
Is authentication alone to be trusted?

By Richard.Leadbetter posted Sep 27, 2018 06:33 AM

  

Yesterday evening, I answered a knock at my door expecting it to be my next-door neighbour, to collect one of the many Amazon deliveries that litter my hallway.

 

Unfortunately it was not to be; instead, it was a potential door-to-door distraction burglar - albeit one with a strangely believable story.  “Hello there, may I shake your hand, I’ve been a bad person in the past, I’ve been in jail, now I’m trying to make an honest living, can you help, here’s some ID, can I come in…and will you just buy a dishcloth?”

 

Let’s run through that again…you’ve got some ID to back up the fact that you’re not really to be trusted, and you wish to sell me something at vastly inflated prices that no marketing team would ever suggest I would want in the first place.   Yes, of course, come on in, you’re welcome.   Maybe I’m cynical…but all I was thinking, aside from please leave my doorstep, was “headless device”. 

 

I hesitate to use the term IoT – as that’s frankly giving a lot of kudos to a lot of dumb devices – but my awkward doorstep moment is exactly the same way in which we’re in the main dealing with IoT today.   We’re authenticating the devices based on flimsy evidential proof – if any – and then giving them free range to case the joint!  This is not going to work in the long term…it’s going to end badly.

 

So, imagine the scene when former criminals arrive at your home but are actually selling something you want and need – an automated ironing solution for example.  How would you enable this transaction to take place without risking home security? 

 

Let’s start with Authentication – for what it’s worth in this scenario, I can at least take the ID and grab a fingerprint for later.  The key thing is going to be Authorization – I will take your magic ironing solution, but you’re not coming in the house to conduct this business.  To provide further assurance and Accounting I will have CCTV to record the transaction – as well as to watch your behaviour as you leave the driveway.  

 

You wouldn’t transact any other way…so why treat IoT devices any differently when they connect to your network?  

 

For more reading, check out this CSO Online article.
