Is Smart Really Secure? How to Strengthen IoT Security with Encryption
Living in a “smart” world means that there is a rapidly growing network of connected devices that collect and share data. Thanks to the Internet of Things (IoT), smart devices such as thermostats, fitness wearables and even refrigerators are all around. In fact, Gartner expects over 20 billion IoT units to be installed by 2020. This represents a significant business opportunity for manufacturers.
As a result of the expanding IoT market, manufacturers around the world are competing to develop the latest device and put it in consumers’ hands. The IoT is what makes real-time interaction possible between objects, regardless of physical distance. For example, you can turn the AC up in your house while you’re on the other side of the country waiting for your flight home from a business trip, or you can receive health data straight to your phone about the workout you just completed.
Data is what enables these interactions to occur, so one would think that data security and privacy are top concerns for IoT manufacturers and users. But this wave of new smart gadgets comes with a cost: the rapid speed of product development does not always allow enough time for security considerations. And with so much data flowing in and out of all of these IoT devices, there is a significant opportunity for data to end up in the wrong hands.
The Challenge with IoT Security: Lack of Encryption
Given the millions of data points used in connected devices, investment in securing IoT infrastructure and networks should be a top priority for manufacturers, but in reality that is not the case. Instead, data security and privacy are the largest issues in today’s smart world.
Data is constantly being transmitted, processed and stored by organizations and individuals alike using a variety of IoT devices, from smart TVs to Wi-Fi-enabled cars and everything in between. The data originates from the device, then travels to the cloud. From there, data is used to develop analytics which are then delivered to a variety of users. What’s concerning is that this data is often sent without any encryption, putting it at risk for exposure, theft or breach. To illustrate this, consider these common IoT applications:
- Home Security: If you have a video security device at your front door, it is utilizing the IoT to send snapshots of any individual who rings your doorbell straight to the app on your smartphone. If your home security device does not encrypt this data, a third party (such as the police) could gain access to your “visitor log” without you even knowing by going straight to the device manufacturer. With encryption under keys that the manufacturer does not hold, the snapshots/videos would be inaccessible to the manufacturer and therefore to all unauthorized third parties, too, ultimately putting control over this sensitive data in your hands.
- Wearable Fitness Devices: Wearable technology—such as smartwatches or fitness trackers—is one of the best-known applications of the IoT. These gadgets collect large amounts of data from the user including heart rate, blood pressure, blood oxygen levels and more. This data has proven valuable to the healthcare industry because it can be used in the prevention of diseases and illness, and for general research. Despite these benefits to the healthcare industry and to users, many fitness devices also come with a significant lack of user data security and privacy. If these devices utilized encryption, manufacturers could ensure that the user data is only accessible for authorized users. With data-centric encryption, if you don’t want someone to be able to track your running route but you’re okay with the manufacturer knowing how many miles you ran, you can control that.
- GPS Trackers: Keeping tabs on the whereabouts of your children, pets or even seniors is made possible by the IoT. GPS trackers that send the exact location coordinates back to your connected device give you peace of mind over the safety of your loved ones. But a major security flaw was found earlier this month in 600,000 such devices: data was being sent unencrypted from the devices to the cloud. That meant that these devices were an easy target for hackers who were able to see the location of your child or loved one at all times. Had encryption been layered into these devices’ security from the start, device owners would be able to control who has access to their loved ones’ location data.
From a privacy standpoint, these examples are alarming because individuals’ data is shared between, and often sold to, various organizations without the user’s knowledge. To account for those organizations whose business it is to sell or analyze data generated by IoT devices, privacy rules and regulations are needed to anonymize sensitive data that can personally identify individuals. As more privacy regulations, such as the California Consumer Privacy Act (CCPA), are being introduced, IoT manufacturers should consider encryption as a way to not only maintain data privacy, but also to help future-proof their business and meet regulatory standards.
For ultimate security, each data point must be protected with data-centric encryption and privacy controls that travel with the data from the moment it is created by the IoT device. Encryption protects and isolates data between users, companies and third parties with access to the data. Encryption also helps organizations build trust with users when it comes to sharing sensitive information with the right people.
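The fitness-tracker case above (route private, mileage shared) as an added example; it is not Virtru SDK code and does not come from the original article. The function names, the policy format and the two-key split are assumptions made for illustration, built on Node.js's own AES-256-GCM.

```javascript
// Added illustration, not Virtru SDK code. All names here are hypothetical.
const crypto = require("node:crypto");

// Encrypt one field under its own key. The field name and policy go in as AAD,
// so they are authenticated with the ciphertext and cannot be swapped later.
function sealField(key, name, value, policy) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(JSON.stringify({ name, policy })));
  const ct = Buffer.concat([c.update(JSON.stringify(value), "utf8"), c.final()]);
  return { name, policy, iv: iv.toString("base64"), ct: ct.toString("base64"),
           tag: c.getAuthTag().toString("base64") };
}

// Returns the value, or null when the key is wrong or the ciphertext or
// policy was altered (the GCM tag check fails in final()).
function openField(key, f) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(f.iv, "base64"));
    d.setAAD(Buffer.from(JSON.stringify({ name: f.name, policy: f.policy })));
    d.setAuthTag(Buffer.from(f.tag, "base64"));
    const pt = Buffer.concat([d.update(Buffer.from(f.ct, "base64")), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch { return null; }
}

// Constructed sample: one workout record from a fitness tracker.
const workout = { miles: 5.2, route: [[38.9072, -77.0369], [38.9101, -77.0412]] };

// Assumed key split: sharedKey is provisioned to the manufacturer,
// ownerKey exists only on the device and the owner's phone.
const sharedKey = crypto.randomBytes(32);
const ownerKey = crypto.randomBytes(32);

// What the device uploads: each field is sealed before it leaves the device.
function sealWorkout(w) {
  return [
    sealField(sharedKey, "miles", w.miles, { readers: ["owner", "manufacturer"] }),
    sealField(ownerKey, "route", w.route, { readers: ["owner"] }),
  ];
}

// What a party holding `keys` (field name -> key) can recover from an upload.
function viewAs(keys, upload) {
  const out = {};
  for (const f of upload) out[f.name] = keys[f.name] ? openField(keys[f.name], f) : null;
  return out;
}

console.log(viewAs({ miles: sharedKey }, sealWorkout(workout))); // manufacturer's view
```

The policy object in this sketch is only authenticated, not enforced: who can read a field is decided by who holds its key, which is why key distribution and revocation carry the real weight in a data-centric design.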
Using Encryption to Power IoT Innovation
Moving forward, organizations must prioritize ways in which IoT encryption can securely power the next generation of devices. As research suggests, the single largest threat to the future of IoT is a lack of data protection. Fortunately, there is a solution. With data-centric encryption, IoT data is secured from the moment it is created, regardless of where it is shared.
In order to succeed in the future as the IoT market becomes even more competitive—and as privacy regulations tighten—solutions providers must ensure better data protection with data-centric security. But, for small companies with limited budgets and resources, the secure development of mobile app or web-ready IoT applications can be quite difficult.
To maintain a rapid pace of innovation while ensuring new IoT developments are secure, solutions providers can lean on Virtru’s SDK to embed data protection into their application, without any cryptographic expertise required. Protecting your data with industry-tested persistent encryption and key management is now possible with the Virtru Data Protection Platform embedded in your IoT applications. Relevant core capabilities include:
- Dynamic access controls enforce data security and privacy policies as they evolve over time or in response to a lost device.
- Audit controls track data events at the object level.
- Low-latency encryption does not slow down the workflow or data streams.
Learn how you can empower your engineering team to secure IoT data from breaches and future-proof it against changing compliance requirements. Explore the Virtru Developer Hub.