Why is security such an issue for IoT? What are the barriers to addressing these issues? #askIoT
In Securing the Internet of Things Pt. 1, we saw that security is an absolutely critical component of any IoT system. Without proper security, vulnerable devices can threaten the privacy and safety of consumers, businesses, and governments alike.
So why is security such an issue for IoT? And how do consumers, businesses, and governments address these problems?
The Internet of Things is powerful because it leverages diverse networks of sensors to generate huge amounts of data, using that data to perform actions and create extremely useful insights. Since IoT requires mass production of sensors and devices, one issue is that a discovered vulnerability in one of those sensors/devices can mean thousands or millions of sensors/devices that can be affected.
So you may wonder, why are these sensors/devices vulnerable in the first place? As we saw in the previous post with the Mirai Botnet, a large part of the problem is that default passwords and login credentials aren’t changed on devices.
To build a sensor or device for an IoT application, multiple companies are involved in the production chain. If you’re building a router for example, you might start with a chip manufacturer like Broadcom, Qualcomm, or Marvel.
That specialized chip is purchased by an original device manufacturer (ODM) who then builds the rest of the router around the chip. Finally, that device is purchased by a brand-name company who adds a user interface and some other features, boxes up the device, then sells to consumers.
Original vendors use default passwords and login credentials so that the next in the chain can get up and started with ease. The issue is that the next in the chain often doesn’t change the default passwords or login credentials, leaving them when shipped to consumers.
Though this seems an obvious problem, another issue is that many companies building these sensors or devices are new to the Internet of Things. Since they’re new to IoT and the potential pitfalls of connected devices, these companies are unfamiliar with security and often don’t make security a priority. After all, integrating security is more expensive and can slow time to market.
As a result, data being sent by these sensors/devices might be unencrypted during communication, meaning it can be intercepted and understood by third-parties. Also, these new IoT companies leave sensors/devices in a network together (e.g. in the home) without isolating them from each other. So if one device is compromised, it can mean access to the entire network and all the other devices on that network.
Barriers to Change
All of us are familiar with software updates. We get them on our laptops, our tablets, our phones, etc.. But why do we get them? Software is never perfect, as new bugs, issues, or vulnerabilities are discovered, changes need to be made and we make these changes with over-the-air (meaning via an internet connection) software updates.
So why don’t we send software updates to vulnerable IoT devices? Well first there needs to be someone creating and sending these software updates, but there’s a distinct misalignment of incentives for companies to do so.
Returning to the above example of the router, the chip manufacturers have small profit margins on their chips so they’re incentivized to do as little engineering as possible and don’t have much reason to provide ongoing support. Instead, the chip manufacturers are busy developing and shipping the next version of their chip.
The ODMs won’t have their name on the final product so they’re also incentivized to do as little engineering as possible and don’t have much reason to provide ongoing support. Instead, ODMs are busy upgrading to make sure they can work with the next version of the chip.
The last step in the chain (the consumer facing company) has greater incentive to provide ongoing support since it’s their name on the final product, but they may not be able to address newly discovered vulnerabilities because those vulnerabilities are from an earlier step in the chain. The barrier here is a lack of incentives for every step in the chain to take security seriously and to provide ongoing support and updates for old products.
However, not all of the blame can be placed on the companies. There are also physical constraints on providing necessary updates.
The Internet of Things often relies on sensors and devices that have low processing power and small memory. Processing power and memory are expensive and consume more energy, so IoT applications utilize sensors and devices that have just enough to perform their tasks. But with low processing power and memory, these sensors and devices aren’t sophisticated enough to perform over-the-air updates.
By nature, over-the-air updates also require connectivity. Many IoT applications have intermittent or unreliable connectivity which poses a further physical constraint on software updates.
And even when updates are possible, there may be other reasons not to push those updates. It’s one thing to have your computer shut off for 15 minutes to install an update, it’s quite another for the safety systems of a nuclear reactor to shut off for 15 minutes. For IoT applications that are life-critical, just a few minutes or seconds might be too long to perform an update.
For IoT applications that aren’t life-critical, you might not want to push updates because they’re so energy intensive. Many IoT applications make use of battery powered sensors and devices, so frequent updates would significantly decrease their expected lifespan.
Speaking of lifespan, another aspect of IoT applications that acts as a barrier is the long life-cycle of products. Whereas you might expect a laptop or phone to last 3–5 years, IoT sensors and devices might need to last 15–20 years. Creating a product that remains secure and invulnerable for that long is basically impossible, so ongoing support and frequent updates are needed. But providing ongoing support and frequent updates for that long is quite expensive and faces the barriers described above.
So how should consumers, businesses, and governments address security issues in IoT?
I’ll answer these questions in Part 3! So please follow and check back!
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.