Ditch the Password – Reevaluating Threat Models in the Internet of Things

The UK government has addressed the security of smart devices (that is, those connected to the internet). In a paper released by the Department for Digital, Culture, Media and Sport, titled ‘Secure by Design’, it calls upon manufacturers to build security measures into their device designs. This initiative is part of the government’s ambitious plan to make the United Kingdom, in the paper’s words, the safest place to be online.

The report cites malware such as Mirai and Reaper as prime examples of why IoT security needs an overhaul: both botnets exploited weaknesses that arose because users had not changed default passwords or manually applied patches on internet-connected devices.

It’s estimated that the average household in the UK has ten smart devices, a number predicted to rise to fifteen by 2020. While the report correctly identifies the ample opportunities for cybercriminals to hijack these increasingly popular connected devices, and offers guidelines to manufacturers, it must be remembered that they are just that – guidelines. An industry standard for security would be optimal, but it’s probably time that attack vectors are minimised through other means – notably, by returning control to the end-users.

Password-protecting accounts is fast becoming an obsolete practice. The strongest passwords – long strings of text, digits and special characters – may be brute-force-resistant, but they are still exposed in a data breach. The weakest – far more prevalent because they are easy to remember – are a security disaster waiting to happen. Couple this with the fact that many people reuse the same passwords across sites, and it rapidly becomes apparent that a serious overhaul is needed.

Advances in blockchain and biometric technology have changed the game for identity management. Gone is the requirement to trust that every company one has ever registered with is protecting its users’ data adequately. Blockchain technology combines the decentralisation of data with zero-knowledge storage to ensure that the user, and the user only, has access to their own data.

Client-side encryption would allow individuals to make payments to various sites without their personal or sensitive information ever touching third-party servers. To further mitigate the risk of card-not-present fraud, biometric security, with KYC checks tied to biometric proof of identity (facial or fingerprint recognition), would add a further layer to the security model. Even if a device’s physical integrity were compromised (whether stolen or cloned), a malicious actor would be unable to spend funds.

Biometric security comes with the added benefit of not needing to remember strong passwords. You may forget what your username and password are, but it would be an impressive feat to forget where you keep your index finger.

Increasingly sophisticated methods are being adopted by criminals to gain access to data stored in silos with too many exploitable weaknesses. It’s time for individuals to leave behind an archaic infrastructure and to take back control with blockchain-based solutions.

About The Author

Alastair Johnson is the founder & CEO of Nuggets. Nuggets is an e-commerce payments and ID platform. It stores your personal and payment data securely in the blockchain, so you never have to share it with anyone – not even Nuggets.
