The NSA wants its algorithms to be a global IoT standard. But they're simply not trusted

Graham CLULEY

April 27, 2018

We all should know by now that the state of security of many Internet of Things devices is a shocking mess.

Time and time again security holes are found in IoT devices, providing an opportunity for hackers to spy on unsuspecting users, steal information, or even hijack gadgets to perform internet attacks on others.

The only explanation seems to be that the manufacturers of many so-called “smart” devices have given little thought, and put little effort, into how they should properly protect owners and their data from malicious hackers and snoopers.

And although some bodies have called for “security trust marks” so consumers can know which devices they can trust, we still seem to be some way away from agreeing a globally accepted baseline to which IoT devices should adhere.

One group that would like to encourage the adoption of improved cryptography in IoT gadgets is the International Organization for Standardization (ISO).

And, fascinatingly, the ISO has just voted against two new encryption algorithms specifically designed to secure IoT devices, which typically have limited resources in terms of memory and power.

Why were the algorithms – known as Simon and Speck – rejected? It seems because they were developed by the NSA.

Part of the concern is that Simon and Speck might contain encryption backdoors that would be abused by US authorities. Although nobody has directly accused the NSA of attempting this with Simon and Speck, the agency has something of a chequered history when it comes to subverting and weakening previous standards.

For instance, in 2013 it was discovered that the NSA had sabotaged NIST security standards by incorporating a backdoor into a random number generator (known as Dual_EC_DRBG), which was built into RSA’s widely used BSAFE encryption libraries.

In a series of tweets, Dr Tomer Ashur, representing the Belgian delegation of the standards body, explained that the NSA had not presented itself well to the ISO:

Being international in nature, ISO’s decision making process is about building consensus. NSA’s aggressive behavior together with half-truths and full lies they provided us with discouraged such consensus which brought us to where we are today.

This is yet another example as to how the NSA’s surveillance program is bad for global security. If they had been more trustworthy, or at least more cooperative, different alliances would have probably been formed.

But instead, they chose to try to bully their way into the standards which almost worked but eventually backfired.

To add insult to injury, Dr Ashur compared America’s NSA unfavourably with the Russian and Chinese authorities, who have also proposed algorithms:

On a personal note: spying agencies have no place in civilian standardization. If you can’t motivate your decisions, we can’t trust you. The Russians and Chinese seem to understand that and are much more cooperative in addressing concerns.

According to a Reuters report from last year, Israeli ISO delegate Orr Dunkelman made clear that the distrust of the NSA runs deep:

“I don’t trust the designers. There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards.”

I think we’re all agreed that the Internet of Things needs better security, and strong cryptography standards are an essential part of that. But let’s ensure that those standards are bulletproof, and not actually introducing their own intentional flaws which could put us all at risk.
