This year during CES, one trend we observed was that conventional network-level security will soon become a thing of the past – especially in the IoT age – as self-protection and sandboxing of devices from network attacks gains more currency.
For this, the devices have to be hard-coded, as more user data migrates to the edge, and multiple nodes. Why? It makes sense when one understands the limitations of legacy security systems and third-party objects. And during the present IoT era, a whole new dynamic approach to security is unfolding.
To get a peek into the current transformation in smart devices and apps security, we went behind the scenes and heard it straight from industry leaders. In this IoT security special, we explore the next-generation ideas, which have been tested and validated by device manufacturers, OEMs and software vendors alike.
How to Strengthen the Security of IoT Devices
Smart yet unsafe. That’s the impression many people still have before they check out a connected device. Is there any truth that these may be more prone to hacking, remote exploits, and malware from various corners? David Barzilai, Co-Founder of Israel-based Karamba Security, offers a more credible analysis of the problem.
Smart IoT devices inherently offer many more attack surfaces than computers or smartphones. This makes it difficult to confront the attackers using older network-based security solutions, such as antiviruses, or even Unified Threat Management (UTM) appliances. The visibility they offer is limited. According to Mr. Barzilai, “IoT companies need a mechanism to protect IoT devices ‘seamlessly’ at their own level.”
At Karamba Security, which was nominated by Forbes as one of the Top 20 IoT Startups to Watch in 2020, their whole approach to device security is very different. Instead of keeping track of network traffic going in and out of a device, Karamba operates on a built-in “deterministic” model to protect and monitor the device in its runtime environment. A smart device is supposed to have “self-protection” instead of involving the developer each time an attack strikes.
Adds Mr. Barzilai: “Our software is integrated with the device manufacturer toolchain and automatically scans the binaries to create policies which are embedded into the device firmware. So for every file in the software system, we automatically create a whitelist which is maintained in our factory. Those unique values or hashkeys are checked during the runtime against any binaries that are different.”
At the moment, Karamba Security is working with leading OEMs and IoT manufacturers to hard-code secure their devices using this novel approach. Mr. Barzilai notes that quite a few attacks on connected vehicles were launched in recent years due to third-party vulnerabilities, such as through infotainment systems. The connected vehicles industry is one of their biggest segments: so Karamba security helps secure Alpine Electronics, a Japanese infotainment company.
Barzilai also notes that such deterministic security mechanisms are more common in smart energy, automotive, or industrial IoT space. The consumer IoT segment is still having these security gaps because the stakes are not that high. He confidently believes that with a deterministic, device-level security solution in place, Mirai botnet-like attacks would have never occurred in the past.
What About End User Security in IoT?
While smart device manufacturers should hard-code their device security, what should end users do? To answer this question, we received some of the latest insights from an energetic startup at CES 2021: Typewise AG. Based in Switzerland, Typewise is a next-generation smartphone keyboard, which changes the very paradigm of AI usage for smart devices. They have a research collaboration with ETH Zurich and ex-Googlers to import more intelligence into the app. But the fundamental idea is rock solid.
Says David Eberle, Co-Founder and CEO, of Typewise: “Instead of sending your keyboard data to the cloud, Typewise pretrains the AI models using similar public data, such as OpenAI, and builds it into the app, to be rolled out directly to the user environment.” Clearly, when no keyboard data is exposed to third-parties, and you still get AI suggestions for best results, the text prediction should be more secure for end users.
Adds Mr. Eberle: “At Typewise, our vision is all about decoding human thoughts and ensuring they remain private.” He believes the same concept of sandboxing data in the device can be extended to voice and brain-computer interfaces. Mr. Eberle believes that Switzerland has earned a reputation for data secrecy and “detached” governance, which makes it an important player in enshrining IoT privacy standards.
Security is one of the most important considerations in any hardware device or software solution. Nonetheless, when you have eye-catching gadgets on display, it’s easy to get lulled into a sense of false reassurance. With the buzz around driverless vehicles, smart cities, and connected appliances, one may not have answers on how exactly the IoT devices should be protected. At least that was the situation until now.
However, the recent CES 2021 event may have changed that indecisiveness and will almost definitely impact how IoT companies view security. Based on our learnings, we have to concur that deterministic security and the sandboxing of data in devices is the future for IoT device security.