My connected devices were initially secured using a hash-based message authentication code (HMAC). An HMAC is constructed for each HTTP request directed at a device. The HMAC is created by combining certain HTTP header elements, the time and date, the request body, and a secret key / password. The output block is then attached to the request header and transmitted to the selected device. Upon reception of the request, the device collects the same header information, the time and date, and the body of the message, and computes the HMAC using the same secret key/password. If the computed HMAC matches the one sent with the request, then the request is fulfilled.
While this protects the device from being compromised and the data from being changed, it does nothing to protect the data from being read by prying eyes. At first glance, this may seem unimportant since the data, whether inadvertently or intentionally viewed by others, carries little information. For example, why would we care if others know the temperature of some sensor in our home? Why would it matter if someone knows the ringtone loaded into our doorbell? Why would it matter if others see the setting on our thermostat? Well, each on its own might not matter, but with perhaps hundreds of devices in our home, we expose a lot of unprotected data for criminals to exploit.
Imagine a criminal mastermind sniffing your unprotected data and learning that your thermostat was set to 55 degrees and the dog bark ringtone was loaded into your doorbell. In addition, late in the evening, the temperature in the home is 55 degrees. It wouldn’t be difficult to conjecture that no one is home. In addition, the dog bark ringtone may lead them to believe that you’re gone for a while.
This simple example is intended to demonstrate that, although we might erroneously think that this data does not need to be protected, it does. In addition to protecting the device from intruders using HMAC, the data must be encrypted using SSL or other secure techniques. By securing both your connected devices and your data, you will reduce the chance of having your virtual and physical spaces compromised by criminals.