On October 21, 2016, a massive and sustained Internet attack, specifically a distributed denial of service (DDOS) attack, caused network outages across large swaths of the United States and Europe. The attack launched with the help of hacked IoT devices, such as routers, video cameras, and digital video recorders.
Earlier this year, hacked devices attacked the website KrebsonSecurity.com—ironically a blog covering cyber-security news and investigation. Hackers used the same malware strain in both attacks. These types of attacks will only increase as IoT grows.
Businesses need to ensure adequate security throughout their entire IoT system. Existing technologies help do that in part, but the ultimate answer will probably involve new IoT-based solutions. Patents a traditional vehicle for driving innovation play a key role because they entice companies to invest in R&D for security.
The Ubiquitous Security Problem
Because IoT systems collect startling amounts of data on peoples behavior, identity, and networks, security becomes critical for IoT to be extensively adopted. People must feel comfortable that their information is safe before they truly accept the technology.
At its core, IoT involves connecting and networking devices that until now have not necessarily been connected. This means that all of those devices, from your brand-new connected refrigerator to your connected vehicle, are creating new entry points to the network and presenting new security and privacy risks. Threats to these IoT assets abound, such as poor web-interface authentication and authorization methods, non-existent transport encryption security, inadequate security configurations, and poor physical controls.
In IoT systems that rely on sensor measurements, any data or signal distortion can significantly affect the systems function. For example, connected smart vehicles using satellite navigation signals are vulnerable to spoofing. A hacker masquerading as a satellite could send false positioning signals causing an autonomous driving function to fail, or worse, an accident.
For IoT systems involving financial transactions, like usage-based insurance or smart banking sometimes referred to as the Fin-ternet of Things data privacy and security is also a concern. The emergence of sensor devices and telematics in smart cars allow them to transmit information on driver behavior to insurance companies so that they can adjust premiums. This benefits insurers and low-risk drivers because their reduced premiums better represent their safe driving behavior. So too for homeowners insurance: smart homes may transmit data about how a household is managed. Insurers can then use the data to automatically adjust monthly premiums, based on traffic flow in the home and safe behavior, like locking doors when leaving homes or turning off ovens when not in use. Most consumers would consider information on their behavior at home or in their cars to be very personal and thus want it protected.
On a broader scale, security for IoT devices tied to healthcare, such as medical devices, or part of the public infrastructure, such as power grids and water supplies, has evolved into public safety concerns. Imagine what would happen if a smart power grid became the target of a DDOS attack like the one launched in October.
The U.S. Department of Homeland Security has recently announced a plan to develop strategic principles for IoT to protect the nations infrastructure from cyber threats. Other government agencies, like the Federal Trade Commission, the National Telecommunications and Information Administration, and the Department of Transportation have also been tackling the issue, but no one has yet divined a comprehensive answer.
Patents to the Rescue
Patenting in IoT security may provide the solution by motivating more R&D investments in the space. A patent is basically a temporary monopoly from the government, giving the patent owner the right to exclude others from making, using, selling, offering for sale, or importing an invention.
Experts have traditionally viewed the patent system as a prime driver of innovation. The ability to monopolize the invented technology for a significant period of time creates incentives for businesses to invest in R&D and publicly disclose any resulting inventions. Theoretically, this allows a business to recoup its R&D costs and make a profit commercializing its patented invention. Otherwise, competitors can simply copy the invention, discouraging any investing in R&D.
Some would argue that copyright provides a means for protecting software inventions, so why bother with patent protection. But copyrights protect only the creative expression or specific implementation of the invention in a computer program. It does not prevent a competitor from taking the underlying invention or algorithm, and implementing it in a different way, such as in another programming language with different software architecture or even in the same programming language with just a different way of writing the code.
Patents, on the other hand, can protect the heart of a security or software innovation. They can protect the underlying inventive idea or a specific implementation of the idea if the implementation itself is inventive.
Obtaining security and software patents does have some challenges. Recent changes in the law have caused courts and the U.S. Patent and Trademark Office to find some computer-implemented inventions ineligible for patenting. Also, IoT systems are often distributed around the world with different entities owning different components of the system. This can create a divided infringement problem and make it harder to assert IoT patents against infringers.
Despite these challenges, many companies are innovating in the IoT security space and pursuing patent protection. Large companies and startups lead this innovation effort, but academia and individual inventors also play an important role.
According to a study by Cisco, companies hold 89% of the currently issued patents on IoT security. Universities hold 7%, individuals the remaining 4%. Among the company patent holders, LG, Ericsson, Qualcomm, and Intel appear to take the lead.
The Cisco study also shows that privacy protection and threat defense enjoy many patent filings (about 62% combined), followed by security provisioning/monitoring, physical security, application security, trusted computing, security management, communication security, and cloud security. Encryption technologies are being heavily patented. In its IoT patent landscape analysis, LexInnovaa technology consulting company found that over 1200 patent applications on IoT-related encryption technologies have been filed worldwide in the last 5 years: 224 on error correction, 628 in data security, and 424 on data encryption.
Intellectual-property rights are driving IoT security innovations because they provide incentives for companies to create the most effective solutions. Obtaining valuable patents for key security technologies will eventually set companies apart in the competitive IoT space.