Today we published what is probably one of our most important presentations. The topic is IoT security and we break some important new ground while offering something that almost everyone in the IoT space will find useful.
Two-factor authentication is common in e-commerce today — if you try logging into your bank’s website from a new computer, you are usually asked to prove you are who you are via a userid and password, but also via a second authentication credential that is sent to me via SMS text or email.
The core thesis of our presentation is that there is an opportunity to outfit wireless IoT endpoints with a second wireless link whose primary job is to support two-factor authentication.
I have written on IoT security before, focusing on the benefits of listen-before-talk and the idea that endpoints shouldn’t talk more than necessary for a whole list of reasons. But combining this with a back channel for endpoints provides for unique opportunities to secure the endpoint and to make them more efficient. We think back channels are of immediate benefit to WiFi endpoints like IP cameras, but there is no practical limitation of where you can deploy a back channel given the range/signal propagation of LPWAN technologies.
If you design or sell endpoints that are likely to be vulnerable to hacking (this is basically everyone today), a back channel could make a huge difference in your security story but could make your IoT story vastly more compelling.
If you work in IoT or follow the news, IoT security is a huge challenge. Last fall, the Mirai botnet attack took down the internet in parts of the US and it only used ~100,000 hijacked cameras, DVR’s, and routers. It’s safe to say there are other botnet armies lying in wait out there, perhaps much larger than what we saw last fall, along with scads of other security and privacy problems that the IoT has not tackled. Some of this is due to crummy ways wireless IoT protocols (not Haystack’s) were engineered, and some is just plain human screw-ups. But scanning the news while building this presentation, to me it’s clear that adding two-factor authentication to the IoT is a big step towards responsibly addressing what is today an IoT security quagmire.