Date: 2020-01-20

End-to-end encryption is a staple of secure messaging apps such as WhatsApp and Signal. It ensures that no one – even the app developer – has access to your data while it traverses the web. But what if you could offer a version of that protection to increasingly ubiquitous – and notoriously unsafe – internet-of-things devices?

The Swiss cryptography company Teserakt is trying to do exactly that. Earlier this month, at the Real World Crypto conference in New York, it introduced E4, a type of cryptographic implant that IoT manufacturers can integrate into their servers. Today, most IoT data is encrypted at some point as it moves across the web, but keeping that protection consistent for the whole journey is a challenge. E4 would do most of the work behind the scenes, so whether companies make home routers, industrial control sensors or webcams, all data sent between the devices and their manufacturers can be encrypted.

Tech companies already rely on web encryption to keep IoT data safe, so it’s not as if your large fitness tracker is sending your health data without protection. But E4 strives for a more comprehensive, open source approach that is aligned with the reality of IoT. Carmakers that manage dozens of models and hundreds of thousands of vehicles, or an energy company that takes measurements from a huge fleet of smart meters, could be more certain that full encryption protection extends to every digital layer the data will cross.

“We now have many different devices in different industries that send and receive data,” said Jean-Philippe Aumasson, CEO of Teserakt. “That data can be software updates, telemetry data, user data, personal data. So it has to be protected between the device that produces it and the device that receives it, but technically it is very difficult if you don’t have the tools. So we wanted to build something that manufacturers could easily integrate at the software level.”

Being open source is also what gives the Signal Protocol, which underpins Signal and WhatsApp, so much credibility. It means that experts can check under the hood for vulnerabilities and errors. And it enables every developer to incorporate the protocol into their product, rather than taking on the fraught and risky task of developing encryption security themselves.

“In the end, we know it’s good to do.”

Jean-Philippe Aumasson, Teserakt

Aumasson says that the Signal Protocol itself does not translate directly to IoT, which makes sense. Messaging apps involve external, but still direct, human-to-human interaction, while populations of embedded devices send data back to a manufacturer or vice versa. IoT needs a scheme that takes into account these “many-to-one” and “one-to-many” data streams. And end-to-end encryption has different privacy goals when applied to IoT versus secure messaging. Encrypted chat apps are essentially meant to lock out the developer, internet providers, national spies, and other snoops. But in the IoT context, manufacturers still have access to their customers’ data; the purpose is instead to protect the data against other entities and Teserakt itself.

E4 also only hardens IoT defenses against a specific type of problem. It aims to improve the protection of data in transit and to guard against interception and manipulation of that data. But just as encrypted chat services cannot protect your messages if bad actors have access to your smartphone itself, E4 does not protect against a compromise of a company’s servers or of the IoT devices themselves.

“I think it’s a good idea, but developers should keep in mind that it only covers part of the data protection,” said Jatin Kataria, chief scientist at the IoT security company Red Balloon. “What is the security architecture of the embedded device itself and the servers that receive this data? If those two endpoints are not that secure, you can only get so far with end-to-end encryption.”

Teserakt has consulted with major technology companies in the aerospace, healthcare, agriculture, automotive and energy sectors to develop E4, and plans to earn money by charging companies to adjust implementations for their specific infrastructure. The company does not yet have full server code for E4 alongside the protocol details and cryptographic documentation that it has released, but says that final step will come once the documentation is complete. Given the glacial pace of investment in IoT security in general, you probably shouldn’t expect E4 to protect the entire industry anytime soon.

