The Debate Over How to Encrypt the Internet of Things

So-called lightweight encryption has its place. But some researchers argue that more manufacturers should stick with proven methods.
Images of a lock and fences with devices
Illustration: Sam Whitney; Getty Images

Internet-connected gadgets like light bulbs and fitness trackers are notorious for poor security. That's partly because they’re often made cheaply and with haste, which leads to careless mistakes and outsourcing of problematic parts. But it’s also partly due to the lack of computing power in the first place; it's not so easy to encrypt all that data with limited resources. Or at least that’s how the conventional wisdom goes.

But real-world data suggests that many of those ubiquitous tiny gadgets can run versions of traditional, time-tested encryption schemes. A team from the Swiss IoT encryption firm Teserakt argues that there's no need to reinvent the wheel when the real solution is simply holding IoT manufacturers to higher standards. They made their case at a National Institute of Standards and Technology conference in Maryland this month focused on developing “lightweight” cryptography for embedded devices.

But traditional cryptography, particularly the stalwart Advanced Encryption Standard, often works just fine in IoT devices, says Antony Vennard, Teserakt's chief engineer. The researchers have even observed a number of situations where security-conscious manufactures found ways to incorporate it, like in the embedded systems of cars. And other, independent studies have had similar findings.

"The lightweight competition is based on the idea that for embedded devices—things like industrial controllers and chips in credit cards—AES is too heavy, too big. Using it takes up too much space and power," Vennard says. "But my passport has a chip in it that can run AES. Modern smart cards can run it. Fitness trackers like FitBits can run it. In our experience, AES is pretty much everywhere, even in embedded devices."

It’s important to talk about the actual utility of lightweight encryption now, because it takes years for the cryptography community to develop and vet a new encryption scheme to ensure that it’s safe to use. NIST has already been working on lightweight cryptography since 2015. And once those standards are in place, it takes even more time to gain real-world experience implementing the scheme to catch mistakes. It adds a lot of time and potential risk to the process of securing these devices. If you can make existing encryption algorithms work on them instead, all the better.

In February, for example, Google debuted a method for encrypting most low-end Android devices regardless of how piddly their processors are. Rather than a novel encryption scheme, it relied on clever implementations of AES and other existing cryptographic methods to reduce the chance of introducing a fundamental flaw. The method, dubbed Adiantum, is an impressive solution to one of Android's more daunting problems. But Johns Hopkins cryptographer Matthew Green points out that the lengths Google had to go to to achieve it may actually indicate a need for lightweight cryptography, rather than showing that it's worth sticking with AES. "It's not actually a great argument for 'AES is fast enough,'" Green says.

Though it may be possible to implement traditional encryption more widely than the IoT industry currently believes, Vennard admits that there are situations where lightweight encryption would be useful. Certain devices, particularly things like simple sensors in industrial control settings, are powered by microcontrollers so rudimentary that they really would require special encryption techniques to secure. But Vennard argues that the key is clearly defining these categories rather than creating a situation where developers and manufacturers don't know which cryptographic techniques should be used where.

"There are some cases where you might need lightweight crypto, but where it could get confusing is where people aren’t sure what level of security they need," Vennard says. "If people can use AES—we have about 20 years of experience implementing AES—but don't, that's a risk, because implementing something new is tricky."

It's also always possible that the US government knows something private researchers don't. Along with NIST, the National Security Agency, for example, has stressed the importance of developing next-generation cryptography schemes. That's partly because of the threat to encryption posed by the rise of quantum computing, but it's also because of the IoT security crisis.

At the WIRED25 conference in San Francisco earlier this month, Anne Neuberger, head of the NSA's new Cybersecurity Directorate, emphasized that one of her group's priorities is "ensuring that we’re working with standards bodies, we’re working with companies to ensure that those products are as secure as possible—cloud security, internet of things, looking at can we do low compute, low power. What’s the cryptography for that?"

Debate about the merits of lightweight cryptography isn't exactly generating major drama—especially considering NIST itself invited Teserakt researchers to share their industry perspective at its conference. But it's an important issue, especially given the stakes in working to better secure the billions of internet of things devices lurking everywhere.

"The upshot here seems to be that, sure, AES works, but performance matters, too," Johns Hopkins' Green says. "And for something like file encryption, where every file read or write requires doing crypto, the difference can add up, both in terms of speed and battery life."


More Great WIRED Stories