Billions of online gadgets are expected in the future, and with them gigantic amounts of information that must not get loose. The internet of things requires control over both the identities of the devices and the information in them.
The ground rule is that the provider of a service is responsible for the information and the identity of an online device. It is not the user’s responsibility if the device gets hacked. A good example is the home alarm. Usually, the customer subscribes to a service where the surveillance company installs the alarm equipment, and the surveillance company is responsible for making sure that no one can hack their way into it. Problems arise when the customer installs an alarm and then purchases a separate service to monitor it.
“There can be deficiencies in the technology that open up for intrusion. From the customer’s perspective, it is more attractive to purchase a service where technology is included, in that the provider has the responsibility for the overall picture,” says Stefan Sundh, solution architect at Nexus.
The EU’s new data storage directive increases the demands on those who offer digital services. Whoever stores data must be able to account for what type of data is being stored and what the purpose of the storage is, and must ensure that the information can be deleted upon request. The service provider must also be able to secure the identities so that no unauthorized person can gain access to the information and alter or steal it. This puts additional pressure on the service providers of online gadgets to monitor the devices and reduce the risk of intrusion.
“The one who saves the information is responsible for how this is safeguarded and protected, essentially,” says Stefan Sundh.
According to Stefan Sundh, succeeding with this requires working with the open standards that exist for secure communication and identification between online devices, systems, and services. That way, interoperability between various products and providers can be safeguarded. Open standards also give a good picture of how the security is constructed, which means, for example, that it becomes easier to develop security solutions further on top of those from other providers that use open standards.
The classic security advice is to keep software patched, that is, updated to the latest versions that lack known security holes. This can be difficult to follow. The problem is that the software in many devices is not made to be updated: updating it would require physically opening the device and connecting to it. For the most part, this is impractical and economically impossible.
“Basically this is a system deficiency from the very beginning. You have to think right from the outset – can the software in the online gadgets you buy be patched? Professional buyers need to have that on their list of requirements,” says Stefan Sundh.
Then there is the management of the life cycle: an online device needs a procedure for easily revoking or renewing identities. Recently, it was revealed that only a few encryption keys have been used for all digital car keys in the automobile industry. This means that if one encryption key goes astray, millions of cars may be at risk of intrusion.
“This is impossible for the end customer to know anything about. Here it is crucial that the one who is offering online gadgets has thought this through,” says Stefan Sundh.
Ericsson has predicted that we are going to have 50 billion online gadgets by the year 2019. Others, such as the technology research and advisory company Gartner, are more cautious and predict about 20 billion online gadgets by the year 2020.