The Internet of Things is a whole new infrastructure which of course leads to a number of challenges that must be addressed. In Germany there are plans for an “Identity Safety Act” that should protect this new infrastructure. Right now, this plan exists as a so-called benchmark paper. Such papers often serve as the basis for subsequent legislation so it pays to take a look at the basic ideas of the plan and form one’s own opinion.
The benchmark paper says that each identity associated with the IoT needs to be technically protected. To achieve this, each connected device should be equipped with a cryptographically secured hardware access. What is meant is a chip in each device which stores an identification number that cannot be changed by software. If two devices in the network communicate with one another – whether mobile phones, machines or refrigerators – they should previously mandatory exchange their identity, simply said, tell each other who they are. The paper argues that the IoT could only be secured if it is always clear who is talking to whom.
Of course it is right that, in a networked world, it must be ensured that the right devices communicate with each other. But the question is, if a general mutual identification of all devices really makes sense – especially from a privacy perspective. A legally binding, hardware-based identification of all components in the IoT also means that they can be clearly and unequivocal assigned. So it is apparent that the data protection would be sacrificed for the supposed increase in safety.
Is the State Device ID a Monitoring Nightmare?
This is also the opinion of Frank Rieger, a spokesman of the Chaos Computer Club. According to zeit.de, he said that the benchmark paper tried to use the security problem of IoT components as a stepping stone for a universal state device ID, which would be a monitoring nightmare. The real problem was not tackled, namely, that the software basis of IoT devices is just as bad as those in our computers and phones. For him, this would be the right starting point for a whole new market dynamic.
This is also the opinion of Frank Rieger, a spokesman of the Chaos Computer Club. According to zeit.de, he said that the benchmark paper tried to use the security problem of IoT components as a stepping stone for a universal state device ID, which would be a monitoring nightmare. The real problem was not tackled, namely, that the software basis of IoT devices is just as bad as those in our computers and phones. For him, this would be the right starting point for a whole new market dynamic.
In any case, the question we are facing is which safety benefits we can expect from the chip. According to the paper, an identity chip could protect the communication between two devices against influences from the outside. Penetration of unauthorized third parties, such as hackers, would be ruled out. But in fact, everyone who deals with computer security may be surprised by so much “optimism”. It’s no secret that, so far, every technical system was cracked. And only because a crypto chip is installed, it will likely not be impossible to bring the device to do things it should not do. In EC-card terminals in shops crypto chips are installed long ago. Nevertheless, they can be manipulated. And this is simply because the terminals include many other chips and systems that have safety gaps. And even the identity chips itself may have gaps, errors or undetected vulnerabilities.
Stifle Innovation and “Counterproductive” for IT-Locations?
But according to the paper, the chip should not only serve as identification technology. It should also be something like a guard which is programmed to prohibit any access to the device that the manufacturer does not want. That the networked devices can only perform specifically defined functions must already be implemented in the hardware basis. The paper says that, by the use of such Secure Elements (i.e. certain hardware components) and regardless of the installed software, a misuse of the product must be excluded. Nevertheless, there can be no absolute certainty that this will enable all risks to be fully identified and controlled.
And even if the chips could effectively prevent from unauthorized access to IoT devices, the idea of the chip may stifle innovation and be “counterproductive” for IT-locations. Because according to the paper, every identity chip should be certified by a government organization. But this can really take a long time, not to mention the costs of introducing new equipment everywhere. So what remains is the question if this approach is really useful or will in fact just satisfy individual economic and government interests.
What do you think about the idea of a State Device ID?
{{comment.comment}}