物联网(物联网)多年来一直是一个行业流行语, but sluggish development and limited commercialization have led some industry watchers to start calling it the “Internet of NoThings”.
Double puns aside, 物联网 development is in trouble. 除了产生不适合大多数社交场合的极客笑话, the hype did not help; and, 事实上, 我认为它实际上弊大于利. There are a few problems with 物联网, but all the positive coverage and baseless hype are one we could do without. 吸引更多关注的好处很明显:更多投资, 更多风险投资, 更多的消费者兴趣.
然而, these come with an added level of scrutiny, 这使得许多缺点痛苦地显现出来. 在几年的乐观预测和重大承诺之后, 物联网 security seems to be the biggest concern. 2015年的头几周,这个新兴行业并不乐观, 大多数负面新闻都围绕着安全问题.
这合理吗?? Was it just “fear, uncertainty and doubt” (FUD), brought about by years of hype? It was a bit of both; although some issues may have been overblown, 这些问题是非常现实的, 事实上.
Many commentators described 2015 as “the year of 物联网,” but so far, it has been a year of bad press. Granted, there are still ten months to go, but negative reports keep piling on. Security firm Kaspersky recently ran a damning critique of 物联网 security challenges, with an unflattering headline, “互联网上的垃圾”.
Kaspersky is no stranger to 物联网 criticism and controversy; the firm has been sounding alarm bells for a while, backing them up with examples of hacked smart homes, carwashes and even police surveillance systems. 黑客是否想免费洗他们的车, or stalk someone using their fitness tracker – 物联网 security flaws could make it possible.
风河于2015年1月发布了《欧博体育app下载》, 报告以发人深省的介绍开始. 题为 搜索ing For The Silver Bullet, it summarizes the problem in just three paragraphs, which I will condense into a few points:
然而, there is some good news; the knowledge and experience are already here, 但它们必须适应物联网设备的独特限制.
Unfortunately, this is where we as 系统安全开发人员 stumble upon another problem, a hardware problem.
U.S. Federal Trade Commission chairwoman, 伊迪丝·拉米雷斯, 今年早些时候在拉斯维加斯举行的消费电子展上发表了讲话, 警告将传感器嵌入日常设备, and letting them record what we do, could pose a massive security risk.
拉米雷斯概述 three key challenges for the future of 物联网:
She urged companies to enhance privacy and built secure 物联网 devices by adopting a security-focused approach, reducing the amount of data collected by 物联网 devices, and increasing transparency and providing consumers with a choice to opt-out of data collection.
Ramirez went on to say that developers of 物联网 devices have not spent time thinking about how to secure their devices and services from cyberattacks.
“The small size and limited processing power of many connected devices could inhibit encryption and other robust security measures,拉米雷斯说. 此外,一些联网设备成本低,而且基本上是一次性的. 如果在该类型设备上发现漏洞, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers.”
While Ramirez is spot on in most respects, I should note that the Internet went through a similar phase two decades ago. There were a lot of security concerns, 90年代出现了互联网传播的恶意软件, DDoS攻击, sophisticated phishing and more. 尽管好莱坞在一些电影中描绘了一个反乌托邦的未来, we have ended up with kittens on social networks and a high-profile security breach here and there.
The Internet is still not secure, so we can’t expect 物联网 to be secure, 要么. 然而, 安全形势不断发展,迎接新挑战, 我们以前见过, 我们会再看一遍, with 物联网 and subsequent connected technologies.
Some of you will be thinking that the hardware issues mentioned by the FTC boss will be addressed; yes, 他们中的一些人可能会.
随着物联网市场的增长, 我们将看到更多的投资, 随着硬件的成熟, we will get improved security. Chipmakers like Intel and ARM will be keen to offer better security with each new generation, since security could be a market differentiator, 让他们获得更多的设计胜利,获得更大的市场份额.
技术 always advances, so why not? New manufacturing processes generally result in faster and more efficient processors, 迟早有一天, 差距将会缩小, thus providing developers with enough processing power to implement better security features. 然而,我不确定这是一个现实的场景.
First of all 物联网 chips won’t be big money-makers since they are tiny and usually based on outdated architectures. 例如, 第一代英特尔Edison平台基于Quark处理器, which essentially use the same CPU instruction set and much of the design of the ancient Pentium P54C. 然而, the next-generation Edison microcomputer is based on a much faster processor, based on Atom Silvermont cores, which is in many Windows and Android tablets, 今天. (Intel shipped ~46m Bay Trail SoCs in 2014.)
从表面上看, we could end up with relatively modern 64-bit x86 CPU cores in 物联网 devices, 但价格不菲, 它们仍然会比最小的ARM内核复杂得多, and therefore will need more battery power.
Cheap and disposable wearables, which appear to be the FTC’s biggest concern, won’t be powered by such chips, 至少, 短期内不会. Consumers may end up with more powerful processors, such as Intel Atoms or ARMv8 chips, 在一些智能产品中, 比如带有触摸屏的智能冰箱或洗衣机, but they are impractical for disposable devices with no displays and with limited battery capacity.
销售完整平台, or reference designs for various 物联网 devices, could help chipmakers generate more revenue, 同时引入更多的标准化和安全性. The last thing the industry needs is more unstandardized devices and more fragmentation. This may sound like a logical and sound approach, since developers would end up with fewer platforms and more resources would be allocated for security, 然而, 安全漏洞也会影响到更多的设备.
一个 of the most common ways of tackling any problem in the tech industry is to simply throw money at it. So, let’s see where we stand right now in terms of funding rather than technology.
According to research firms IDC and Gartner, 物联网 will grow to such an extent that it will transform the data centre industry by the end of the decade. Gartner expects the 物联网 market will have 26 billion installed units by 2020, creating huge opportunities for all parties, from data centres and hardware makers, 开发者和设计师. IDC also expects the 物联网 industry to end up with “billions of devices and trillions of dollars” by the end of the decade.
Gartner’s latest 物联网 market forecast published in May 2014 also includes a list of potential challenges, some of which I’ve already covered:
All these points (and more) must be addressed sooner or later, often at a substantial cost. We are no longer talking about tiny 物联网 chips and cheap toys based on such chips, 这是基础设施. This is a lot of silicon in server CPUs, expensive DDR4 ECC RAM and even bigger SSDs, all housed in expensive servers, 在更大的数据中心.
That’s just the tip of the iceberg; industry must tackle bandwidth concerns, data management and privacy policies, 和安全. So how much money does that leave for security, which is on top of Gartner’s list of 物联网 challenges?
很多 of money is already pouring into the industry, VCs are getting on board and the pace of investment appears to be picking up. There were also a number of acquisitions, often involving big players like Google, Qualcomm, 三星, 金雅拓, 英特尔和其他公司. There is a list of 物联网-related investments on Postscapes. The trouble with many of these investments, especially those coming from VCs, is that they tend to focus on “shiny” things, devices that can be marketed soon, with a potentially spectacular ROI. 这些投资对安全或基础设施没有太大帮助, which would basically have to trail 物联网 demand.
Big players will have to do the heavy lifting, not VC-backed startups and toymakers. Agile and innovative startups will certainly play a big role by boosting adoption and creating demand, 但他们不能做所有的事情.
我们这样想, even a small company can build a car, 或者数以万计的汽车, 但它不能修建高速公路, 道路, petrol stations and refineries. That same small company can build a safe vehicle using off-the-shelf technology to meet basic road safety standards, but it couldn’t build a Segway-like vehicle that would meet the same safety standards, 其他人也不能. 汽车安全标准永远不适用于这类车辆, we don’t see people commuting to work on Segways, so we cannot expect the traditional tech security standard to apply to underpowered 物联网 devices, 要么.
Having commuters checking their email or playing Candy Crush while riding their Segways through rush hour traffic does not sound very safe, 它? So why should we expect 物联网 devices to be as safe as other connected devices, 拥有更强大的硬件和成熟的操作系统? 这可能是一个奇怪的类比, but the bottom line is that 物联网 devices cannot be expected to conform to the same security standards as fully fledged computers.
真正的, 我们并没有看到很多关于物联网安全漏洞的头条新闻, but let me put it this way: how many security related headlines did you see about Android Wear? 一个? 两个? 没有一个? It is estimated there are fewer than a million Android Wear devices in the wild, so they’re simply not a prime target for hackers, or a subject for security researchers.
How many 物联网 devices do you own and use right now? How many does your business use? That’s where the “Internet of NoThings” joke comes from, most people don’t have any. 这个数字还在上升, but the average consumer is not buying many, so where is that growth coming from? 物联网设备已经出现,而且数量正在迅速增加, 由企业而非消费者市场驱动.
Verizon and ABI 研究 estimate that there were 1.去年有20亿台不同的设备连接到互联网, 但到2020年, 他们预计会有5人.4 billion B2B 物联网 connections.
Smart wristbands, toasters and dog collars aren’t a huge concern from a security perspective, but Verizon最新的物联网报告 关注一些更有趣的东西:企业.
The number of Verizon’s machine-to-machine (M2M) connections in the manufacturing sector increased by 204 percent from 2013 to 2014, followed by finance and insurance, 传媒及娱乐, 医疗保健, 零售业和运输业. The Verizon report includes a breakdown of 物联网 trends in various industries, 所以它提供了对商业方面的洞察.
The overall tone of the report is upbeat, but it also lists a number of security concerns. Verizon describes security breaches in the energy industry as “unthinkable,,称物联网安全在制造业中“至关重要”, and let’s not even bring up potential risks in 医疗保健 and transportation.
I will not try to offer a definitive answer on how 物联网 security challenges can be resolved, or when. 该行业仍在寻找答案,还有很长的路要走. Recent studies indicate that the majority of currently available 物联网 devices have security vulnerabilities. 惠普发现,多达70%的物联网设备容易受到攻击.
While growth offers a lot of opportunities, 物联网 is still not mature, or secure. Adding millions of new devices, 硬件端点, 数十亿行代码, 还有更多的基础设施来应对负荷, creates a vast set of challenges, 这是我们在过去二十年中所经历的任何事情都无法比拟的.
That is why I am not an optimist.
我不相信这个行业可以将很多安全经验应用到物联网中, 至少还不够快, not over the next couple of years. 在我心中, the Internet analogy is a fallacy, simply because the internet of the nineties did not have to deal with such vastly different types of hardware. Using encryption and wasting clock cycles on security is not a problem on big x86 CPUs or ARM SoCs, but it won’t work the same way with tiny 物联网 devices with a fraction of the processing power and a much different power consumption envelope.
More elaborate processors, with a biger die, need bigger packaging and have to dissipate more heat. They also need more power, which means bigger, heavier, more expensive batteries. To shave off weight and reduce bulk, manufacturers would have to resort to using exotic materials and production techniques. All of the above would entail more R&D支出,更长的上市时间和更大的材料清单. With substantially higher prices and a premium build, such devices could hardly be considered disposable.
So what has to be done to make 物联网 secure? 很多. 从科技巨头到个人开发者,每个人都可以发挥作用.
Let’s take a look at a few basic points, 比如可以做什么, 以及正在做的事情, 提高物联网安全性的方法:
从第一天起就明确强调安全始终是一件好事, especially when dealing with immature technologies and underdeveloped markets. 如果您计划开发自己的物联网基础设施, or deploy an existing solution, do your research and stay as informed as possible. 这可能涉及到权衡, as you could be presented with a choice of boosting security at the cost of compromising the user experience, 但只要你能找到正确的平衡,这一切都是值得的. 这不能在飞行中完成,你必须提前计划,并且计划得很好.
急于将新产品和服务推向市场, 许多公司可能会忽视长期支持. 这种事经常发生, 即使是在大联盟中, so we always end up with millions of unpatched and insecure computers and mobile devices. 对于大多数公司来说,它们太老了, 而一次性物联网设备的情况肯定会更糟. 主要的手机供应商不会在2-3年的手机上更新他们的软件, so imagine what will happen with $20 物联网 devices that might be on your network for years. Planned obsolescence may be a part of it, but the truth is that updating old devices does not make much financial sense for the manufacturer since they have better things to do with their resources. Secure 物联网 devices would 要么 have to be secure by design and impervious from the start, or receive vital updates throughout their lifecycle, 我相信你会同意这两种选择都不现实, 至少, 没有.
Implementing secure access control and device authentication sounds like an obvious thing to bring up, 但我们这里讨论的不是普通的联网设备. 创建访问控制, 以及认证方法, that can be implemented on cheap and compact 物联网 devices without compromising the user experience, or adding unnecessary hardware, 比看起来难吗. 正如我之前提到的, lack of processing power is another problem, 因为大多数先进的加密技术都不能很好地工作, 如果有的话. 在一个 以前的文章, 我考虑了一个选择, outsourcing encryption via the blockchain technology; I am not referring to the Bitcoin blockchain, but similar crypto technologies that are already being studied by several industry leaders.
Si vis pacem, para bellum——如果你想要和平,就要准备战争. It is vital to study threats and potential attackers before tackling 物联网 security. The threat level is not the same for all devices and there are countless considerations to take into account; would someone rather hack your daughter’s teddy bear, or something a bit more serious? It’s necessary to reduce data risk, 从物联网设备中保存尽可能多的个人数据, properly secure necessary data transfers, 等等....... 然而,要做到这一切,你首先需要研究威胁.
如果所有这些都失败了,至少要为潜在的安全漏洞做好准备. Sooner or later they will happen, to you or someone else (well, preferably a competitor). 永远要有退出策略, a way of securing as much data as possible and rendering compromised data useless without wrecking your 物联网 infrastructure. It is also necessary to educate customers, employees and everyone else involved in the process about the risks of such breaches. Instruct them in what to do in case of a breach, and what to do to avoid one.
当然, a good disclaimer and TOS will also help if you end up dealing with the worst-case scenario.
World-class articles, delivered weekly.
World-class articles, delivered weekly.
