The fast-growing use of IoT devices for everything from consumer appliances to industrial data-collection has offered many benefits for individuals and businesses alike. The trend, however, also presents security issues.
New IoT devices can exchange significant volumes of data — often sensitive — every second. Without the proper protections, hackers can siphon off valuable information they shouldn’t have access to. In some cases, they may even be able to send messages or data of their own.
Cryptography — and specifically, the encryption and decryption of transferred information — has to be an essential part of IoT design as a result. It can keep IoT devices and the data they transfer secure, which should be at the forefront of everyone’s minds. After all, nobody wants their sensitive information to be compromised.
How cryptography keeps IoT devices secure
IoT devices transfer massive amounts of data — an amount that’s predicted to grow to 79.4 zettabytes in 2025 — that’s often confidential, sensitive or otherwise worth securing.
With cryptography, it’s possible to encrypt this data. Messages are encoded with a special key so they can only be decoded by a specific user, device or set of users.
When developers or manufacturers implement end-to-end encryption, no one but the sender and intended recipient can access that data as it moves from device to device — even if it travels across the internet to reach its destination. This means that with the right encryption standards in place, even the manufacturer of a particular device won’t have access to that information.
This kind of protection is essential for businesses working with highly sensitive data that want to keep that information safe. Encryption effectively reduces the angles of attack a hacker would have if they were trying to steal data transferred across different IoT devices.
The data most IoT devices transfer is encrypted at some point as it moves across the web and to other devices. Few manufacturers, however, implement on-device or centralized encryption, meaning that information may only be safe some of the time that it’s in transit.
While cryptography is essential for good IoT device security, there are some significant challenges to implanting encryption standards. Because these devices have different, less powerful hardware specifications than other items, like computers or smartphones, standard approaches to encryption may be less workable.
Implementing cryptography in IoT devices
There are a few different cryptographic standards for manufacturers to choose from. Most data protection tools on the market — as well as many governments and security organizations — use the gold standard encryption method, which is the Advanced Encryption Standard.
However, not every manufacturer is convinced that popular encryption standards, like the AES, are right for IoT devices.
IoT devices are unique, however. In many cases, they have specialized hardware that provides just enough processing power for whatever task they need to complete. In industrial settings, an IoT device may only have the equipment to track one type of data and send that information to a central server.
Some manufacturers have pushed back against the idea of using tried-and-true encryption standards like the AES. This is because the AES isn’t designed to be lightweight — meaning that for devices with little processing power, like IoT sensors, implementing the standard could be challenging.
Research on leading IoT devices has found that manufacturers probably don’t need to work with lighter-weight — but less secure — security standards. Instead, it’s often possible to find a way to make AES work, even on these low-power devices.
The challenges of IoT cryptography
However, for IoT devices with very little processing power — like internet-connected microcontrollers in heavy equipment — lightweight encryption may be a necessity.
New, lightweight encryption standards for IoT devices haven’t been used at scale yet, mostly because there hasn’t really been a need for that kind of measure in the past. While developers, cryptographers and cybersecurity experts know the strengths and weaknesses of AES, they won’t have the same knowledge about a new encryption standard. This could make IoT devices that use these new standards more vulnerable.
Waiting for lightweight encryption technology to become available could also present significant issues. It may be difficult to retrofit existing IoT technology with new security standards at scale, meaning that owners would either need to replace old devices or accept limited data security. Even if older items can be secured, waiting may mean leaving vast amounts of device communication unsecured in the meantime.
Cybersecurity developers are starting to create new technology that can handle this problem. Projects — like the open-source E4 developed by Swiss cryptography firm Teserakt — aim to help manufacturers ensure data is protected as often as possible, no matter where it’s from or where it’s going.
Keeping IoT data safe with cryptography
The number of IoT devices in use is likely to grow at a fast pace over the coming years. Growth of Industry 4.0 tech will likely make sensors and other devices even more useful, encouraging businesses to adopt the technology.
This trend will likely make cryptography much more important, as well. Without end-to-end encryption, data transferred between IoT devices will remain unsecured and vulnerable to eavesdropping and manipulation.
New and old cryptographic standards can help keep IoT devices safe. While manufacturers have pushed back against the idea of including encryption on some devices — citing issues like the resources needed to encrypt information using some standards — developers are at work creating new technology that may be able to help.
Article by Megan R. Nichols
Megan R. Nichols is a technical writer and the editor of Schooled By Science. She regularly discusses Industry 4.0 for IoT Times, ReadWrite and IoT Evolution. When she isn’t writing, Megan enjoys hiking local trails. For more articles follow Megan on Twitter.