When it comes to measuring the security of Internet of Things devices, a checklist of ‘low hanging fruit’ security features like strong passwords and hardened firmware is a good place to start. But (much) more is needed, says Mike Sheward of Particle.io.
IoT is such a remarkably broad term, encompassing everything from the connected smart speakers that you’ll find in the typical home, to the industrial systems that control furnaces and pumps that you won’t – unless someone has a particularly unusual living arrangement. This breadth is one of the reasons IoT is such a fascinating industry to work in, and also why it is a challenge to define a uniform security standard for devices to conform to.
Listening to private conversations in a residence, or disrupting the water supply to an entire town are two very valid security concerns, but with differing blast radii in terms of impact. So when we talk about IoT security, it’s important to remember this context and build security standards that are flexible enough to span the entire spectrum of devices out there.
There are some things, of course, that are foundational and go a long way towards establishing a general security baseline. Hidden backdoor accounts and default, unchangeable, weak passwords have long been the downfall of many a device. Similarly, bloated firmware with unnecessary services running and tools left on a device gives an attacker a ready-made foothold once they reach it. So, when it comes to measuring the security level of a device, a simple checklist of these ‘low hanging fruit’ items is a good place to start, but they are just that – the start.
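To make that checklist concrete, here is a static triage script for an extracted firmware root filesystem that looks for the three items just named: hidden UID-0 accounts, empty or legacy password hashes, and legacy network daemons launched at boot. It is an added example, not Particle’s tooling; the filesystem it inspects is a constructed in-memory sample so it runs offline, the file layouts follow the standard Linux /etc/passwd, /etc/shadow and /etc/inittab formats, and RISKY_SERVICES is an assumed, reviewer-chosen list.

```python
"""Static 'low hanging fruit' triage of an extracted firmware rootfs.

Added example, not Particle's code. SAMPLE_FS is a constructed
in-memory image; RISKY_SERVICES is an assumed reviewer-chosen list.
"""
import re

RISKY_SERVICES = ("telnetd", "ftpd", "tftpd", "rshd", "rlogind")
LOCKED = {"*", "!", "!!"}  # shadow values meaning 'no password login'


def parse_passwd(text):
    """Map user name -> {uid, shell, pw} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields[:7]
        users[name] = {"uid": int(uid), "shell": shell, "pw": pw}
    return users


def parse_shadow(text):
    """Map user name -> password hash field from /etc/shadow content."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def audit(fs):
    """Return sorted findings for a {path: content} view of a rootfs."""
    findings = []
    users = parse_passwd(fs.get("/etc/passwd", ""))
    shadow = parse_shadow(fs.get("/etc/shadow", ""))

    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"backdoor: extra UID-0 account '{name}'")
        if u["shell"].endswith(("nologin", "/false")):
            continue  # no interactive login possible; hash quality irrelevant
        # Hash lives in /etc/shadow when passwd holds 'x'; older images
        # keep it directly in the passwd field.
        h = shadow.get(name, "x") if u["pw"] == "x" else u["pw"]
        if h == "x":
            continue  # passwd points at shadow but no entry exists
        if h == "":
            findings.append(f"weak-password: '{name}' has an empty password")
        elif h in LOCKED:
            continue
        elif not h.startswith("$"):
            findings.append(f"weak-password: '{name}' uses legacy DES crypt")
        elif h.startswith("$1$"):
            findings.append(f"weak-password: '{name}' uses MD5 crypt")

    # Services: any risky daemon launched from inittab or an init.d
    # script counts as bloat, whether or not the product needs it.
    for path, content in fs.items():
        if path == "/etc/inittab" or path.startswith("/etc/init.d/"):
            for svc in RISKY_SERVICES:
                if re.search(rf"\b{svc}\b", content):
                    findings.append(f"bloat: {svc} started from {path}")
    return sorted(findings)


# Constructed sample rootfs (not a real product image).
SAMPLE_FS = {
    "/etc/passwd": "\n".join([
        "root:x:0:0:root:/root:/bin/sh",
        "admin:x:0:0:admin:/:/bin/sh",          # hidden second UID-0 account
        "support:x:1000:1000:support:/:/bin/sh",
        "daemon:x:1:1:daemon:/:/sbin/nologin",
    ]),
    "/etc/shadow": "\n".join([
        "root:$6$saltsalt$placeholderhash:18000:0:99999:7:::",
        "admin::18000:0:99999:7:::",            # empty password field
        "support:AbCdEfGhIjKlM:18000:0:99999:7:::",  # 13-char DES crypt
        "daemon:*:18000:0:99999:7:::",
    ]),
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n",
    "/etc/init.d/S50ftp": "#!/bin/sh\n/usr/sbin/ftpd -D &\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FS):
        print(finding)
```

Run against a real image, point `fs` at the files under the unpacked squashfs or jffs2 root instead of SAMPLE_FS; the point of the sample is that all five findings are the kind of thing a checklist catches in minutes, and none of them say anything about the cloud side the next section turns to.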
IoT ecosystems: an overlooked risk
One of the most commonly overlooked aspects of IoT devices is the ecosystem that surrounds them. In other words, the environment they talk back to: the bits that put the ‘connected’ in connected products.
“When reviewing (security) features, it’s important to ask the question – do they really protect my privacy, or do they simply defer protection to a different company?” -Mike Sheward, Particle.io
During the development of a connected product, there is often a rush to focus on the hardware aspects of the ‘thing.’ The software, both on the device and in the ecosystem it relies on, is usually given less attention than the hardware components. This makes sense, of course, because hardware is hard: it takes time to manufacture and is far more difficult to update and redesign. Software usually falls into the category of ‘oh, we can polish this later’. Unfortunately, in many cases, later never comes.
All of this is to say that a general IoT security standard needs to apply just as readily to the cloud services bundled with a device as to the device itself, because those services are just as important in determining whether a ‘thing’ is secure or not.
As a society, we’re becoming increasingly aware of topics such as data privacy and security, and of the impact when they are handled badly. This has been driven by new laws that give consumers more rights over their personal data and how it’s used, by the fact that most people have been caught up in at least one data breach at this point, and by the expectation that online services will always be online.
To see this last point in action, check social media during any sort of cloud service outage: it takes about twelve seconds for someone to wonder whether said cloud service has been ‘hacked’.
Some companies are now leveraging this newfound awareness in their marketing and product features. Apple, for example, often plays up its privacy practices and features. The ability to create an aliased email address that hides your real one, so it isn’t sucked into the giant vacuum of advertiser data, is now a standard feature on the iPhone. That would have been unthinkable a few years ago.
Of course, when reviewing these features, it’s important to ask the question – do they really protect my privacy, or do they simply defer protection to a different company? Transparency in the answer to that question matters, and it is something that should be factored into any IoT security standard.
Consumers need a baseline level of understanding as to who exactly has their data, how it is protected, and how they can expect it to be shared or used. Companies need to be forced to be extremely transparent in relaying these points, with severe penalties for being ‘flexible’ with the truth.
On IoT labeling: the proof is in the pudding
This brings us to the White House’s proposed label for IoT devices: a ‘nutritional information’ sticker that allows consumers to make judgments about a product based on their risk appetite. On paper, it’s a great idea. It encourages manufacturers to be transparent about what their products are doing, and how they are doing it.
In reality, the proof is very much in the pudding. Enforcement and certification are always the biggest challenges in a program like this one.
I always say that the information security industry would do well to follow the lead of the aviation industry. In aviation, because the stakes are so high, quite literally, the certification and compliance requirements of components are as well. Of course, all of this comes at a cost, and not one that many IoT manufacturers can afford.
The answer, therefore, lies somewhere in between. We need a security standard that is both informative to the consumer and independently verifiable, because its tests and their output are uniform enough to be repeated. If we can find this happy medium, the program will be a success. If not, it’ll likely go down in history as another attempt at self-regulation that is open to cheating and manipulation, and that is something that will make us all less secure.