Securing the Internet of Things

Barely a day goes by without a new security horror story about the Internet of Things, be it cameras allowing unauthorised remote access, remotely hackable car door lock systems or the ability for unauthorised parties halfway across the world to turn off the lights in your house.

In a rush to get devices to market, security has been neglected by many vendors, and this shows little sign of abating in the near future. As competition heats up across the many sectors making up the IoT, the pressure to get devices into customer’s hands will only increase, creating no shortage of future security issues waiting to be discovered.

This situation is the product of business priorities, not technical restrictions. Although far from a solved problem, computer and network security has advanced far beyond the issues plaguing many IoT devices and systems today. If modern best-practices were applied to the litany of consumer devices on the market right now, a drastic reduction in the frequency and potency of malware and unauthorised access attacks impacting these devices would be seen.

As ever, here’s the problem with security: it’s invisible. A perfectly secure solution offers no greater functionality or speed, and indeed is likely to compromise both of these attributes, than an insecure solution. Time and time again it has been shown through consumer buying habits that security is not highly-valued, and more secure almost always takes a back seat to faster or cheaper.

Security is a nebulous concept to many consumers, with limited visibility. One interesting data point is the success of the Mac vs the PC, where an often-cited reason for purchasing the former over the latter is the impression of better security. However, this is infrequently replicated across other product segments, and is largely due to the reams of bad press during the 1990s about ‘PC viruses’ coupled with very successful advertising campaigns by Apple capitalising on this during the 2000s.

Although there is growing consumer awareness of security and privacy, it’s unlikely that these factors will significantly impact buying decisions to a measurable extent for IoT in the near future. Many consumers have an attitude of ‘it won’t happen to me’, and are undeterred by widely-reported and exploited security issues with many devices in their homes today.

It’s also little consolation when equipment manufacturers simply say they value security and pay lip-service to it; without actual investment of time and money in ground-up security engineering, from device software to the cloud services supporting them and all the other related parts of an IoT system such as device registration, poor security will continue to be endemic across IoT devices.

If we assume that IoT device security is and will remain poor for a substantial period of time, likely measured in years, what can be done? When the device itself and the user cannot be trusted to implement security, where else can it be implemented with a reasonable chance of success?

The network can, and many would argue should, be used to provide a solid layer of defence against attacks targeting IoT devices. By routing traffic destined for IoT devices through a back-end system which attempts to identify known exploits and non-standard access attempts, the ISP stands the best chance at improving the overall level of security for a home user’s network and IoT devices.

Indeed, this functionality could present the ISP with an additional value-added service that they could effectively market or even monetise individually. Internet service packages could include TV, internet and phone service as they do today, with added network-based threat detection and prevention for up to 10 IoT devices included for free, with the option to pay a monthly fee for a higher number.

Tying into other significant global trends around Network Functions Virtualisation (NFV) and virtual Customer Premises Equipment (vCPE), this capability is likely to be one of the first value-added service offerings from forward-thinking ISPs who have the available network infrastructure.

Although by no means omnipotent or invulnerable, the likely benefits of a software-based threat detection system inside the network applying best practices and being updated quickly following the revelation of a zero-day exploit are significantly higher than expecting a home-device consumer to patch their devices or apply even basic security precautions to their network.

Until IoT devices are treated as what they are – long-living distributed computing systems, not as throwaway consumer items, they will remain poorly-secured and unpatched. Manufacturers of IoT devices are beginning to discover that once a product is released, it lives for a very long time, and customer’s growing expectations only add to this. The implications for support in terms of both customer service and software updates are significant.

However, it’s fair to ask: if a significant proportion of IoT consumers aren’t overly concerned about security, why should IoT equipment manufacturers and supporting service providers care?

Simply put, eventually they will care. When tangible impact is felt by the consumer from poor device security, such as their car not starting or their front door not unlocking, security will become a major issue. Although privacy leaks and unauthorised access attacks have occurred with not just IoT devices but computers of all shapes and sizes for many years, the loss of information is too abstract for many to link it with a particular level of importance.

As the severity of attacks increases in step with the increasing integration of IoT devices into tangible areas of people’s lives, the stakes rise significantly, as does the visibility that security gains for these devices in the mind of the average consumer. At a certain (overdue) point, security will become the determining factor in a purchasing decision, when the core functionality of a device such as operation as a front door lock is available at the same level from multiple manufacturers.

Can security truly be a differentiator for a consumer purchasing decision?

Ultimately, yes. But it will take attacks on tangible systems and functions before it is.