Security and privacy for IoT devices matter a lot — but especially when a device controls an important function of the human body. Dependent on insulin or a pacemaker to keep things on track, or on electrical stim for pain reduction? There’s a smart device for that, and there are personal health data and device control implications as well.
The recent WannaCry ransomware attack infected hundreds of thousands of systems, initially targeting many hospitals in the UK’s NHS system. And at the moment, we’d better not rely on existing levels of device security to save us from worse harm. A new security study shows pacemaker software code security is abysmal; it readily uncovered 8,000 bugs and found that the devices can connect to monitoring systems that don’t require a doctor to log in.
Where to turn for help? The web and API standards stack
Why standards? Because interoperability is a constant requirement, and standards help independent implementations work together properly without a fuss. If it’s a goal of your business to build an ecosystem, for example allowing any number of third parties to connect to your devices, then standards are your friend. SDKs, libraries and experts implementing standards’ best practices can also help remove the friction and cost of solving problems that are not in your business’s core competency … such as writing your own security code. (Please refer to the 8,000 bugs mentioned earlier.)
Why web and API standards? The IoT economy owes its existence, in part, to the rise of the API economy over the last 10 years. We saw the explosion of mobile applications for controlling digital products, new models of access control for payments and innovations around gathering consent for application access to online services during this time. Standards enabled some of the most crucial steps forward in these arenas.
Which standards are a must? OAuth 2.0 (pronounced “OH-auth” and originally standing for “open authorization”) is the first step to unlocking API security and user consent challenges. There is a growing family of standards based on OAuth that are solving many more challenges over time; the next most important one is OpenID Connect for managing identity and authentication. (Please refer to the incidence of login-free pacemaker monitoring systems mentioned earlier.) If you have ever “logged in with Facebook” from one online account to another site or app, you’ve used a version of the OAuth and OpenID Connect standards to ensure that your authenticated identity was securely transmitted in a consented fashion across the network.
What’s new on the identity standards scene?
Two standards efforts, both built on OAuth, have risen to a new level of maturity, and it’s time to give them a serious look in connection with the internet of things and healthcare use cases in particular.
User-Managed Access (UMA) 2.0: UMA was conceived as an OAuth-based protocol designed to give an individual a unified control point for authorizing who and what can get access to their digital data, content and services, no matter where those things live. Think in terms of “adding a share button” to any online service (say, where tax returns are stored) or a smart device API (say, where lightbulbs are managed), so that a user can selectively delegate access to others for tax data or lightbulb control.
The resulting architecture makes UMA a strong basis for tools and solutions for building trusted digital relationships in many IoT scenarios. UMA’s capabilities can help address both sophisticated consent requirements imposed by regulations and the challenges of demonstrating trustworthiness to skittish consumers.
Commercial implementations of UMA entered the marketplace roughly at the same time that consumer IoT began to blossom in the form of smart home devices and increasingly automated connected cars. As the complex nature of IoT authorization and sharing scenarios came into focus, stakeholders began to formulate a roadmap for advancing UMA’s capabilities beyond the initial standard.
The first generation of UMA was approved in March 2015 by the Kantara Initiative, an industry consortium dedicated to advancing digital identity management and data privacy. UMA Version 2.0, now in its final stage of approval, is designed to align more closely to OAuth in order to accelerate adoption and interoperability with existing services and applications, and to enable disconnected-service use cases common in some IoT scenarios. So for instance, if Alice, the owner of the lightbulb, wants to share access with Bob, who has never before had to prove his identity to Alice’s authorization manager, UMA 2.0 makes this “wide ecosystem” scenario technically more attractive.
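The Alice-and-Bob lightbulb scenario above, traced through the UMA 2.0 grant as an in-memory sketch. This is an added example, not code from the article or from any UMA product; the class names, policy format, resource id and e-mail claim are constructed for illustration. It assumes Bob's claims arrive already verified (for example from an OpenID Connect ID token) and leaves out the protection API token that the resource server would normally present.

```python
import secrets

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"  # grant type defined by UMA 2.0

class AuthorizationServer:
    """Alice's authorization manager: holds her policies, issues tickets and RPTs."""
    def __init__(self):
        self.policies = {}   # resource_id -> {requester email: allowed scopes}
        self.tickets = {}    # permission ticket -> (resource_id, requested scopes)
        self.rpts = {}       # requesting party token -> (resource_id, granted scopes)

    def share(self, resource_id, email, scopes):
        # Alice's "share button": Bob does not need an account here beforehand
        self.policies.setdefault(resource_id, {})[email] = set(scopes)

    def permission(self, resource_id, scopes):
        # Called by the resource server after a request that carried no valid token
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, set(scopes))
        return ticket

    def token(self, grant_type, ticket, claims=None):
        if grant_type != UMA_GRANT or ticket not in self.tickets:
            return {"error": "invalid_grant"}
        resource_id, wanted = self.tickets.pop(ticket)   # tickets are single use
        if not claims or "email" not in claims:
            # Unknown requester: ask for claims and rotate the ticket
            return {"error": "need_info", "ticket": self.permission(resource_id, wanted)}
        allowed = self.policies.get(resource_id, {}).get(claims["email"], set())
        if not wanted <= allowed:
            return {"error": "request_denied"}
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = (resource_id, wanted)
        return {"access_token": rpt, "token_type": "Bearer"}

    def introspect(self, rpt):
        # Simplified introspection result: one resource and its granted scopes
        resource_id, scopes = self.rpts.get(rpt, (None, set()))
        return {"active": rpt in self.rpts, "resource_id": resource_id, "scopes": scopes}

class LightbulbAPI:
    """Resource server: makes no access decision itself, defers to Alice's AS."""
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def request(self, resource_id, scope, rpt=None):
        info = self.auth_server.introspect(rpt)
        if info["active"] and info["resource_id"] == resource_id and scope in info["scopes"]:
            return {"status": 200}
        # No usable token: answer 401 and hand the client a permission ticket
        return {"status": 401, "ticket": self.auth_server.permission(resource_id, [scope])}
```

A request without a token gets a 401 and a ticket; redeeming that ticket without claims returns `need_info` with a fresh ticket, and redeeming the fresh one with Bob's claims returns a token the lightbulb API accepts only for the scope Alice shared.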
Health Relationship Trust (HEART): The HEART initiative, housed at the OpenID Foundation, is working to develop a set of privacy and security specifications that enable patients to control access to health data APIs. HEART came about based on a simple concept: Individuals want the ability to gather, control and share their health data. Increasingly, this data is sourced digitally, such as from smart devices and mobile apps, and may be stored in electronic health records. The more complex a person’s health conditions, the more likely the sources of data will grow. Many people want to be able to give permission to anyone who has access to that data, and they want to be able to change their minds over time.
Clinicians, insurers, researchers and others want or need health data to diagnose, plan care, pay for care and for additional reasons. In some cases, they have achieved success in exchanging electronic health data by basing this exchange on standards. However, patients’ desires to control data-sharing have taken a back seat. HEART puts the individual back at the center of the health data-sharing conversation. The group has developed five specifications that have reached implementer’s draft status, based on the existing standards Fast Healthcare Interoperability Resources, OAuth, OpenID Connect and User-Managed Access (UMA).
The regular drip of frightening news regarding the vulnerability of IoT devices and connected services — whether WannaCry-style attacks or BrickerBot hacks — has the potential to seriously undermine the already shaky faith the public has in the internet of things. The work being done on standards such as OAuth, UMA and HEART shows that the white-hat tech world is fighting back against bad actors. It should be understood as a way for industry to police itself — a way to show a safer, more secure and more equitable way forward for every business and individual participating in IoT.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.