The promise of the Internet of Things won’t amount to much unless everyone in the value chain takes security seriously and designs it into every part of the IoT ecosystem.
That was the warning from Simon Segars, CEO of ARM, during a keynote on the second day of the Mobile World Congress in Barcelona Tuesday.
“One of the biggest barriers to adoption for IoT is security,” Segars said. “If we don't get security right, the IoT can’t deliver its true potential.”
Segars noted that while cybercriminals have not yet really put IoT to the test yet, that’s mainly because it’s too new. With tens of millions of devices being connected, the potential for exploiting weaknesses is huge. And we’re already seeing cases of connected things being found to be highly insecure.
“Even something as innocuous as a connected teddy bear can be potentially dangerous,” Segars said.
He remarked that it’s easy with hindsight to identify weaknesses – for example, when hackers stole customer credit card data from Target, the weak spot ultimately wasn’t Target’s firewall, but an employee at a Target vendor who fell for a phishing scam. But with IoT, you don't really want to discover its security weaknesses the hard way, he said. “With IoT we really have to get on the front foot.”
The good news is that the IoT is still in the fledgling stage, so there’s still an opportunity to get security right.
“But it can’t be an afterthought,” Segars warned. “Security has to be designed into it from the start. We need security in the hardware – from the silicon to the cloud.”
The catch is that IoT security also has to be easy to use. “Using two-factor authentication for email is a smart idea, but it does make email harder to use. Many people don't use it for that reason, and because they think they’ll never be hacked so they don’t need it.”
Anne Bouverot, CEO of ID security firm Morpho, agreed in the following keynote that security and convenience have to be balanced, and the way to do that from a consumer standpoint could be to shift from passwords to biometric solutions.
“Biometrics is one way to get security and convenience to play together,” Bouverot said, citing fingerprint-based biometrics like Apple’s TouchID.
The future of biometrics, she continued, is selfies – that is, facial recognition. “Unlike passwords, your face is not a secret, but it clearly belongs to only us, and it’s a good way to identify a person.”
(Bouverot demonstrated Morpho’s facial recognition software onstage by using it to unlock her phone, then inviting GSM Association CMO Michael O’Hara to try and unlock it. He failed to do so, even when using a printed photo of Bouverot’s face.)
Segars of ARM advised MWC delegates to put security at the forefront of their IoT plans. “My request is for everyone in this room to take security seriously. Adopt [the GSMA’s] Mobile Connect. Hire hackers to break into your stuff.”
Fundamentally it all comes down to the issue of trust, Segars said. “Without trust, the IoT will be limited in functionality and operate in silos. And consumers won’t use it.”