With the furor over fake news, where the truth is massaged for commercial or political gain, the focus has gone off fake data—which can have a lot more perilous consequences.
Imagine for a moment that you have an insulin pump embedded into your body. It is equipped with wireless connectivity, remote monitoring, and near-field communication technology. It is, in fact, an Internet of Things (IoT) device. Because the device is accessible by your health professionals, its security could be vulnerable to attack.
It might sound like a Cold War spy novel, but someone could hack into your device and give you a fatal dose of insulin. Hackers could even enter fake insulin level data to trigger the overdose. This frightening scenario is just one example of how IoT devices present challenges to manufacturers and users alike.
Fake data arises from unchecked IoT devices, and the security of these is increasingly being questioned. There are even reports that devices have been hacked into and added to botnets that carry out malicious attacks. Because IoT devices generally have a weak infrastructure, they are easy targets, and the sensitive data they often contain makes them even more enticing to hackers.
There are basically two scenarios to consider. In one, the hacker gains access to the device and compromises the software of the sensor itself, so the readings become unreliable. In another, the hacker compromises the communications device and alters data that flows from the device to the decision point.
While currently most of the focus is on the latter cases, pushing developers to increase security and data encryption of communications devices, the former still seems grossly neglected.
This can be a problem, as we already have seen that device software might be the more successful route for hackers. The first time the implications of fake data came about was with the Stuxnet worm that targeted Iran’s nuclear facilities. That was back in 2010, when hardly anyone had heard of IoT.
When we consider the scope and scale of IoT devices today, it becomes even more frightening. Just recently, a teddy bear “leaked” private messages and email addresses through a hacking network where the data was held for “ransom.”
As demand for many devices is cost-sensitive, devices are often built with little security. Plus, many companies tend to downplay future-proofing; what might be declared safe now could be unsafe in the future.
In IoT, we are at the brink of an era where devices will be participants in financial transactions. To cite an overused scenario, what if you have a smart washing machine that has detergent cartridges built in? When the cartridge is nearly empty, it would be logical for the smart machine to automatically order more detergent from the manufacturer.
But what if a daring detergent competitor hacked your machine and reinstructed the sensor in such a way that you ended up with a truck-load of detergent, all charged to your credit card? What if the competitor not only did that with your washing machine, but with all the other machines out there? Imagine the economic impact on the vendor.
There are specialists arguing that security issues will be the reason IoT will fail. My view is that the most promising new technology on the block that could solve the issues of device integrity is blockchain—pun intended. As blockchain was orginally designed for data integrity, why not use it for device integrity?
By sealing your sensor software with a cryptographic hash and by placing this hash in the blockchain, you could test at any moment whether a device’s integrity has been compromised. Simply do a checksum and compare the result with the outcome stored on the blockchain. It is just a matter of time before we will see the first security solutions based on blockchain hitting the market mainstream.
Let’s be clear: There are still some serious issues with blockchain to be solved. In that sense, it is like the 1990s when the internet appeared in our lives; we had quite number of protocols such as Gopher before the Hypertext Transfer Protocol became the standard. Similar to the internet, which started out so slowly, we will see some very fast movement in this area once the industry agrees on a standard.
While fake news might thrill some people, fake data can take down an electricity grid, a stock exchange, your organization, or, even worse, your life. It has to go.
Bart Schouw is IoT solutions director at Software AG. Based in the Netherlands, he has nearly 20 years of experience in IT in all areas.