Throughout human history, the scenario of doomsday has changed in step with the technological achievements of the evolving civilization. Steam locomotives, for example, terrified sensitive romantic poets at the end of the 19th century, who saw the “iron monsters” as harbingers of the Apocalypse. Science fiction keeps adding fuel to the fire whenever another technological breakthrough happens, be it weapons of mass destruction or mobile phones.
Computers, the Internet, and artificial intelligence in their turn took up the baton of “the beast from the abyss” destined to dominate all of mankind. The core idea of the numerous versions of the technogenic doomsday comes down to a confrontation between people and various inanimate smart objects. Probably the most famous contemporary narrative dedicated to the hellish side of the industrial revolution is the “Terminator” saga, where the polarity between humans and out-of-control robots is at its most pronounced.
But what about the trendy Internet of Things? How dangerous to humans can all those internet-connected home appliances, toys, cars, and many other chip-empowered gizmos be? What if some negligence on the part of IoT developers leads to unforeseen, horrific consequences, turning our smart gadgets into armies of digital zombies?
While creating an application for one of the blockchain-based startups, Indeema, as a professional IoT development company, decided to dive deep into the IoT security issue in order to share some original ideas on how not to let the Internet of Things become the Internet of Shit.
Danger #1: leaks
Major scandals over leaks of personal data keep proliferating across the globe as the number of objects connected to the Internet grows. The volume of private information made publicly accessible through hacks and security breaches is measured in petabytes. Names, email addresses, photos, voice messages, passwords and other personal information make up the huge mass of data exposed through security vulnerabilities in internet-connected devices that hackers can exploit. Numerous examples of massive data leaks point to negligence on the part of IoT manufacturers rather than to the sophistication and evil adroitness of hackers, who can hardly be intentionally interested in the personal data of millions (!) of random IoT users. Data-leakage practice shows that in many cases hackers steal whatever information isn’t nailed down. In other words, when servers or clouds containing users’ personal data are poorly protected, and the IoT objects themselves are manufactured with little to no security, hackers cannot resist the temptation to steal data that can be generously commercialized on the black market. Why? Because personal data has become the most valuable asset nowadays.
Data is money
Commercial values change over time. The statistics reflect how state and corporate secrets, along with know-how and billing information, have given way to personal data in the overall count of hacks and leaks. The deeper reason for this lies in the new ways of doing business in almost all sectors of the economy. Today’s fierce competition implies ultimate personalization, with brands fighting for every particular customer. Since only customized solutions win, the personal information of consumers is worth its weight in gold. Particularly noteworthy is that the lion’s share (67% in 2017) of personal data leaks came through network channels (web, cloud) rather than through lost or stolen equipment, removable media, or paper documents. And of course, IoT objects play no small part in this: the data retrieved from IoT devices alone can say a lot about people through the environment they are in.
A specific misconception regarding data security is pretty common among IT-related audiences now. Since the hottest topic of contemporary cyber discourse is the crypto economy with its decentralization paradigm, many internet users are satisfied when the development team of an internet-based project declares an “advanced decentralization technology” applied to make its product or service secure. Various cloud service providers, as well as the so-called crypto initiatives, sound very convincing when they mention distributed file architectures capable of protecting their customers’ data from leakage. However, a distributed file system by itself can hardly guarantee a sufficient security level unless the cloud hosting environments are protected with well-considered multi-stage authentication of all devices and entities participating in the network communication. A little while ago, the Shodan search engine’s team investigated data leaks that occurred through Apache Hadoop HDFS (Hadoop Distributed File System) servers. Although the system is specifically designed to store and process huge amounts of user data in distributed cloud hosting environments, improperly configured HDFS-based servers exposed more than 5 petabytes of users’ personal data.
What do we do with it?
The famous dogma that the Internet was built with no security in mind can motivate four unequal approaches to coping with the security issue. The inequality of the approaches lies in the different efforts each method requires from us as well as the different effects they can produce. Thus, in principle we can:
- ignore the security of IoT objects that cannot contain any valuable information by default. In contrast to a chipped Teddy Bear capable of sending our voice messages to our kids, an internet-connected toilet-paper holder holds no hackable personal data that could be commercialized somehow. However, the home Wi-Fi can be exploited through the holder in order to reach the other internet-connected devices where the valuable personal data resides;
- refuse to use any IoT device at all. Even lightbulbs can cause denial-of-service attacks on the entire home IoT system when they start sending continuous “change me” packets after one of the bulbs burns out. Indeed, such an approach is the most effective with regard to the IoT security issue. However, radical methods like that can lead to a neo-Luddite lifestyle, pushing people out of civilization;
- use IoT devices in a more responsible manner, carefully adjusting the out-of-the-box settings made by the manufacturers when the devices are installed. We should clearly realize that the majority of IoT manufacturers tend to push the upsell of their goods without following anti-hacking standards, which in fact are still unavailable in the IoT industry. Besides, passwords such as “password” or “1234567” are feeble excuses for our recklessness rather than reliable security measures capable of keeping our personal data secure;
- insist that new, more advanced data-security technologies be implemented by IoT developers and manufacturers. This is about a new paradigm of understanding how our valuable data should be stored and processed in internet-connected environments. This is exactly what Indeema emphasizes while developing a highly encrypted DLT-based application for one of its current customers.
Web 3.0 requires P2P relations
Let’s put aside the vulgarized, financial-bubble-adjacent aspects that compromise the very idea of such a profound technology as cryptographically protected peer-to-peer protocols. The contemporary cryptocurrency speculations merely reflect the initial “wild-wild-West” stage of the crypto economy, while truly serious developers and businesses should focus on the technological breakthroughs of DLT (Distributed Ledger Technology) capable of elevating internet-based projects to the next level of evolution. The P2P workflows that make information-sharing communication with either cloud repositories or remote IoT devices unhackable imply, after all, the unmistakable recognition of peers. Many projects may declare that they use blockchain or other DLT methods to secure users’ data, but only a few of them are able to implement those technologies in practice. However, such a typical situation can be changed for good when a professional software development company with a rich practical background takes on the case.
What Indeema creates for Internxt
The distributed cloud platform remains a viable business idea despite the abundance of both similar prospective startups and established cloud service providers. Such a solution is especially relevant for the corporate sector, where secure data storage will never become obsolete. The applications Indeema is developing for Internxt differ from their analogs in the very technology that provides peers with an unhackable distributed system of files that are sharded and encrypted beforehand. In addition to the SHA-256 and AES-256-CTR cryptographic methods, some special virtual entities along with original peer-recognition algorithms are created in order to eliminate both the human factor and inadvertent errors in the data storage workflows. The apps will run on a DLT-based protocol that frees users from caring about either their private keys or the security of the distributedly hosted data. Even though it may sound pretentious, the system has both the ultimate hack-proof and foolproof capabilities. How does this relate to the IoT? The same approach can be applied to any IoT-related project, since the same operational algorithms work in communication between IoT objects and a cloud.
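To make the shard-then-encrypt idea concrete, here is an added example (not Indeema’s or Internxt’s code) that splits a file into shards, encrypts each with AES-256-CTR under its own IV and stores a SHA-256 digest that is checked before decryption; the shard struct, shard size and key handling are assumptions, and the digest check exists because CTR mode by itself detects no tampering.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Shard is one encrypted piece of a file: its own CTR IV, the AES-256-CTR ciphertext, and a SHA-256 digest of IV||ciphertext.
type Shard struct {
	IV, Data []byte
	Digest   [32]byte
}
func digest(iv, data []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, iv...), data...))
}
// shardAndEncrypt splits plaintext into shardSize pieces, each encrypted under a fresh random IV (block is an AES-256 cipher).
func shardAndEncrypt(block cipher.Block, plaintext []byte, shardSize int) []Shard {
	var shards []Shard
	for off := 0; off < len(plaintext); off += shardSize {
		chunk := plaintext[off:]
		if len(chunk) > shardSize {
			chunk = chunk[:shardSize]
		}
		iv := make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			panic(err) // no usable randomness: refuse to encrypt rather than risk reusing an IV
		}
		ct := make([]byte, len(chunk))
		cipher.NewCTR(block, iv).XORKeyStream(ct, chunk)
		shards = append(shards, Shard{iv, ct, digest(iv, ct)})
	}
	return shards
}
// verifyAndDecrypt rejects any shard whose digest no longer matches: CTR is malleable, so this check turns a silent bit-flip into a hard error.
func verifyAndDecrypt(block cipher.Block, shards []Shard) ([]byte, error) {
	var out []byte
	for i, s := range shards {
		if digest(s.IV, s.Data) != s.Digest {
			return nil, fmt.Errorf("shard %d failed integrity check", i)
		}
		pt := make([]byte, len(s.Data))
		cipher.NewCTR(block, s.IV).XORKeyStream(pt, s.Data)
		out = append(out, pt...)
	}
	return out, nil
}
```

A bare SHA-256 stored beside the shard can be recomputed by anyone who can rewrite the shard, so a production design would use an authenticated mode such as AES-GCM or an HMAC under a separate key; the example keeps the plain hash only to mirror the SHA-256 plus AES-256-CTR pairing the text mentions.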
Due to the absence of anti-hacking laws in the IoT industry, many manufacturers are chasing sales growth only, without paying much attention to the security capabilities of their devices. The situation is further aggravated by prolific hackers who hunt for the valuable personal data of users, which remains poorly protected by conventional cybersecurity means. At the same time, reliable data-protection technologies based on cryptographic encryption and DLT protocols were invented a while ago. Even though distributed peer-to-peer systems are at the center of the current hype around numerous blockchain startups, their implementation in practice remains scarce. The original methods of unmistakable authentication of peers belong to the field of professional software developers rather than to the merely conceptual initiatives of crypto startup founders. When it comes to actually working, highly protected file systems, experienced IoT developers can show the way. Internet-based environments such as cloud repositories and industrial-scale IoT networks can be effectively protected against hacks and data leakage by developers who have acquired the Web 3.0-relevant cryptographic technologies in their actual development practice.