The National Security Agency (NSA) is paying to build ~~backdoors~~ security into the Internet of Things (IoT).
(Granted, it’s not like we can presume that the NSA wouldn’t build in backdoors, given the history of backdoors in iPhones, iPads, and routers, et al. But as Naked Security’s Mark Stockley pointed out at the time, why would the NSA bother to build in back doors when so many IoT devices are wide open anyway?)
The NSA is backing The University of Alabama in Huntsville (UAH) with a one-year, $299,622 grant, the aim of which is to build a lightweight virtualization architecture that can be used to build cybersecurity into IoT systems.
And oh, what a dizzying array of systems that’s growing to encompass, given that just about anything can be made “smart” by connecting it to the internet.
Some of the smart things that, if appearances don’t deceive, may well have had security tacked on as an afterthought instead of baked in from the design phase:
- Cars that have been remotely hacked;
- Planes found to be vulnerable to remote takeover;
- Industrial control systems (ICS/SCADA), including one car insurance company’s dongle that tracks drivers’ locations and driving habits and also, whenever possible, collects, transmits and stores the places drivers have been;
- Connected-home gadgets; and even
- Vending machines.
The architecture, which UAH will begin to work on in a few days, is called Dielectric.
Dr. David Coe, the principal investigator and an electrical and computer engineering researcher, said that the aim is to incorporate cybersecurity into the product design phase:
> While finding flaws and repairing them will continue to be an important focus in cybersecurity research, this proposal focuses on an architectural approach to building security into the system at the outset.
The research will tie together multiple disciplines at the university: faculty members will be coming from the electrical and computing department and the computer science department, bringing expertise in cybersecurity, embedded systems, hardware-software co-design, secure processing, and automotive systems.
UAH’s writeup of the grant quotes Dr. Letha Etzkorn:
> With the Internet of Things, one expects various 'things' - that is, embedded systems - to connect to the cloud. We are examining security methodologies that can apply both at the embedded systems level and the cloud level.
True, it’s being funded by the NSA – an agency that’s garnered more recognition for prying into privacy than for being far-sighted with regard to the frontiers of making connected-everything a safer landscape.
But it’s welcome, nonetheless.
The auto industry, for one, was recently chastised when US Senator Edward Markey issued a report criticizing its thus-far weak response to addressing security vulnerabilities, as well as the lack of privacy protections for the data collected from vehicles by the manufacturers.
Markey introduced legislation last month seeking to establish mandatory security standards for all cars and trucks.
Such standards would be a step in the right direction, but if each industry crawls forward at its own pace and with its own resources, cybersecurity in the IoT will continue to be a fragmented landscape, littered with laggards.
By contrast, Dielectric, which aims for a far broader, industry-spanning scope, seems like a welcome leap in the right direction.
Of course, if you think it’s utterly bonkers to trust the NSA with securing anything that comes into or near your house or person, please do share your thoughts in the comments section below.