Paul Kocher, the Chief Scientist of Rambus’ Cryptography Research Division, recently participated in an ARM TechCon panel about securing the Internet of Things (IoT). As Kocher told conference attendees, strong hardware-based crypto needs to be accompanied by an equally robust software security layer.
“8-10 years ago the industry was more focused on single-use platforms such as pay TV chips and smartcards. These single-use scenarios were simpler to design for and offered a high assurance of success,” he explained.
“However, today we have a plethora of devices with multiple functions and features. This complexity means bugs are being created far faster than they are being fixed. In addition, more devices means an increased number of targets, while more information [stored or collected on IoT devices or endpoints] offers greater rewards to hackers.”
According to Kocher, security is not always something people are willing to pay for. Nevertheless, the progression of Moore’s Law is helping to reduce costs from dollars to pennies. In addition, says the chief scientist, the Federal Trade Commission (FTC) has increased its scrutiny of consumer-related hacks, while a more stringent level of security is required for certain government applications and equipment.
“Ultimately, IoT security will enter a stage of maturity and responsibility,” Kocher opined. “In the meantime, we are experiencing growing pains, much like the aviation and pharmaceutical industries did before an increase in both collaboration and regulation. This approach has to change at some point, but the question is how bad does it have to get before people really care.”
What is needed now, says the chief scientist, is to avoid situations where vulnerable products are deployed in the field for 10-15 years or more – at which point they may no longer be supported by belated software security patches. Indeed, as Kocher noted earlier this year, numerous companies are still routinely “checking the security box” to expedite the process of launching a new product.
“They want the least intrusive, least comprehensive evaluation possible. And then there are companies that have been hacked that want to understand their risk and mitigate it,” he added.
“If you get check boxes without teeth behind the consequences, it doesn’t help. If you can get liability and skin in the game for companies that control the risk, it would be transformative.”