“You can draw a parallel at almost every level between a smart meter and a set-top box.” So says Steve Christian, SVP of Marketing at video revenue security firm Verimatrix, describing the security issues bedevilling the ‘smart home’ and – at a wider level – the Internet of Things (IoT) itself.
Christian offers a rich tapestry of ‘IoT’ security breaches ranging from the Samsung smart fridge and Vizio smart TV with insecure implementations of SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser; through to the Wi-Fi routers and Internet-connected baby monitors incorporating vulnerable management ‘backdoors’ giving access to networks from outside; and on to POS (Point-of-Sale) terminals that expose customer credit card information or cars whose controls can be hacked through weakly-protected Internet-connected entertainment systems.
Indeed, a forthcoming research report commissioned by Verimatrix from ABI Research concludes that “Security in IoT products and services cannot be ignored any longer. […] In the pantheon of device types that comprise IoT, no one category is immune from malware threats and security issues. […] Most importantly, the opportunities for malware attacks and disruptions will only increase as the IoT connections expand from the 10s of billions to the 100s of billions and even trillions.”
How to address such an all-encompassing security challenge? Back to Christian’s analogy of the ‘smart-meter-as-STB’. “Although some people may roll their eyes at this kind of assertion, there are a lot of things they have in common, if you think about it in the right way. The first one being the integrity of the end-point device. Is it running software that’s not been perverted in some way? Can you update that software in a secure fashion? Is the software that is running on that device tied in in some way to a hardware root of trust in the SOC, or something like that? Is the communication path from that device secured in a way that prevents you from snooping and/or intercepting and perverting the data?”
It is the latter element that ABI Research’s report indicates poses the highest security risks today. “For both IoT suppliers and end-users, overwhelmingly the “IoT plumbing”—from edge device through to the cloud—is where the connected solution is considered the most vulnerable,” the report declares.
In many cases, the horse has already bolted, says Christian. “A rush to get things to market without proper attention to these kinds of things has left a large number of questions unanswered, I would say, and certainly a lot of vulnerabilities that can never be fixed – because secure update is one of the fundamental foundations that you need to talk about in the systems: if you haven’t paid enough attention to security in the first instance, then you are unable to update things once they’ve been fielded.”
It’s not just that some IoT end-point devices are intrinsically non-updateable, notes Christian, but “who is responsible for updating them? Because since it’s a dynamic industry, the original vendor may not have adequately thought about who is responsible long-term for providing updates – or they may even be out of business.”
Such arguments will be all too familiar to anyone acquainted with the security issues that afflicted the OTT video delivery sector at its inception, particularly with respect to the provision of premium video over the Internet to ‘un-controlled’ devices acquired at retail, such as tablets and smartphones.
It is no surprise, then, that Christian believes connected video security specialists such as Verimatrix are particularly well-equipped to advise and support companies that want to operate in the IoT space, for instance the energy utilities.
“There are businesses associated with, say, the delivery of gas that are somewhat parallel to the ones that are associated with the delivery of video,” asserts Christian. “Although it sounds strange, that really is the case. […]
We believe that we can offer [such companies] three things,” says Christian. “A proven infrastructure for deployment of secure solutions; a developed partner eco-system; and a focus on security from a technology and service standpoint.”
Christian says the penny dropped when he was attending an IoT conference and heard a manufacturer of air compression equipment state that the opportunity for his company was not so much to sell a big compressor at a capital cost but to sell compressed air as a service.
“What I realised when I made the connection was that if you were selling compressed air as a service, charging by volume or something like that, and you had no ability to enforce payment for the service, by shutting off or controlling the delivery of that compressed air, you wouldn’t have a very sound business model,” relates Christian. “You need both integrity in the measurement process but also the ability to cut off service in the event of a default of payment or other breach of contract. So it’s a very positive thing to be able to have security, for very much the reason that exists in the video world, which is enforcement of payment.”
What Christian appears to be saying is not only that it is in the nature of the IoT to create new business models that are service- rather than product-based, because the IP-based IoT grid enables persistent management and control of connected devices; but also that this is a value-added feature that can be monetised, and one where the resulting revenue stream can be secured by what is, in effect, a conditional access system by any other name.
