Passwords: The Weak Link in Your IoT Network
By Lou Covey
Passwords are like the weather. Everyone complains about them but no one seems to want to do anything about them. Poland-based Cyberus Labs wants to be the exception to that rule. About five years ago the company developed a technology that uses a sonic code to gain access to a system.
They tried to sell it into the banking industry in both the US and Europe before they realized bankers have never met a good idea they liked. The tech went nowhere fast. They also couldn’t convince venture capital to take a flyer on the idea. Then, a couple of years ago, they realized passwords were a bigger problem in communication between devices connected in IoT networks than in human-to-device communication.
We all know that most people make crap passwords, a major attack vector for hackers. Steal someone’s password and you can take over their lives. But few people other than security experts, systems makers and hackers know that all devices have a secondary password system that exists only in the devices, and those passwords are even easier to crack. Just last year the FBI sent out an advisory to Comcast and AT&T customers warning them that Russian hackers had found the backdoor to the routers supplied by the ISPs and their data was at risk. It is relatively simple to change the standard password, but the ISPs don’t make it easy to find out how.
That weakness is rife throughout the IoT world, from the industrial level all the way down to your teenager’s Nintendo Switch. So the Cyberus Labs founders, CEO Jack Wolosewicz and business development director George Slawek, decided to pivot from protecting bank accounts to stopping hackers dead at the edge of a network. Cyberus Labs consolidated everything into Poland and pitched the idea to the European Commission, and they were given a $2 million Euro grant to apply the tech to the IoT world, something Europe is more concerned about than are the international banking industry and the investment community.
“We just spent too much time with the banks,” Slawek admitted. “They are still struggling with the human-to-machine interface to consider anything that comes from a startup. But while everyone knows there is a password problem with humans (with a lot of potential solutions) the dirty little secret is that it’s worse with machine-to-machine log-ins.”
Slawek said device manufacturers don’t just use the same password for each product, they often use it for different devices they produce, and that is something the EC knows is a significant problem. Hence the acceptance into the commission’s Horizon 2020 program for innovative solutions to security issues.
The name of the product is, unfortunately, ELIoTPro. It stands for Easy Lightweight Internet of Things Protection; at least the acronym is easy to say, if not to type. The technology includes a lightweight encryption algorithm that solves another problem of IoT security, as most encryption is too much of a memory hog to be used in small devices. Its small size is the key to how it works.
An ELIoTPro-enabled device, like a tablet, communicates with another device, say a router, using a one-time password in a communication protocol, like a subsonic tone that lasts a few milliseconds, and authenticates the user. Access to the network is granted and the code is never used again. There is no need to remember a password. It is that simple.
It isn’t a perfect solution, though. The company website states that it will stop 80 percent of external attacks on a network (which is actually more than most security systems can claim) but that 80 percent includes phishing and man-in-the-middle attacks that make up almost 80 percent of all network attacks.
Slawek said the concept was taken from the Enigma machine developed by the Nazis to produce uncrackable code messages during WW II. It wasn’t until Polish cryptanalysts duplicated the technology and the Allies captured some of the key pads that they were able to decipher the codes. In ELIoTPro’s case, there are no machines involved, but it seems fitting the Polish entrepreneurs have carried on the tradition.
The company is rolling out their solution to the automotive and smart-home/factory/city product companies in Europe in 2020. US deployment is being considered.
As always, comments and questions are welcome.