How will billions of devices impact the Privacy of Things?

The Internet of Things (IoT) will create the single largest, most chaotic conversation in the history of language. Imagine every human being on the planet stepping outside and yelling at the top of their lungs everything that comes into their heads, and you still wouldn’t be close to the scale of communications that are going to occur when all those IoT devices really get chattering.

Billions of devices, all talking away (and listening) – whether it’s an industrial robot, a self-checkout Point of Sale, a car door sensor, an automated insulin injector, or a toy that teaches your kid to read. Some of them will only speak occasionally, some will talk all the time, some will be coy, and some will talk to anything that will listen. And, perhaps we should be offering the same advice to those chatty devices that generations of parents have already advised their children as they head out the door to play, “Don’t talk to strangers!”

For while we’ve spent a lot of time worrying about the privacy of our data (and we should, we really, really should) we should also spend some time thinking about all those devices and how we can keep their communications private, too.

Unsecured communications will be the bane of the IoT. Devices gathering data and responding to the world will want to send that information back to whatever service they connect to. And all that chatter forces us to face three, very familiar problems yet again:

First, how can the device be sure its talking to the right remote services? What if someone sneaks in a service that sure *looks* like its right, but isn’t? Does the IoT open us up to one, global, man-in-the-middle attack that will suck down data like a sinkhole at the bottom of a lake?

Second, how can we be sure that the information coming from the device isn’t being listened in on, copied, and potentially tampered with? If my office has smart sensors that tell me the door is closed, how do I know it really *is* closed? Maybe someone is tampering with that data stream? What if I could convince a whole bunch of industrial robots to shut down instead of building cars?

Third, how can we be sure that the device I’m getting my information from really is the device I expect it to be? What if it’s also being spoofed? Maybe my valuable cargo container of rare Etruscan art has been replaced by a container of used soda cans that just pretends to be mine. How can I be sure?
All these problems – authentication, non-repudiation, privacy, and so on – are challenges we already have to deal with in lots of other online communications. And, the likely answer for the IoT is going to be the same as it is for other forms of communication – encryption. Encryption lets us have a degree of control over the privacy of the data we send. Likewise, it can be used to help ensure that the two parties in the communication stream really are who they claim to be (since if they are the only ones who hold the appropriate keys, we can be reasonably certain we know who we’re talking to).

So if the answer to these challenges is so well understood, what really is the problem? The problem is that encryption is expensive. Not in terms of money, but in terms of power and speed. Encrypting data costs cycles, it consumes processor time, and it sucks down battery life. And those two things – performance and lifespan – are already going to be huge challenges for the IoT, since so many devices will be so small.

Luckily there’s a lot of work underway already, including things like the ISO/IEC 29192 standard for lightweight ciphers. These encryption approaches will provide algorithms that are sufficiently fast, and of sufficient capability, that they can be implemented on the low-spec devices that will form the bulk of IoT technology.

Such approaches will enable IoT devices to quickly encrypt data before it is exchanged over the Internet and help ensure that the devices at both ends of the communication stream are who we think they are. It will also help reduce the chances of someone listening in on the communication and stealing potentially valuable data.

So with new, lightweight encryption algorithms, improving battery designs, and a new, stronger hashing algorithm (SHA-3) that can also be implemented for the IoT, surely we’re all safe, right?
Well, yes. Maybe. While all these technologies will combine to offer the opportunity to secure communications and data, they only work if you actually use them. That is, if the manufacturers of those devices decide it’s worth their time to include them, at all. And that impetus, that imperative to build security in, will only come if we, as consumers, backed by legislation from our governments, make them.

Then we can fully reap the benefits of the IoT with some assurance we really aren’t just talking to strangers.