The Internet of Things (IoT) brings a new set of security concerns. Unlike VPN encryption, which safeguards networks through an encrypted and anonymous tunnel, IoT devices must be inbuilt with their own strong security and encryption standards. VPN allocates an isolates space on the network. However, inside the VPN space, all the network nodes can be accessed by any participant. When IoT devices are out there, a VPN has many open doors.
One London casino learned that lesson the hard way. Hackers were able to enter the casino's gamblers database. They got in through the casino’s internet-connected fish tank thermometer. The intruders managed to access the database and pull it back across the network up into the cloud through the unsecured thermostat. So, the personal and financial data of London casino high rollers escaped to the wild through an innocuous fish tank control.
And the challenge is growing. It is evident that the IoT is growing and will continue to grow in the next couple of years. There are common encryption methods in use in the IoT. In the US, unlike Europe, there is no single, national law that regulates the collection and use of personal data. Rather, US companies are regulated by a variety federal and state laws--HIPAA and FINRA, for example-- covering data breaches and unauthorized disclosure of personal information.
There are, however, IoT encryption standards. Manufacturers know that encryption must be the silver bullet to protect their products and consumers. As far as standards for the IoT, the most common encryption methods are:
1. The Data Encryption Standard (DES).
The U.S. Government National Institute of Standards and Technology (NIST) oversees this formal encryption method or DES. DES uses the same encryption key to encrypt and decrypt data. Both the sender and the receiver must have the same private key. The latter process is known as a symmetric key algorithm.
The important difference between DES and AES (described below) is that DES is less secure than AES. In fact, DES encryption is a result of a 30-year-old effort by the U.S. government to provide cryptographic security for all government communications. The goal was to achieve both cryptographic security and standardization. DES is the cornerstone of cryptography, but has since been cracked by researchers.
2. The U.S. Government Advanced Encryption Standard (AES)
AES uses a single encryption key of varying lengths. The AES algorithm concentrates on a single block of data and re-encrypts it 10 to 14 times, depending on the key length.
When using an internet connected medical device, AES meets U.S. Government requirements for HIPAA data protection. AES also meets FINRA standards for protecting financial records. AES is an efficient and elegant algorithm whose strength resides in its key length options. The longer the key length, the more exponentially difficult it is to break the encryption.
3. Triple Data Encryption Standard (DES).
This algorithm is a type of computerized cryptography where each block of data receives three passes. Additional security comes from the larger key length. Triple DES was replaced by NIST, which adopted the aforementioned AES. Triple DES is now considered obsolete, but is still used by some IoT products because of its compatibility and flexibility.
What Triple DES does well is protect against brute force attacks. Brute force is an exhaustive effort (as opposed to intellectual strategies) through repeated trial and effort. Brute force attacks use automated tools to guess various combinations until the hacker cracks the key.
4. RSA Encryption.
The initials RSA come from the last names of three founders of RSA Data Security (Rivest, Shamir, and Adelman). RSA encryption employs a public key encryption technology licensed by RSA Data Security, who also sells its accompanying development kits.
RSA encryption allows users to send encrypted information without having to previously share the code with the recipient. It is a public-key encryption, and the public key can be shared openly. However, the data can only be decrypted by another private key. Each RSA user has the common public key, but only designated recipients are privy to the private key.
5. Twofish Encryption Algorithm
Twofish is another block cipher algorithm proposed by Counterpane Labs over 20 years ago as a replacement for the AES. Twofish was a finalist for selection as the new NIST Advanced Encryption Standard, but was not selected.
Twofish uses a block ciphering system based on a single key of any length up to 256 bits. This encryption standard is efficient on computers with lower capacity processors and IoT device smart cards. Twofish appears in many of the free encryption software products like VeraCrypt.
Consumers need to be aware
How can the consumer find secure IoT devices? No one needs to be an expert in data encryption to properly secure their internet-connected devices. IoT home and business security begins with the network router and shopping for the highest quality, most secure IoT devices.
Likewise, any new IoT device introduced to the system will have default security settings, which may need to be changed immediately. This includes resetting any default passwords for network access.
Other precautions include keeping software patches up to date. Software patches typically close a vulnerable pathway into a device’s access code. Also, using two-factor authentication (2FA) is a wise security precaution. 2FA requires a secondary user authentication with a one-time additional access code sent to the user’s mobile device or email.
The internet of things is growing exponentially. It has spread from the power grid to smart refrigerators at home and at industrial levels by monitoring production line efficiency. The devices that connect to the internet must be encrypted because of the personal and business intelligence data they transmit. IoT users and security managers need to be attentive to security and to the ways encryption can both power and protect the next generation of secure networks and devices. The best protection available right now is encryption.
Algorithms and elegant mathematics notwithstanding, staying one step ahead of cyber attackers requires securing both the network through using VPN and encrypting IoT devices. Securing those devices is a matter of wise shopping, inventory management, and educating users. Never depend on manufacturer security settings. Look for products with the best reputation for security along with performance.