In Securing the Internet of Things Pt. 1, we saw that security is an absolutely critical component of any IoT system. Without proper security, vulnerable devices can threaten the privacy and safety of consumers, businesses, and governments alike.
In Securing the Internet of Things Pt. 2, we saw that there are many issues with IoT security right now and these issues aren’t easily fixed. We face a myriad of significant barriers that inhibit making the necessary changes.
So what are some possible solutions? How should consumers, businesses, and governments be thinking about IoT security?
Better security practices at the consumer level are extremely important. Not only is your own data, privacy, and safety at risk when you don’t take the proper security measures, but you can also negatively impact thousands of other people. This is exactly what happened with the Mirai botnet attack described in Securing the Internet of Things Pt. 2.
First, make sure the software on all of your devices is up-to-date.
Software updates help address newly discovered vulnerabilities, keeping your devices as safe as possible. While it would be nice for all your devices to update themselves, many require permission from you the owner (a necessary precaution against nefarious updates from third-parties), so you need to be on top of it.
Second, regularly change your passwords.
You might be tired of hearing you need to change your passwords, but too few people actually do so on a regular basis. When passwords are stolen, it’s often without the awareness of the victim. That password might not be used immediately either.
Finally, influence the market with your dollar.
One of the biggest barriers to change is a lack of incentives for IoT manufacturers to provide better security. Make sure to buy products from businesses that take security seriously, incentivizing the rest of the market to follow suit.
When buying an IoT product or service ask: does the seller plan to offer updates to the device over time? How long will those updates be offered, is it close to the lifespan of the product? Is there a program for reporting any vulnerabilities that are discovered?
Is it really reasonable for consumers to stay on top of updates or to change passwords on dozens of devices every 6 months? Probably not. While the consumer practices above are important for IoT security, it’s ultimately on the shoulders of businesses to create the necessary changes.
There may not be strong financial incentives to be proactive on security, but businesses need to be aware of the consequences of their actions (or lack of actions) when building IoT products and services.
First, make security a priority, not an afterthought.
Security isn’t something that can be bolted on at the end, it needs to be considered at every step of the development process and beyond.
IoT security presents a unique challenge because there are so many devices and, consequently, so many possible points of attack. The old paradigm was that devices could be considered safe as long a they were behind a firewall, but no longer.
Now, devices need to be secure in and of themselves. Sometimes devices can’t be behind a firewall because of the nature of the IoT application. Or, threats can even propagate from within the apparent “safety” of the system (e.g. as one device in a home network becomes compromised then begins affecting other devices on that same network).
As such, security needs to permeate every aspect of an IoT system. Hardware. Software. Connectivity. Everything.
Second, take precautions to protect data.
Make sure that all data is encrypted. If the system does get compromised, this means the data can’t simply be read in plain text by the hackers. This may seem obvious but, sadly, it isn’t practiced enough.
Also, don’t store data on customers that you don’t need. If you don’t need location data, don’t store it. Not only does this limit the damage if you are attacked successfully, but it also makes you a less valuable target in the first place.
Finally, realize that there is no such thing as perfect security.
Even if you’ve made security a priority and you’ve taken precautions to protect data, you can still be hacked. There is no such thing as perfect security. Just as security measures continue to improve, so too do means of attack.
All of your products and services should ship with reasonably current software. That is, software that isn’t outdated and doesn’t have known vulnerabilities. However, new vulnerabilities will be discovered over time.
As a business, you need a plan to find these vulnerabilities and to address them when they’re exposed. Have some way for people to report vulnerabilities that they find. Use automated, secure, over-the-air updates to address these vulnerabilities. Plan to provide support for IoT devices over their entire lifespan (as many as 15–20 years) instead of just the standard 3–5 years.
In general, you need to have a plan for how you’re going to respond to a breach of security.
The practices I describe above would go a long way in helping to address the current issues with IoT security. But will consumers and businesses actually follow these practices? Without the proper incentives, I think it unlikely.
One of the duties government is to address market failures, creating incentives (positive or negative) where they don’t currently exist and ultimately benefiting everybody. By creating regulations to penalize businesses that don’t take security seriously enough, government can positively influence the market.
An argument against government regulation is that such regulations might stifle innovation. This may be true, but as new technologies continue to evolve and develop greater potential for harm, it might be beneficial to slow the rate of innovation and gain greater safety and privacy.
We have nutrition labels for foods so that consumers can make more informed decisions about what they’re buying. Similarly, government could introduce an IoT security rating or label to help consumers better understand the IoT products and services they’re considering for purchase. Something like a Five Star Rating simplifies decision making, making it easier for consumers to make choices that support improved security.
However, such a rating system might also prove to be ineffective. As explored above with businesses, there’s no such thing as perfect security and everything changes at rapid pace. What happens when a vulnerability is discovered in a product/service with a five star rating? Is it downgraded? This might be hard to do if it’s a physical product in stores.
Looking to the future
Ultimately, there is no single solution or answer. The Internet of Things will create challenges that we have never faced before, and those challenges will constantly evolve with time.
The best things we can do is to realize that the nature of IoT is importantly different from what we’ve experience in the past. We need to understand that security is extremely important to everyone, and think critically about how to secure our future.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.