use it. And that's yet another hurdle that has prevented previous IoT security solutions from ever making it into wide use. Major vendors may instead opt to create their own proprietary solutions in the intervening months. And history has shown that they'll be loath to make changes once that happens.
The good news here is that Teserakt's E4 IoT encryption solution is a step in the right direction for the industry, even if it's an incomplete one. In the end, some security standards will have to materialize for the IoT industry to fulfill its lofty promise, and it's good to know that available options are coming online. That will make the jobs of device manufacturers and IoT software developers a little easier in the coming years. But for now, all anyone can do is keep an eye on Teserakt's GitHub page to watch as E4's development unfolds. With some luck, it will catch the attention of enough stakeholders in the IoT industry to start making its way into their near-term plans. And if it does, that will go a long way towards making the future of IoT a little more secure. And that's something.
The Most Comprehensive IoT Newsletter for Enterprises
Showcasing the highest-quality content, resources, news, and insights from the world of the Internet of Things. Subscribe to remain informed and up-to-date.
New Podcast Episode
Related Articles