Internet of Things Security & Privacy

Why We Can’t Use Things to Secure the Internet of Things

Hardware doesn't work to secure digital mobile transactions. Photo: Danai Khampiranon via Shutterstock

Hardware is how we secure digital mobile transactions today, but it may not work much longer. Photo: Danai Khampiranon via Shutterstock

It was in back in 2011 when Marc Andreessen first famously wrote “software is eating the world” and five years later, software continues to transform entire industries. There are many examples: with a bold idea and some lines of code iTunes disrupted the entire music industry, Amazon revamped the bookstore business, and Netflix wiped out Blockbuster. But when it comes to securing digital transactions, where you might think we were completely reliant upon software, the world mostly still relies on hardware.

The result is the mobile commerce security environment we see today–a world of digital transactions with higher stakes, surrounded by risk. Most industry efforts so far have resulted in highly fragmented solutions that are hard to scale and update, and have proved extremely costly and time-consuming to deploy. Two examples are Apple Pay and Samsung Pay. What do they all have in common? They are hardware-based. Hardware needs to be manufactured, deployed and replaced as new use cases and vulnerabilities come along. Hardware is also designed for specific platforms, so the resulting security solutions are controlled by the few players who manufacture or own them.

Stripped down to its core, mobile commerce is nothing more than the simple exchange of data. However, because the data in question involves people’s money, the need to secure it is urgent, and adds a lot of complexity to the system. That is how hardware came into the equation. When we first started to mobilize digital transactions, there was no way to secure them other than by using smart chips that could safely store sensitive data and authenticate whoever needed access to it.

As technology continues to evolve and we all transact more and more through connected devices, this hardware way of securing the mobile commerce ecosystem simply won’t suffice. The research firm Gartner estimates that the Internet of Things (IoT) is currently comprised of nearly 5 billion connected devices and that by 2020 that number will be multiplied five times to reach 25 billion. The cost of protecting all of these devices with hardware will be prohibitive. And that is just part of the problem.

The recent recall of 1.4 million Jeeps, Dodge Chargers and other Fiat Chrysler vehicles after hackers took command of a moving car by exploring a security vulnerability is the tip of the iceberg. Using hardware has become not only impractical, but obsolete. As everything gets connected, from cars and fitness bracelets to baby monitors and insulin pumps, the long lead times needed to update hardware when new threats come along are simply not acceptable.

The future of digital transaction security will require well-crafted software that works across platforms and devices, enabling them to communicate and transact seamlessly. Software-based solutions will also allow for a faster and cheaper response when challenged by vulnerabilities. New security features will generally be deployed over the air with a simple software update.

Not only is software more efficient, cost-effective, and quicker to deploy, it can also level the playing field. Providers can own their solutions end-to-end, without the need to ask permission or strike agreements to access and use security hardware in the user’s device.

IoT devices are here to stay. And while there is a lot of hype right now around connected cars and smart thermostats, consumer-facing applications are just scratching the surface. There is huge untapped potential for the business use of connected devices. A recent report by the McKinsey Global Institute estimates that if we work out the challenges around key areas such as interoperability and security, the potential economic impact of IoT devices can reach a staggering $11.1 trillion per year by 2025.

As we delve deeper into a truly connected world, security needs to be at the forefront of all aspects of the application value chain. Consumers want peace-of-mind to transact online and businesses need less friction to operate. To deliver on these promises, application providers will need to think seriously about how software can solve the many challenges associated with securing digital transactions on connected devices.

My company MagicCube is working on software-based security for digital transactions. The versatility and flexibility of software means that this technology will be able to improve and adapt rapidly with experience and use. So it will be able to enable  more transactions at a significant level of security While the risks associated with deploying breakthrough technologies will always be there, they can be mitigated by a huge uptake in transaction volumes  This is a trade-off the financial and commerce industries already understand and are willing to take. Meanwhile, hardware alone may increasingly present a roadblock that slows the number of transactions, as the nature of the connected universe evolves.

The time has come to bid farewell to costly, impractical, restrictive technologies and to embrace the future. Our challenge is clear: further secure software solutions so they can finally replace what is quickly becoming an antiquated approach.

 

Sam Shawki, (@sshawki on Twitter) is an expert in mobile commerce and the CEO and co-founder of MagicCube, a digital transaction security company based in Sunnyvale, CA.

Tags: , , , ,

  • Steven Sprague

    That nasty trust anchor comes into play. Inknown compute can steal everything!

    Software defined security with hardware anchors