IoT Security + Why it Should Matter to You
Back in February 2020, before lockdown + COVID hit us here in Ontario, L-SPARK hosted the Secure IoT Challenge in partnership with Telus, Blackberry, and Queen’s University. L-SPARK’s Executive Managing Director, Leo Lax, had the privilege of chatting with Roop Mukherjee, Principal Architect for Blackberry, on Secure IoT and why it’s so important.
Welcome! We’re here at the Secure IoT Hackathon Challenge at Queen’s University.
Why was Blackberry interested in participating in this event?
Thank you, Leo.
Our interests lie in the opportunity to secure things. We are involved in this project because IoT is an area where most people aren’t paying enough attention, and an industry that is experiencing explosive growth. We feel that we can add value in securing IoT to the cloud and back.
So IoT stands for “Internet of Things”, which is ‘everything’ so to speak.
You mentioned it’s under-secured. I would have assumed making sure it’s secured would have been the first thing on people’s mind. So, what do you think it is? Are people just not paying enough attention to the security surrounding IoT?
I think the fact that it is ‘everything’ makes it harder to secure.
When we talk about securing things in your home, traditionally you would be referring to a safe; if something needed securing, you put it in the safe. That’s how most of the data on our computers has been secured as well, in a vault on our computer.
It’s easy to miss security when it comes to IoT because you don’t expect to need it for a chair, let’s say – what harm can it do to you? But when that chair is measuring your weight, or your blood pressure, and then sending that data off and up to someone – it’s a different story.
I think that’s another element that is interesting – we used to have a disconnected world. A chair was just a chair. And our vault was in a room and physically secure, and was not connected to anything.
IoT is all about making everything connected. We’ve come from a disconnected world, and we’re moving into a highly connected world. In this transition, we oftentimes forget about security.
Is that correct?
Yes! The most dangerous part that you’ve pinpointed is the connection.
The fact that I have a chair that measures all of these things, it’s still not that dangerous – it just sits there. If someone wanted that data they would have to break into my house, and there are laws in place to protect us against that. The world has changed drastically because now there are ways to gather data and send/share it with anyone.
We’ve talked a little bit about privacy. Privacy is connected to the ownership and rights of data.
Does technology play a role in the protection of that privacy?
Yes, we do!
Until we’re actually faced with a situation where our private information is somehow recycled back to us, and we have a man in the mirror kind of moment, we won’t get it.
The companies that have built their business around using our data have done a great job of not letting that come face-to-face with us.
Can you explain that?
So, for example, Google and Facebook are all collecting our data, but when they advertise to us you get a sense of how much they know about you but it’s not to the point that makes you anxious – yet.
Let’s say the chair that measures your blood pressure tries to sell you blood pressure medication without your doctor knowing, that might freak you out a little bit. I know it would freak me out a little bit.
They have done a good job of hiding this.
Another thing to note is that a lot of the time the companies that are collecting this data are very strong security companies as well. They know their business depends upon maintaining the security of this customer data.
Now with IoT, a lot of companies are putting this data out there, and a lot of desperate companies, with varying degrees of security consciousness, are collecting and using this data. Therefore, a lot of other companies are becoming aware of this data, without having enough user security in mind, and that’s where the need for security comes into play.
We live in a world that is transforming everything into a connected environment. Data has now become pervasive, and is available somehow in this connected environment.
If the data that was being collected was being collected and used only by the person or company originating this data – security wouldn’t be as necessary.
What you’re saying is that because this data exists and is actually being used by third party companies or groups, who were not originally involved in the data process or collection, you have to make sure there is security in place to revoke or engage that right.
The chair is mine, and my blood pressure is mine.
Let’s make sure that the user has control over it – how do you expose this to the user to make informed decisions?
An important concept is Privacy by Default: your data should not be able to go anywhere else unless the user takes it upon themselves to share it.
One of the principles of security is making sure the device is not open to be tampered with. It keeps the information and credentials secure and lets the user know they are connecting to someone they can trust, and that’s the building block of a lot of the things we’ve been talking about.
At a fundamental level you need those things.
What you’re saying is, I want to be able to have a chain of trust and I want to be in control of where the chain comes from or who is the originator of that chain.
This has been a very informative discussion, and thank you for sharing your knowledge surrounding secure IoT!
Thank you to you and Blackberry for participating in the Secure IoT Challenge with us here at Queen’s University.
Until next time!