February 02, 2018

Why the IoT Requires Secure Updates & Data Erasing

By Special Guest
Thomas Rayas, SVP, marketing and customer success, FutureDial.

If the tech enthusiasts are right, everyone we know will have toasters and light bulbs with internet functionalities soon. And with all of these connected devices there’s going to be a flood of applications and services that support them.

A majority of Internet of vendors will create these services based on the notion that machine-to-machine devices are just an extension of mobile and therefore can be supported as such. But that’s not the case.

After the initial euphoria over IoT has passed, the reality of the market is rapidly sinking in among investors, marketers, and designers. The underlying technologies and ecosystem designed to support the elusive IoT market remains too immature to reap profits for many corporations and investors. In fact, anecdotal evidence shows that anyone pitching a startup in the IoT space faces knee-jerk skepticism from the investment community. In short, IoT backlash has begun. 

In this piece I’m going to share my predictions around the bigger challenges facing IoT builders and designers; support for secure in-field updating and data erasing of connected devices.

Of the services that deal with updating and maintenance on connected devices, two major necessities stand out. First, how enhancements like security/software upgrades are sent to the connected devices while in-field. And second, how we clear the highly sensitive data off of an IoT device before it exchanges hands.

In-Field Updates
Connecting embedded devices to the internet is hardly trivial. But an even harder-to-solve problem follows once these devices are deployed. IoT devices need firmware over-the-air and in-field software updates. And these must be done quickly and securely. This means that vulnerabilities have to be patched in hours, not weeks, delivering features to customers whenever and wherever they are in need, and offering consistency and reliability to large fleets of connected devices.

Traditional FOTA update approaches, such as what is done for mobile devices, are simply not enough when billions of connected devices are performing increasingly complex tasks. As an example, we can take the industrial IoT market, where we can’t afford to ignore the vulnerability of connected devices. In a smart factory, for example, a manufacturer needs to handle a big volume of data and deal with unpredictability in day-to-day operations. Can the company program the necessary changes and provision devices – when needed – as quickly as possible? After all, knowing the real-time status on the manufacturing floor is what makes the connected factory smart.

IoT application developers have to constantly worry about making specific IoT hardware work while keeping their applications up to date. If such an effort needs to be made for an individual IoT purpose, the process involves setting up an operating system, establishing a secure local network, configuring some means of recording and viewing logs, and providing some means of shipping new versions of code to devices in the field. All of this needs to be done in a secure and timely manner to protect and support the user properly.

IoT Device Clearing
The second challenge facing IoT is connected device clearing. Typically, we expect that IoT devices would be as easy to clear as the personal laptops or mobile devices that they are paired with. But IoT goes beyond personal devices like Fitbits, lightbulbs, Red Bull refrigerators, and medical implants. We also need to think about IoT for the home, auto, factory, office, smart grid, and agricultural communities, where pressing privacy and security issues exist.

One industry that we can use as an example is motor manufacturing. Automakers are increasingly launching models that sport internet-enabled infotainment systems and hubs, and driverless cars aren't far behind. But while the connected car industry is booming, the road ahead is far from smooth.

The National Highway Traffic Safety Administration has created an automated vehicles policy that outlines only cursory guidance for protecting consumer data. The agency directs companies to model their practices after a 2014 set of generic privacy principles released by automakers. While this was an important first step, we believe that technology can be developed to assist in the secure and simple (cost-effective) clearing of personal data that resides on connected cars following a sale or rental return.

Historically, used car buying between consumers was a risk to the buyer. But since the age of the internet, a buyer can now research and find the value and history of a car before buying it. Add to that the data from a car that’s been connected to a user mobile and/or Bluetooth, and the subsequent auto owner could potentially access the previous driver’s route history, phonebook data, calling lists, recent messages, and even musical choices. Now the seller is the one at risk – and it’s a huge risk.

Even if the original owners delete their phone from the list of paired devices, there's a possibility that this sensitive information remains in the car due to the small amount of embedded flash memory required for pairing a car to a device.

The potential for IoT is growing by the minute, but unless we can put proper processes in place that support and protect the consumer, we are potentially putting all IoT users at risk.

About the author: Thomas Rayas is senior vice president of marketing and customer success for FutureDial (www.futuredial.com).

Edited by Ken Briodagh

Back to Homepage
Comments powered by Disqus