Is there any advantage in encrypting sensor data that is not private?

17

3

Some sites, such as this article on end-to-end encryption for IoT, suggest that all traffic sent across the IoT network should be encrypted, saying:

Enterprises, government agencies and other organizations should take adopt [sic] an “encrypt-everything” strategy to protect against IoT-enabled breaches.

I can understand the need to encrypt any data that could be confidential, such as the commands to lock/unlock a 'smart lock' device, but is it really necessary to encrypt everything, such as the sensor that reports the current thermostat reading?

Is it simply the case that "encrypt everything" stops people from forgetting to encrypt data that really ought to be encrypted, or is there a real benefit from using cryptography, despite the extra power, time and cost of it?

Aurora0001

Posted 2017-01-02T20:50:35.890

Reputation: 11 277

2 - I've been wondering how to pose this question for a while. - Sean Houlihane 2017-01-03T10:14:36.030

5 - You'd be amazed at what you can get out of a simple thermometer reading. Back when I was into overclocking, I graphed my computer's temperature. I could spot the furnace cycling in that graph (obviously), but I could also track the sun's movement across the sky, spot when the room lights were turned on or off, and tell when someone entered or left the room -- and make a reasonably accurate guess as to where they were. - Mark 2017-01-10T00:28:18.937

Answers

23

Absolutely, because:

  1. A secure device and channel means that you can trust the data. Yes, the actual temperature is not very private, but an attacker can provide false temperatures and cause an undesirable response (e.g. turning heating on unnecessarily). This is how Stuxnet worked, by misreporting the speed of the centrifuges, causing the control system to make them go faster until they broke. Note that a secure channel is not only encrypted, but authenticated and integrity-protected. Integrity is what matters here.
     Encryption alone does not let you trust the data: an attacker can modify encrypted data even if they don't know exactly what they're modifying. Even authentication alone does not let you fully trust the data, as authentic data can be replayed. You need a protocol that guarantees data integrity.
  2. It's difficult to tell the difference between a faulty device and a compromised device. Detection and repair of faults is difficult and costly, so not having to repair devices (or debug the entire system) is worth putting in some security.
  3. Within a broader ecosystem you don't want some devices with encryption and some not, as this increases costs, maintenance, and management of devices. If you cannot say, for certain, that no private data will be transmitted in a few years' time on the system (not just the device), then it may be safer to engineer it now.
  4. Your definition of private data may be wrong, and unless you're checking it with auditors and regulatory experts across the regions in which you operate, assume that the data is private. GPS co-ordinates, and even IP addresses can be considered personally identifiable by some regulatory frameworks.

Simon Munro

Posted 2017-01-02T20:50:35.890

Reputation: 1 183
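Point 1 of the answer above as a worked example in Python: a sensor reading sent with encryption only can be altered in transit without the key, while an encrypt-then-MAC message with a sequence counter rejects both the altered copy and a replay of a genuine one. This is illustration code added here, not part of the answer; the master key, the 16-bit reading format and the HMAC-based toy stream cipher standing in for AES-CTR are all constructed for the demo.

```python
import hmac, hashlib, struct
TAG_LEN = 16  # truncated HMAC-SHA256 tag

def subkeys(master):
    # Separate keys for confidentiality and integrity, derived from one constructed master key
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def keystream(enc_key, nonce, n):
    # Toy CTR-style stream cipher made of HMAC-SHA256 blocks; stands in for AES-CTR
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_only(enc_key, nonce, reading):
    # Reading is a temperature in tenths of a degree C, a signed 16-bit big-endian value
    pt = struct.pack(">h", reading)
    return bytes(p ^ k for p, k in zip(pt, keystream(enc_key, nonce, len(pt))))

def decrypt_only(enc_key, nonce, ct):
    # No integrity check: a bit flipped in ct flips the same bit in the decrypted reading
    pt = bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))
    return struct.unpack(">h", pt)[0]

def seal(master, seq, reading):
    # Encrypt-then-MAC; the sequence number is the nonce and is covered by the MAC
    enc_key, mac_key = subkeys(master)
    nonce = struct.pack(">Q", seq)
    body = nonce + encrypt_only(enc_key, nonce, reading)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, master):
        self.enc_key, self.mac_key = subkeys(master)
        self.last_seq = -1  # highest sequence number accepted so far
    def open(self, msg):
        # Returns (True, reading) or (False, reason); check the tag before anything else
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expect = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expect, tag):
            return (False, "integrity check failed")
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:  # authentic but already seen or older: a replay
            return (False, "replayed or stale message")
        self.last_seq = seq
        return (True, decrypt_only(self.enc_key, body[:8], body[8:]))

def xor_at(msg, offset, mask):
    # Flip bits of an in-flight message at offset; models tampering without the key
    return msg[:offset] + bytes(m ^ x for m, x in zip(msg[offset:], mask)) + msg[offset + len(mask):]
```

Flipping bit 8 of the encrypt-only ciphertext turns a 21.5 °C reading (215) into 47.1 °C (471) without knowing the key; the same flip on a sealed message fails the tag check, and resending an accepted message is refused by the sequence counter.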

7

Sensor reports of a current thermostat reading feel very private to me. A burglar could use the data to find out when a person is at home. After the house has been robbed, the owner might decide it's a good idea to sue the manufacturer of the thermostat for violating their privacy and thus enabling the burglary.

Is this the kind of legal risk a manufacturer of the thermostat wants for their products? Do you want to argue in front of a court that it's completely fine for your company to give burglars the information that they need to know when to break into the homes of your customers?

Christian

Posted 2017-01-02T20:50:35.890

Reputation: 385

1 - That's the most sensitive thing people keep forgetting about: if everybody has some sensor reporting some seemingly stupid data, one can start to monitor a whole neighborhood's habits with a single antenna, and passively. ("Stupid" can be a power meter, tap water meter, temperature, ambient light, sound level, light switch command, etc.) - Nipo 2017-01-30T21:57:11.093

6

Yes, there is an advantage to encrypting all communications. You wouldn't post asking if there is any advantage to locking your house, would you?

The question is not whether, but how much, advantage there can be.

One of the greatest security experts, Bruce Schneier (who has a great blog, btw), will tell you that you can't make things totally secure. What you can do is make them secure enough that the cost of cracking them exceeds the benefit of doing so.

In crude financial terms, if it costs $100 to break into somewhere and get $5, the potential intruder is deterred, even though it is possible to break in.

In crude social terms, if I have a visible alarm, security cameras, motion-activated floodlights and a pack of hounds, a determined burglar could still break into my house. But if your house next door looks the same and doesn't have such deterrents ...

You can read a lot of his musings on the IoT by Googling for Bruce Schneier iot, including

Random Bruce Schneier fact #81

Bruce Schneier taught Chuck Norris how to divide by zero as they stood silent in an elevator.

Mawg

Posted 2017-01-02T20:50:35.890

Reputation: 2 069

5

It's always a choice of the designer/developer. But using encryption and other security measures is becoming a necessity these days.

As an example, a sensor that reports the current thermostat reading can be taken control of by an intruder to send you false signals. (They may have some strategy to rob you by doing so, who knows?)

You may have heard that you cannot make systems that are unbreachable. You can only make systems which are harder to breach!

No matter what steps you've taken, they still can break them. Hence, why bother to take some extra steps to make it safe?

Thisaru Guruge

Posted 2017-01-02T20:50:35.890

Reputation: 674

5

In addition to other answers, if the data is sent in plaintext it can be modified.

Apart from the already mentioned problems that faking data can cause (turning the heat to the max because of a lying thermometer in the middle of a hot summer might lead to a fire hazard, for example), manipulating data can lead to compromise of the IoT device, and of everything that accesses it (for example, your notebook might be checking the temperature, but the HTML page showing the temperature could be replaced in transit with a computer virus designed to infect your internal network, or the JSON data might be modified to break into the application reading the malformed data, etc.).

Not that implementing security is without its risks, especially in the IoT world. Security is hard, and implementing it usually vastly increases the codebase, and with it the number of bugs (and thus possible attack vectors / exploit opportunities). IoT devices rarely get firmware upgrades, so when an IoT device without auto-update has a problem, it is almost guaranteed to provide botnets with extra zombie machines.

And yes, auto-upgrade itself is not without issues - from privacy issues to the possibility that evildoers will take control of it if it is not implemented properly; but it should be lower risk than hoping your first firmware will be without any security bugs allowing attackers to increase their zombie ranks.

Matija Nalis

Posted 2017-01-02T20:50:35.890

Reputation: 346

1 - “if the data is sent in plaintext it can be modified” Neither this nor the converse is true. If the data is sent in plaintext and signed then it can't be modified without detection. (To be more precise, in order to detect modifications, the transmission also needs to be protected against replay.) Conversely, encrypted data can be modified if it isn't signed. - Gilles 2017-01-28T21:03:49.647

@Gilles you are correct, of course - I didn't want to complicate things by going into too many technical details, so by "plaintext" I was implying "with no security measures at all" (like most IoT devices today operate). If the manufacturer bothered with signed data protected against replay, they would also almost certainly encrypt the data too instead of sending it in plaintext (they'd probably just slap a TLS layer on and move on if they bothered with security). While theoretically possible, the situation you describe would almost never happen in practice. - Matija Nalis 2017-01-28T21:48:05.747