The good thing about standards is that there are so many to choose from.
IoT is still very immature, and there is not even a consensus on what it means. It covers many different technologies: the new entrants such as wearables and connected household appliances, but also the very mature technologies in M2M.
So there might not be one way of doing secure IoT. Different products and implementations require different setups, but there are some common requirements that need to be addressed from the start:
- Product life cycles. How do you cope with security patches? Remote updates? Product end of life? (Think of Windows XP, which is still in use even though it is no longer supported.)
- Communication over public networks. Things will sleep to save battery, so communication will be bursty and asynchronous. The security technologies in normal use today are built for sessions and synchronous communication. IoT devices will also be "thin" to keep them cheap; encryption can be quite heavy on such processors, but it must still be implemented to get a secure link.
- Communication over varying connections. A connected car will jump between networks (4G, 3G, GPRS, public WiFi, etc.), and it will lose its connection in radio shadow. And what about roaming?
- Simplicity. How many routers and firewalls out there are still using the default password "password"? The vast number of ordinary users will need automatic configuration and security. Remember the blinking 00:00 on the VCR? The suppliers of apps, systems and devices have to figure out how to protect the user without putting any requirement or blame on them. You also have to provide simple but secure authentication mechanisms for all the people, systems and products accessing the device, without complicated setups.
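As an added illustration of the second point, sessionless communication for devices that sleep and then send a burst, here is a small receiver that authenticates each message on its own and rejects replays without any handshake or session state. This is example code written for this post, not the author's; the message layout (device id, 64-bit counter, payload, truncated HMAC-SHA256 tag), the per-device pre-shared key and the 64-message replay window are assumptions chosen here.

```python
import hmac
import hashlib
import struct

# Constructed message layout for this example (an assumption, not a standard):
#   device_id (4 bytes) | counter (8 bytes, big-endian) | payload | tag (16 bytes)
# The tag is a truncated HMAC-SHA256 over everything before it, keyed with a
# per-device key. There is no session and no handshake: every message is
# self-contained, so a device can wake, send one message and go back to sleep.
TAG_LEN = 16
HEADER_LEN = 12

def build_message(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: counter must strictly increase across wake-ups."""
    header = struct.pack(">IQ", device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Server side: keeps only a key and a sliding replay window per device."""
    WINDOW = 64  # how far out of order a late message may arrive

    def __init__(self, keys):
        self.keys = keys   # device_id -> pre-shared key
        self.state = {}    # device_id -> (highest counter seen, bitmask of seen counters)

    def accept(self, msg: bytes):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(msg) < HEADER_LEN + TAG_LEN:
            return None
        device_id, counter = struct.unpack(">IQ", msg[:HEADER_LEN])
        key = self.keys.get(device_id)
        if key is None:
            return None                      # unknown device
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # tampered, or wrong key
        highest, seen = self.state.get(device_id, (-1, 0))
        if counter > highest:                # newest so far: slide the window
            shift = counter - highest
            seen = ((seen << shift) & ((1 << self.WINDOW) - 1)) | 1
            self.state[device_id] = (counter, seen)
        else:                                # late message: check the window
            diff = highest - counter
            if diff >= self.WINDOW or (seen >> diff) & 1:
                return None                  # too old, or already accepted (replay)
            self.state[device_id] = (highest, seen | (1 << diff))
        return body[HEADER_LEN:]
```

This covers authentication and replay protection only; in a real deployment the payload would also be encrypted, for example with an AEAD cipher, which this example leaves out.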