The biggest IoT threat will be ransomware, Hong says. “Today's ransomware attacks involve encrypting a victim's data and holding it hostage until they pay you,” he says. “Tomorrow, IoT offers a range of new ransomware attacks. Script kiddies might annoy people by locking them out of their house or their cars.” Anonymous might fiddle with a company's HVAC or lighting, raising electrical bills or irritating occupants, and attackers might seek to break into multiple autonomous vehicles or medical devices, holding people virtually hostage, he says.
The lab at Carnegie Mellon is investigating several ideas for security within Giotto. One is how to use proximity as a way of gaining access, Hong says. For example, if you're in a room, you might be able to get access to some of the room's sensors and services, such as the temperature. If you're outside the room, you might get degraded or no information.
“We're also looking at how to differentiate between public and private data,” Hong says. “For example, at our university, we might designate sensors in hallways as public data that anyone affiliated with the university can see and use. But data and services associated with private offices might be only accessible to the occupant of that office as well as the building manager.”
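The two ideas above, proximity-based access and a public/private split for sensor data, can be combined into a single policy decision. The following is an added illustration, not Giotto's code or Carnegie Mellon's design: sensor and requester records, the visibility labels, the occupant and building-manager roles, and the rule that a degraded reading is rounded to the nearest 5 degrees are all assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"          # exact readings and services
    DEGRADED = "degraded"  # coarse information only
    NONE = "none"          # default deny


@dataclass(frozen=True)
class Sensor:
    sensor_id: str
    room: str
    visibility: str              # "public" (e.g. hallway) or "private" (e.g. office)
    occupant: Optional[str] = None  # only meaningful for private sensors


@dataclass(frozen=True)
class Requester:
    user_id: str
    affiliated: bool               # affiliated with the university
    location: Optional[str]        # room the requester is physically in, if known
    building_manager: bool = False


def decide(sensor: Sensor, requester: Requester) -> Access:
    """Return the access level for a requester on a sensor (constructed policy)."""
    if sensor.visibility == "private":
        # Private office data: occupant or building manager only, wherever they are.
        if requester.building_manager or requester.user_id == sensor.occupant:
            return Access.FULL
        return Access.NONE
    if sensor.visibility == "public":
        # Public hallway data: affiliated users only, with proximity deciding fidelity.
        if not requester.affiliated:
            return Access.NONE
        return Access.FULL if requester.location == sensor.room else Access.DEGRADED
    return Access.NONE  # unknown label: fail closed


def read_temperature(sensor: Sensor, requester: Requester, value: float):
    """Apply the decision to a temperature reading; None means no information."""
    level = decide(sensor, requester)
    if level is Access.FULL:
        return value
    if level is Access.DEGRADED:
        return 5 * round(value / 5)  # assumed coarsening: nearest 5 degrees
    return None
```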
Also, the lab is looking at how different layers of Giotto can support different parts of security. For instance, the physical layer needs to make it easy for people to understand that the sensors are there, check what data the sensor is collecting, see how that data is used, and understand who can see that data, Hong says.
“The logical and middleware layers need to offer access control, as useful defaults for what data and services people can access, and really simple controls that don't require a PhD to understand,” Hong says. “The app layers need to make it easy for average developers to make use of the data while also respecting people's privacy.”
In corporate IT, there's a strong emphasis on endpoint security—or putting security software on laptops, desktops and smartphones, Hong says. “This only works for the top-tier of devices, but not for the billions of devices that will make up the middle and bottom tier,” he says. “There will need to be major advances in network security to protect these kinds of devices.”
Organizations will also need significant innovations in artificial intelligence and big data techniques to detect unusual behaviors, Hong adds. “We can barely manage the security of our desktops, laptops, and cloud servers today, and adding thousands or tens of thousands of devices to a home or corporate network will mean that we will need new and automated ways of quickly detecting and responding to attacks.”