Both mobile computing and the Internet of Things (IoT) generate a lot of bad news with respect to security. So combining “mobile” with “IoT” seems likely to produce even more bad news: The number of attacks on mobile platforms is rising and breaches of enterprise data are a constant threat to IoT, as well as to mobile computing.
Nonetheless, both technologies are driving the transformation of enterprise architecture. As it evolves, secure mobile technology is maturing with strong privacy and service controls. These advancements also improve the IoT’s security position and applicability. The confluence of these two developments is realized in the user interface (UI), and this is where mobile and IoT may make a perfect match.
Mobile devices are emerging as the preferred host for IoT user interfaces, which connect to IoT gateways, the cloud, and sometimes directly to IoT devices. As an IoT UI, the mobile solution must also support IoT data confidentiality and integrity; and it must support enterprise-grade security for endpoint privacy and authenticity.
This is an important point: The security of the IoT service is very much anchored in the security of the user who accesses the service, and hence the security of their UI. Thus, the most important requirements for effective IoT user interfaces are human-user centric.
There are several features that are required for a safe and effective mobile IoT user interface, but four considerations top the list:
1. Rich interface for interactions. The device that hosts an IoT UI may need to connect to gateways, the cloud and directly to IoT devices. Multiple radios, high-fidelity audio and microphone, and multimedia capabilities reduce complexity for users by making interactions intuitive and simple.
2. End-user authentication and privacy. The device that hosts an IoT UI needs restrictive controls so that only an authorized user can access data (or secrets) or run transactions. Such strong identity and authentication methods (which may include biometrics) in turn require added privacy protections, especially safeguards for the user’s identity and personal data.
3. Security capabilities. The IoT UI needs to securely access remote resources. Users need keys to authenticate and authorize actions, they must run security protocols such as TLS and SSH, and their systems must protect the keys against intrusion by malware, social engineering or other attacks.
4. Loss prevention and recovery. Any mobile device runs the risk of loss, theft and destruction—and all must recover from these misfortunes. But a mobile device hosting an IoT UI has a higher bar for recovery that must include controlling access to machines, alarms, environmental controls, monitoring data, etc.
Although not exhaustive, these basic requirements not only help the user, they ensure the integrity of the IoT-service lifecycle.
For example, the importance of rich interfaces is illustrated by how we install popular consumer IoT devices such as the Amazon Echo, Belkin WeMo, and the like. The purchaser connects to the device’s service set identifier (SSID), then connects the device to a home Wi-Fi SSID, so that the device can, in turn, connect to other devices. This onboarding might seem complex or prove difficult for some users, but most people can accomplish it using a mobile phone. This is due, in part, to the rich, multimedia interfaces that manufacturers make available for selecting and joining Wi-Fi networks. These rich interfaces, both network and graphical, help the smartphone (and by extension, the user) enable IoT services more easily.
On the downside, IoT security is often no better than mobile security; this is where the second consideration on the list, user authentication and privacy, comes into play. If anyone can pick up your cell phone and control your enterprise services, then we are in real trouble. End-user authentication and privacy starts with protecting who can access the UI. Mobile platforms do this today via biometric authentication, password verification, email/SMS password recovery and other increasingly sophisticated authentication services. As enterprise-grade security rises in mobile platforms, we can also see potential benefits to IoT in feasible, security-critical enterprise applications.
As to security capabilities, many modern mobile platforms have evolved into well-equipped security endpoints for enterprise services and, increasingly, for IoT security services. To wit, the security is such that the U.S. government is seeking to force companies to insert backdoors to weaken it. Enterprise-grade security services build on this and extend it with VPN, TLS, encrypted envelopes, innovative privacy protocols for chat, common cryptographic libraries, and key storage. Protected key storage is common in the iOS Secure Enclave and Android Trusted Execution Environments, thereby protecting keys on the user’s mobile IoT endpoints.
Finally, in reference to the fourth basic requirement for a safe and effective IoT UI, we must acknowledge that mobile devices will be lost, stolen and dropped in the ocean—and mobile solutions must be robust to such misfortune. Biometric authentication (and particularly re-authentication before accepting a request) can help protect against the device falling into the wrong hands. Active loss detection, revocation, data destruction and recovery are vital features in a mobile IoT UI.
As both mobile technologies and IoT implementations continue to mature together and proliferate, there is an ever-growing wishlist of features and capabilities that would make both more effective. New mobile technologies that would aid the IoT UI include the following:
1. Simplify onboarding. Users may need to switch Wi-Fi access points, photograph labels, key in digits and perform other onboarding tasks that are simply too complex. Anything the mobile device or mobile cloud can do to simplify onboarding ceremonies improves IoT feasibility. Standard technologies for this already exist.
2. Better multi-factor authentication, key and password management. It needs to be “nearly impossible” for an intruder to break into your mobile device or to run malware or otherwise get command of your IoT services. Fingerprints are convenient, and it’s good to periodically prompt for a PIN code, but facial recognition and other advanced schemes are needed to further improve on mobile authentication as additional factors.
3. End-to-end encryption. TLS 1.1 is a good transport protocol that gets widespread use on mobile platforms for HTTPS and other services. But not every IoT service is end-to-end. Some use cases require data to remain encrypted on intermediate systems—and even remain encrypted in the cloud. New “application-layer envelopes” are emerging for IoT services.
4. Continuous innovation. The recent announcement from WhatsApp about message encryption shows that mobile platforms can provide true end-to-end security to billions of mobile endpoints. More innovation like this can only improve mobile security and encourage similar developments in IoT.
The concept of continuous innovation extends to privacy features, cryptographic services and general security in future mobile platforms—but also to any development that facilitates ease-of-use and peace-of-mind for the end user. Securely enabling refined user control of IoT networks and services through intuitive and feature-rich mobile user interfaces is a goal worthy of effort, and one that is well within reach.