The Internet of Things: an identity theft goldmine for terrorists and criminals?

Protecting against the threats of the IoT

We spoke to Allen Storey, Product Director of cyber-security company Intercede, about the threats inherent in the Internet of Things, and the steps which must be taken to protect consumers and companies against them.

TechRadar Pro: What are the main opportunities and threats to come from the IoT?

Allen Storey: The opportunities are almost endless.

As more and more devices become connected their ability to interact in smarter ways will allow for the provision of new and more personalised services e.g. monitoring my health via wearable technology or controlling my home heating, lighting and security system from my phone.

A number of these technologies are already emerging (just look at Hive), but as things become smarter and more connected they will break out of their silos (i.e. only communicating with their own service) and start to communicate with each other.

Imagine my self-driving car is told by my smart fridge that I am out of coffee and reroutes me to a supermarket on the way home from work to buy some. The world enabled by big data has only just begun!

The main opportunities go hand in hand with the main threats. As things become more connected the opportunity to hijack them for nefarious purposes increases.

Being able to send my son an electronic key to his phone to let him in the house would be beneficial on those occasions when he has lost/forgotten his key. However, I need to be sure that only I can send a key and only my son can receive and use it, otherwise it will become an easy target for thieves.

The greatest online threat at the moment is identity theft. Within the IoT that threat will extend to identity theft of a device as well as a person. Imagine that device is protecting an element of critical national infrastructure such as a power station… the threats therefore extend beyond those presented by the casual criminal to those of more concern such as organised crime and terrorism.

TRP: Who is in charge of regulating and setting standards within the IoT? Surely without a single centralised body, such as the GSMA in the telco space, there can never be uniformity?

AS: The internet has no single regulatory authority, but that does not mean there cannot still be standards. The internet itself is a good example of how multiple services and devices can communicate over a common network that nobody owns.

A number of major industry players see the benefit in securing the internet and have formed alliances to attempt to set vendor independent standards in this area (e.g. the FIDO alliance with members including Google, Microsoft, MasterCard, Samsung, Paypal, Visa and Intercede). Combined with government initiatives such as US NSTIC (National Scheme for Trusted Identities in Cyberspace), all this is showing that both industry and government have a desire and indeed mutual interest in providing solutions.

TRP: How can you secure the IoT?

AS: This is a heavyweight question with multiple parts to the answer best provided by specialists on each area, hence the need for collaboration within the industry.

Intercede believes a starting point has to be knowing who, or what, is connecting really is that which they claim to be. This is ideally achieved by means of a tamper-resistant digital identity that can be electronically verified online.

TRP: Do you think consumers and companies alike are aware of the security threats represented by the IoT? Whose job is it to educate consumers/companies about the IoT in general? Government, individual organisations, or is it the individual's own responsibility?

AS: It is difficult to look at a news site without seeing yet another story of a major organisation being hacked or passwords being leaked, and I believe that the public is beginning to understanding that passwords alone are no longer enough.