A random look at IoT security

Richard Moulds of Whitewood Security

The traditional concept of a corporate security perimeter has been fading slowly for at least a decade. The cloud put it on life support and the IoT will kill it off for good. The IoT presents a whole new set of challenges and on a completely different scale.

The biggest security impact of the IoT is the massive increase in attack surface that it creates. In fact, the IoT is the security professional’s worst nightmare – lots of sensitive and often regulated data collected and stored on low-performance, low-power devices scattered across the country or the world. These are devices that are easy to tamper with, are in use for a long time and are hard to update. That’s not a good combination.

The recent WannaCry and Petra ransomware attacks dramatically exposed the dangers of using out of date software. But the economics of the IoT mean that devices such as smart meters will be in service for years and may only be touched twice – when they are installed and when they are replaced. Yet an IoT device deployed today will need to defend against attacks that haven’t even been thought of yet, says Richard Moulds, general manager at Whitewood Security.

Trusting the identity of millions of remote devices and proving that messages and commands haven’t been tampered with or eavesdropped is no simple task. IoT devices don’t have a sense of suspicion and can’t be easily trained – they simply apply a set of tests to verify trust and blindly accept the result.


All IoT devices need to talk – the question is, how secure are their communications? They rely on encryption to protect data but how strong is that encryption? The strength of encryption often comes down to how good the cryptographic keys are that lock and unlock access to data or systems and it’s whether these keys can be guessed or stolen that makes the difference.

Companies are getting better at protecting keys but as computers get faster and with quantum computers around the corner, cracking keys is becoming more feasible. And If keys can be guessed then the game is up.

Surprisingly, making truly random keys is harder than you would think and IoT devices are notoriously bad at it.

Almost all keys are generated by an operating system, but software is deterministic, pre-programmed to act in a certain way. If software does something random, we call it a bug! To trigger legitimate behaviour that is actually random, the operating system looks for sources of randomness – defined as entropy – usually by sampling some aspect of its physical environment. Everything from user mouse clicks and keyboard strokes to radio noise and timing jitter in the hardware can all yield entropy.

But IoT devices can suffer from entropy starvation. They tend to be low-power and low-cost devices, designed for a specific task and with very limited access to randomness. The same is true in the cloud. By abstracting cloud applications from the physical world, they are cuts off from their main supply of entropy.

IoT devices might spend most of their working day in a dormant state and have access to very few sources of entropy, if any, and yet are expected to spring to life, generate perfectly random keys and communicate securely.

The challenge is to create a source of entropy available to billions of IoT devices and cloud applications that will stand the test of time. Quantum-based entropy may be the answer. Quantum entropy is the nearest you can get to perfect randomness by exploiting random behaviour at the sub-atomic level, which is fundamentally random and unpredictable by any attacker, even with a quantum computer.Whitewood random numbers

The next challenge is actually deploying entropy to IoT devices consistently and at scale. The idea of remote delivery of entropy from a centralised source may offer the way forward – the concept of ‘entropy as a service.’ In time, entropy might be considered an essential ‘utility’ service in the same way that atomic time and date services are delivered to servers and devices today.

This may sound like a problem to worry about in years to come, but Siemens was recently forced to do a major software patch because it was discovered that the encryption in some of its IoT building controllers wasn’t very strong, because they had no randomness and hence were generating the same keys.

Furthermore, Edward Snowden’s disclosures claimed that a newly standardised Random Number Generator (RNG) had been purposely weakened. It’s effectively impossible to spot the difference between a truly random and non-random number – and that’s a problem when all crypto and therefore IoT security depends on them.

The author of this blog is Richard Moulds, general manager at Whitewood Security

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


FlorLink’s SmartHub solution connects to cloud using Sequans Monarch cellular IoT connectivity tech

Posted on: December 7, 2022

6 December 2022 – Sequans Communications S.A., a provider of cellular IoT chips and modules, and FlorLink, IoT technology and solutions provider, collaborated on FlorLink’s new SmartHub retail solution, which is now connected to the cloud by Sequans Monarch cellular IoT connectivity technology. SmartHub includes a large suite of sensors that can monitor multiple sales

Read more

PLVision launches SONiC Core to help organisations with faster network disaggregation

Posted on: December 7, 2022

1 December 2022 – PLVision, a custom software product development company focused on open networking systems has announced the launch of its SONiC Core initiative aimed at extending the reach of Community SONiC to drive its adoption in new, demanding markets. PLVision’s initiative will help simplify and speed up SONiC deployments and SONiC-based product development.

Read more

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more