Security Issues with the IoT
As a system of interconnected devices, the Internet of Things (IoT) has existed for decades, albeit under different names and in different guises.
The ability to connect, communicate with, and remotely manage immense numbers of networked, automated devices via the internet has now permeated all areas of our lives. However, against a wider backdrop of increasing cyber fraud and online crime, our growing reliance on interconnected devices is raising serious concerns about security.
We ask to what extent this intelligent technology can withstand security breaches or malicious interference? And to what degree is the IoT and its super mass of devices susceptible or vulnerable to intrusions that could compromise privacy or threaten public safety?
IoT security issues
In our view the overall security of the IoT hinges on how security risks are assessed and then managed.
IoT security goes beyond being ‘secure’ or ‘insecure’. There are degrees of vulnerability to contend with. Some devices are basic and lacking any security features. Others offer highly sophisticated security features. Others fall somewhere in between.
The key questions to ask are:
- What is the risk of a device being compromised?
- What damage will the compromise cause?
- What will be required (time, resource, cost) to achieve different levels of protection?
Fundamentally, this is about how stakeholders make informed cost-benefit analysis decisions with respect to IoT devices.
Vendors will always have an interest in reducing cost, complexity and time to market. Adding more memory and a faster processor to implement security measures could easily make a product commercially uncompetitive.
So it becomes a question of tolerance of the device customer. Can I tolerate my device being hacked? Is security enough of a concern to increase the cost of my device?
As embedded software developers, we believe device developers for the IoT have an obligation to ensure devices do not expose either their own users or others to potential harm.
Posing unique security challenges
Consumer demand is driving innovation, but the flip side is that it is also imposing unforgiving timelines on developers. There is a huge sense of urgency among companies to get their IoT devices to market as quickly as possible. To meet the demand, quick deployment can become the principal focus at the expense of security considerations, leading to IoT devices going to market with poor encryption, unpatched operating systems, and more.
But we see other challenges too:
- User awareness
Security risks arise through a general lack of user awareness of device capability, features and functions. A user may not be aware when a device is performing unwanted or overstepped functions. Or they may not be aware of manufacturer updates to device functions, creating vulnerabilities.
Some IoT devices are designed to be embedded in the environment, meaning a user does not actively monitor its operating status. And many devices have no clear way to alert the user when a security problem arises. A security breach might persist for a long time before being noticed and corrected if correction or mitigation is even possible or practical.
The sheer volume of interconnected devices in itself is we believe creating unique security challenges. This is particularly the case with identical or near identical devices potentially magnifying the possible impact of any single security vulnerability by the number of devices that all have the same characteristics.
It is a characteristic of many IoT devices that lifespan is considerably longer than what is usually associated with technology equipment. Longevity in the context of security raises issues where post-deployment reconfiguration or upgrading is impractical or impossible, for example if the company that developed the device no longer exists.
Further, security features that are adequate at the time of deployment may not be adequate for the full lifespan of the device as security threats emerge and evolve.
Any potential requirements for IoT devices to have a built-in end-of-life expiration feature that disables them would we consider be very challenging in the open marketplace.
Tackling the issue of IoT security
IoT developers, as individuals and the community as a whole, will need to adapt (and in some cases overhaul) current practices to overcome the security risks being posed now and in the future. There are a number of ways we believe control can be exerted over the threats:
- Knowledge sharing
Best practice and lessons learned from IoT security problems should be captured and conveyed to development communities to improve future generations of devices.
Training and educational resources should be made available to teach engineers and developers more secure IoT design.
- Risk assessment
Developing and implementing technical and operational standards for accurately quantifying and assessing security risks will provide clarity and consistency across the market. The same applies to identifying and measuring characteristics of IoT device security.
- Commercial realism
The reality is, device designers and manufacturers are not motivated to accept additional product design cost to make devices more secure, and, in particular, to take responsibility for the impact of any negative externalities resulting from their security decisions. Further, incompatibilities between functionality and usability will need to be reconciled with security.
Failure to change this stance will prohibit any progress in ensuring mitigation of security risk. IoT security solutions should support opportunities for innovation, social and economic growth.
- Regulation & liability
To be fit for purpose, regulations will need to keep pace with changes in IoT technologies and associated security issues and liabilities. It is possible that consumer protection and product liability laws may need to be adapted or extended to cover any defects related to the IoT. The practicalities of this and the cross-border complications we’ll leave to the lawyers to debate! From our perspective, it is a fine line to achieve sufficient regulation to maintain order and standards while also enabling innovation to thrive within an open environment.
With widespread appetite for IoT devices showing no sign of abate, security issues will continue to be one of, if not the most important, challenge of mass adoption. The IoT development community has to take responsibility and respond to these threats.