Recently there have been headlines in the security and tech press on an effort by some in the U.S Senate to introduce a set of security requirements for IoT devices purchased and operated by the U.S Government. Some have heralded this as the dawn of a new age of network security, where all of our many, many problems with insecure IoT devices will be solved.
It’s a nice idea – and certainly better than no action – but I’m afraid it’s a bandage on the wound at best, and far from a real solution. Why? There’s a few reasons why:
1. It only applies to devices purchased by the Government and related agencies. Compared to the overall IoT market, this is not a big area of opportunity for the types of IoT devices you see on Amazon or on big-box store shelves, such as Netgear Arlo cameras. Devices in use by these agencies in any volume are likely already to be specialised and niche, as well as better secured than the deluge of mass-market devices available today.
2. Similar standards already exist for other classes of devices, such as network infrastructure equipment (see the FIPS (Federal Information Processing Standard) 140-2 family among others) and their adoption within the Government space has done little to improve the general security of the whole market. These standards have been in place for many years and cheap, mass-produced Wi-Fi routers, to take one example, with horrific security issues are if anything more common than ever.
3. All of the secure product development and deployment standards in the world will not save you from an insecure deployment; at the end of the day, they do little to educate and improve the behaviour of the people deploying and operating the equipment after its purchase.
4. Many IoT devices operating in the consumer and enterprise spaces today also rely on a connected cloud service for a variety of functions, raising its own set of issues and complications in terms of overall system security. Determining whether a given device has a sufficient level of security with legislation is difficult enough; add a remote and evolving cloud service to the mix and it becomes near impossible to do in a timely fashion.
5. Security and technical development in general moves far faster than legislation. This means any rules in the legislation have to be sufficiently broad and unfocused to make them applicable to future devices that may be different from the ones existing at the time the legislation was written. The result? Everyone can come up with different varyingly-effective ways to accomplish the aims of the legislation.
I don’t want to sound too gloomy on the prospect of IoT device security legislation, but let’s look at it for what it is: a fairly small potential improvement to the global problem of IoT security, and very far from a panacea to all of our ongoing concerns. Devices not targeted at the U.S Government market will not adopt these standards and so the vast majority of consumers will see none of the benefits.
Could such legislation be expanded to cover consumer devices, and therefore impart some sort of benefit to the vast majority of users and networks? In theory, yes; in other areas of technology such as automobiles, the safety standards for products are tightly regulated. If we look at information security as of equal importance, couldn’t the same thing be done with IoT devices?
Unfortunately, such moves are very unpopular with those companies producing and selling devices as it requires them to invest more time in development and slow down their ability to release products. Although there are some benefits that could be had from this approach, many powerful companies have the money and influence to oppose such measures, which would likely result in them becoming so watered down as to be essentially pointless.
In some ways, the FCC could be looked upon as an example of this model; before sale for a device is approved in the U.S., devices equipped with wireless communication facilities must be tested and approved in accordance with FCC guidelines on the operation of radio devices. Although this certainly does contribute to devices being better behaved and playing by the rules set out by the FCC, it also does limit the speed at which companies are able to bring products to market.
Without a body similar to the FCC and sweeping changes to the entire process of how devices are declared ready for sale in the U.S., this model will not work. So, what can we do?
The sad fact of device and network security is that what is needed to be done is not new, in any way. The steps and thought processes required to properly secure an IoT device are the same as those required to secure any network-connected device, with allowances made for specific implementation requirements due to the low-power and small physical size constraints of these devices.
The basic tenants of device and network security have not changed, so it’s not like a whole new school of fundamental thought is required for vendors and network operators to create secure IoT systems; they merely need to apply tried and tested security principles. The fact that his has not been done by many high-profile devices to an acceptable standard only further shows that security, despite claims to the contrary, is still not an equal priority to features or price for vendors or their customers.
Will IoT devices be the ones to change this equation? The thinking was that by interacting with the physical world – things like IoT locks and garage door openers – they would prompt people to push for the same level of security they feel from a traditional mechanical lock system. Instead, this hasn’t really happened; people buy IoT devices for convenience and features, with security as a secondary check box feature.
If a greater level of security is truly to be obtained for IoT devices, one thing will make that happen: consumers refusing to buy poorly-secured devices in favour of those that are better-designed. Given the behaviour seen to date following security flaws exposed in popular devices, the chances of this happening soon are slim.