A few years back, I was tasked to develop the security documentation of an IoT alliance, and a little later, I contributed to the security specifications of the standardisation body ETSI machine to machine. I had some intriguing and unexpected insights while developing this documentation. As you know, security between two devices is established by encrypting the data packets, where the specific encryption key is agreed beforehand by both sides through an exchange of keys. The entire process of handling this exchange of keys is often referred to as key management.
Now, before I started the security work, I was convinced that the real problem with securing IoT is the actual process of encryption, that is, having a very sound framework for encrypting the IoT data packets. What I found out, however, was that the actual encryption methods were already really good. The problem was rather the key management. And since key management involves complex systems and often humans, this becomes the weakest link in the IoT ecosystem. For example, while very strong security was available on the smart metering radios I dealt with back then, the default security configuration was set to zero, that is, no encryption. The argument was that it would enable quick testing of the solution during deployment.
In reality, field engineers often forgot to change this setting on all smart meters to full security, which in turn left the entire network very vulnerable. The human in the loop proved to be the actual security problem, something standards and security manuals should definitely cater for.
Mischa shares his experiences with security and privacy in the Internet of Things. Mischa again shares more of his experience in Week 4.
© King’s College London