IoT is a security hellscape. One cryptography company has a plan to make it a little bit less so
End-to-end encryption is a staple of secure messaging apps like WhatsApp and Signal. It ensures that no one—even the app developer—can access your data as it traverses the web. But what if you could bring some version of that protection to increasingly ubiquitous—and notoriously insecure—internet-of-things devices?
The Swiss cryptography firm Teserakt is trying just that. Earlier this month, at the Real World Crypto conference in New York, it introduced E4, a sort of cryptographic implant that IoT manufacturers can integrate into their servers. Today most IoT data is encrypted at some point as it moves across the web, but it’s challenging to keep that protection consistent for the whole ride. E4 would do most of that work behind the scenes, so that whether companies make home routers, industrial control sensors, or webcams, all the data transmitted between the devices and their manufacturers can be encrypted.
Tech companies already rely on web encryption to keep IoT data secure, so it’s not like your big-name fitness tracker is transmitting your health data with no protection. But E4 aims to provide a more comprehensive, open-source approach that’s tailored to the realities of IoT. Carmakers managing dozens of models and hundreds of thousands of vehicles, or an energy company that takes readings from a massive fleet of smart meters, could have more assurance that full encryption protections really extend to every digital layer that data will cross.
“What we have now is a whole lot of different devices in different industries sending and receiving data,” says Jean-Philippe Aumasson, Teserakt’s CEO. “That data might be software updates, telemetry data, user data, personal data. So it should be protected between the device that produces it and the device that receives it, but technically it’s very hard when you don’t have the tools. So we wanted to build something that was easy for manufacturers to integrate at the software level.”
Being open source is also what gives the Signal Protocol, which underpins Signal and WhatsApp, so much credibility. It means experts can check under the hood for vulnerabilities and flaws. And it enables any developer to adopt the protocol in their product, rather than attempting the fraught and risky task of developing encryption protections from scratch.
“At the end of the day we know that’s the right thing to do.”
Jean-Philippe Aumasson, Teserakt
Aumasson says that the Signal Protocol itself doesn’t literally translate to IoT, which makes sense. Messaging apps involve remote but still direct, human-to-human interaction, whereas populations of embedded devices send data back to a manufacturer or vice versa. IoT needs a scheme that accounts for these “many-to-one” and “one-to-many” data flows. And end-to-end encryption has different privacy goals when it is applied to IoT versus secure messaging. Encrypted chat apps essentially aim to lock the developer, internet service providers, nation state spies, and any other snoops out. But in the IoT context, manufacturers still have access to their customers’ data; the goal instead is to protect the data from other entities and Teserakt itself.
It also only hardens IoT defenses against a specific type of problem. E4 looks to improve defenses for information in transit and offer protection against data interception and manipulation. But just like encrypted chat services can’t protect your messages if bad actors have access to your smartphone itself, E4 doesn’t protect against a company’s servers being compromised or improve security on IoT devices themselves.
“I think it’s a good idea, but developers would need to keep in mind that it covers only one part of data protection,” says Jatin Kataria, principal scientist at the IoT security firm Red Balloon. “What’s the security architecture of the embedded device itself and the servers that are receiving this data? If those two endpoints are not that secure then end-to-end encryption will only get you so far.”
Teserakt has been consulting with big tech companies in aerospace, health care, agriculture, and the automotive and energy sectors to develop E4 and plans to monetize the tool by charging companies to customize implementations for their specific infrastructure. The company has not yet open-sourced full server code for E4 alongside the protocol details and cryptography documentation it released, but says that final step will come as soon as the documentation is complete. Given the glacial pace of investment in IoT security overall, you probably shouldn’t expect E4 to be protecting the whole industry anytime soon, anyway.
That multifaceted IoT security hellscape needs as many available tools as possible, though. Larger services like Microsoft’s Azure Sphere are also exploring ways to extend more comprehensive encryption to peripherals and IoT devices. They aren’t cross-platform like E4, though, and with so many IoT security problems to solve there’s plenty of room for multiple companies to work on protections.
“It’s not a perfect solution for all of IoT’s issues,” Aumasson says. “But it’s an interesting discussion to have about what end-to-end really means in the IoT context. There are so many machines and entities that do not have the need to view or modify this data, so they shouldn’t have access to it. At the end of the day we know that’s the right thing to do for security.”
All Rights Reserved for Lily Hay Newman