Haleigh Wright is the assistant to the publisher of The Data Administration Newsletter (TDAN.com).
Introduction
Recently, I attended the International Cryptography Conference, or CRYPTO 2016—one of the largest academic cryptography conferences in the world—held yearly at the University of California, Santa Barbara. It was co-located with the Conference on Cryptographic Hardware and Embedded Systems, or CHES 2016. I attended a joint keynote presentation delivered by Paul Kocher, President and Chief Scientist of Cryptography Research, a Division of Rambus, that touched on, among many other things, the very real and very pervasive problems with security in today’s data-laden world.
The ‘Barber Surgeon’ Era
In Paul Kocher’s keynote at CRYPTO 2016, he referred to the present era as the ‘barber surgeon’ era of Cryptography—a time when we expect barbers to be able to perform medical surgery. This term comes from medieval times, when doctors didn’t perform surgery, but barbers did—right along with cutting people’s hair. Kocher names this as the current state of cryptography: a time when we expect practitioners, or those implementing cryptographic techniques for practical security purposes, to accomplish a whole lot. As expected from a barber performing surgery, “practice yields many bad outcomes (and very few good).” On the other hand, theoreticians in cryptography are struggling to keep up with today’s “dire needs” because “research is too divorced from practice.” Kocher outlines a few common reasons for this divide: “theory struggles with messy reality,” the “theory isn’t applicable,” and/or “practice ignores theory.”
What do we do about this gap between theory and practice while the worlds need for real, practical security continues to grow exponentially? Kocher points out that it is only going to get worse—and has the potential to get much, much worse. I’m sure this audience can take a guess as to why: the amount of data—and, most importantly—the value that that data has is continually increasing. A lot of you may spend your time explaining to stakeholders exactly that—that their data has value, and a lot of it. It’s not simply just a matter of finding that value anymore—we need to protect it once we do.
Kocher highlights that the more value our data has, the more people will want to gain access to it. The unavoidable coming of the Internet of Things (IoT), according to Kocher, will only far exacerbate the problem of security in practice, as the number of networked devices explodes and thus so will by nature vulnerabilities. Kocher points out a number of key differences between traditional devices, such as computers and smart phones, and IoT devices. These key differences and how we address them now and in the future, Kocher says, will be of utmost importance. Continue reading for details and explanations of Kocher’s talking points.
Product Vendor Security Expertise
First, the security expertise that vendors or manufacturers of traditional electronics have is much higher than that of vendors of IoT devices. Think about it: even the most reputable software producers in the world experience data breaches and bugs in their products. Imagine a vacuum manufacturer trying to make a secure IoT vacuum cleaner that can ‘see’ (record video)—I don’t know much about the vacuum business, but this is a very, very scary thought at first consideration. Nobody expects (at least now) for IoT vendors to have access to the same security expertise we expect major vendors to have for traditional devices.
Secure Product Lifespan
The second difference that Kocher highlighted is the disparity in lifespan of products. Consumers have gotten used to replacing their computers or phones a few years after they get them, as the product inevitably becomes obsolete. However, when it comes to IoT, we’re talking about a lot longer time before the consumer is willing to replace the object. You can’t be expected to go buy a new smart car or dishwasher every time the computer inside of it becomes obsolete—it’s just not realistic.
User Attention to Security per Device
A user of a computer or cell phone knows that they are keeping valuable data on it. Whether it be private pictures or their credit card information, people are aware that others may be after that kind of data. Most people know about things like computer viruses and spyware, and many will even buy extra software to help further secure their devices. While Kocher characterized the user’s attention to security per device for traditional devices as “high-ish,” for IoT, he characterized it as “low/none.” This makes sense—who is going to buy antivirus for their IoT vacuum? People aren’t going to pay attention to the security of every single object around them that is connected to the internet.
User Tolerance for Security/Reliability Issues
When an operating system has a glitch or a failure, we don’t throw our hands up and toss the system and/or device out the window, never to be used again. Consumers understand that such complicated devices are going to have issues—and they are willing to deal with these issues for the payout they will ultimately get from continuing to use their device, or perhaps they simply don’t have the option of not using it. Kocher says that user tolerance for security/reliability issues with traditional devices is high, and their tolerance for IoT objects is very low, if it not none. Vacuums that aren’t connected to the internet work just fine, and if those that are connected continually fail, nobody will use or buy the IoT vacuum—and with good reason. If I had to wait for my vacuum to update when I turn it on in order to clean the mess I just made, I probably would say goodbye to that “smart” vacuum and head to the closet for the broom (which at that moment I would be hoping it wasn’t “smart” too).
Connected to Physical World
The biggest difference between traditional devices and IoT devices is that IoT devices are connected to not only networks, but the physical world as well. These devices can see us, hear us, touch us, smell us, and taste us, just like another living thing (well, that’s the goal, anyway). We’ve transformed from technology that we have to give deliberate directions to via some kind of keypad, to devices that can collect data from us, transmit it, and make decisions of off it at any and all times without any conscious effort on the user’s part. This vastly increases the amount of data generated about us, essentially digitizing our lives and transmitting it, and thus making it available to an attacker.
You may think, “okay, but what the heck can a smart vacuum reveal about my life that I wouldn’t want anyone knowing?” To put it in perspective, just in the past few weeks a new study was published about microphones on smartphones being able to detect when someone is depressed; over a year ago, researchers at Northwestern used smartphones’ GPS capabilities to do the same thing. I’m sure I don’t have to tell this audience, but—where there is (‘good’) data, there is value—even if we haven’t pinned down what that value is just yet. Back to the “smart” vacuum: with just a short brainstorm, I’m sure you could come up with some immediate pieces of data you would want to keep private. The first one that comes to my mind is the times during which you schedule the vacuum to run. Common sense suggests (even if it’s one of those fancy silent vacuums) that you’re likely to schedule the vacuum to run when nobody is home, so that nobody gets in its way. You may even cage up your animal if you have one, for the same reason. I’m sure you can see where I’m going; this creates an insanely crisp window for burglars. “Smart” vacuum have eyes? Attackers may then even have the ability to “look” and see if their theory is correct—or even more intelligently—check to see that the place they’re sizing up is worth the hassle before ever even getting close to it.
Number of Software Platforms
Today, we know (and hopefully) love a small number of software platforms that operate on virtually all of our traditional devices. This will all change with IoT. Tons of different “smart” objects, with varieties of each type… You get the picture. The high variance in software platforms that IoT will bring will certainly make it much more difficult to secure them or even analyze their security before they hit the market, or even at all.
On-device Security Tools
With traditional devices, Kocher qualifies the on-device security tools as ubiquitous, while on the other hand, IoT devices have usually none. Everyone expects their off-the-shelf computer to be programmed carefully enough to protect it from being a shining beacon of vulnerabilities whenever it’s connected to a network (that is, if we update it, of course). Security is built-in; we even have ad blockers built in to browsers nowadays. However, with IoT devices, it may not ever cross someone’s mind that they need security tools on their “seeing” IoT vacuum; it’s just a vacuum after all, right? Wrong. Once we link that object up to a network, it needs some kind of on-device security, just like traditional devices, to protect it. It might sound ridiculous to think that we will need some kind of ad blocker functionality on a vacuum today, but it is certain that we need to prevent our IoT devices from being high-jacked in any fashion. Because they are connected to the physical world, our personal information and data is not only at risk, but so too are our physical surroundings.
Vendors can Afford Monitoring and Patching
If (and perhaps, when) IoT becomes the law of the land, imagine a world where every manufacturer of a technological device has a constant team of developers monitoring their product line’s software platform and creating patches whenever a vulnerability is caught. Sounds like an IoT Utopia, right? Well, it probably is. The likelihood that vendors of these non-traditional connected devices will have the means to support that kind of ongoing effort is relatively low considering the large number of platforms that will soon exist to support them. It would take a lot of time, money, and many resources to keep all the devices that continue to flood the market secure—if they even started that way, which is still asking a lot in today’s world. With the small number of software platforms that exist for traditional devices, we have gotten used to these updates that help keep them presumably healthy and secure. This need will certainly demand to be supported somehow for IoT devices.
Conclusion
So we must be doomed to a 1984-like future, and we have to entirely trash the IoT idea, right?
No! According to Kocher, cryptographers (practitioners and theoreticians) need to look at the lowest common denominator in all systems, whether traditional or IoT—the hardware—for answers. But this may not be the only source of solutions.
As a current member of academia, and one who hopes to transition to industry after graduation, I agreed wholeheartedly with Kocher that the disconnect between practice and theory in cryptography is an extremely important one to close up. While both legs continue to grow, hopefully we can get them on the same body and get this Crypto-Frankenstein in action, barbershop surgery or not (except without any angry mobs)!