IoT security is an increasingly urgent issue, but is still in the early stages of resolution. We take a look at the “Cost to Care” ratio, and why it is set to dictate our responses to this trend for some time to come…
The Internet of Things has been a discussion point for years, but only recently has the security aspect become anything more than a concept. However, with recent record-breaking DDoS attacks being squarely blamed on insecure IoT devices, and the publication of the botnet source code (dubbed Mirai); it’s certain this is just a beginning.
With an estimated 25 to 50 billion devices set to be connected through IoT by 2020, the scale of the problem is likely to increase. But as the technology to secure, or at least harden IoT devices to attack already exists, what’s the problem with better securing IoT devices?
As always – the bottom line is cost and demand; the “Cost to Care” ratio, if you will – a term coined by Boston-based information services expert Jeff Schiller at an IoT security seminar last November.
There are three primary factors to consider here:
The IoT device must be independently secure. Can a malicious party hack into it in order to access or alter recorded data? Can it be reprogrammed?
Encrypting stored data, and robust firmware/software validation mechanisms are required to prevent device exploitation. The Mirai botnet acquires new devices by testing out a few default passwords and admin credentials, for example, which are commonly left unchanged by end users.
Whenever data is transmitted, precautions are essential to stop information being intercepted or manipulated. Whether it’s ensuring that the user’s wireless network has appropriate security mechanisms enabled to avoid unauthorised access (e.g. WPA2-AES), or encrypting data when it is transmitted across the Internet (e.g. SSL), transport cryptography and properly implemented server certification are key technologies.
Arguably, however, the most critical is the issue of accumulated data.
In the age of identity theft, a single server storing detailed user information is a tempting target for a cost-effective attack.
How secure is the end server holding this trove of historical data? Are account details, addresses and financial information stored in an encrypted form that conforms to relevant standards? Does the company have audit policies in place to ensure only required staff have access to this data and that they’re using appropriate security hygiene, and perhaps most importantly, is the network monitored, in order to identify unusual network traffic that could indicate malicious activity?
So, theoretically, securing these three separate areas will result in a secure, robust end-to-end system for the user and service providers – so where’s the problem and why hasn’t this already been done?
Jeff Schiller from the Boston Unix and Linux Users Group advocates that the “Price-to-Care Ratio” is about how price reflects the amount that people care about something, and, in turn, what they’re prepared to pay. Security is a negative deliverable. Users only see it as important once the system has already failed and their data misappropriated. They need to be more security conscious, made aware of it as a key feature, and understand why it’s required.
Unfortunately, IoT safeguards are eventually going to cost us all more, because security adds expense due to longer development times, and increased complexity. But this doesn’t have any apparent benefits and, if not done correctly, can create a more convoluted user experience. It’s not generally seen as a feature that makes a product or service better, which is a problem in itself – manufacturers need to turn security into a positive, thus justifying the estimated 25 per cent additional cost associated with the time and resource investment to provide improved data safeguards.
IoT Security – Factored in from the Start
It’s also vital that security is baked into a product from the very beginning, rather than added at the end as an afterthought. Safeguards can no longer be considered an afterthought; adding security near the end of a development project rarely provides the robust protection industry and consumers require.
An example of a hardware solution which could help solve the problem is the integration of Trusted Platform Modules (TPMs) – hardware which verifies whether or not the software it’s running has been tampered with, notably from manufacturers such as Atmel. On the software side, there are several existing transport layer security protocols, one of the most obvious being Open SSL.
While developers will often use Open SSL as a secure transport protocol, they’ll often not consider the question of updates ‘in the field.’ So when a new vulnerability is found – such as Heartbleed – then devices can’t be patched. It’s a fact that 56% of all implementations of SSL are at least 50 months old, which leaves them open to a raft of well-known exploits. These updates should be automatically applied, rather than relying on how well-informed the end user is.
The Premium Necessary for IoT Security
Ultimately, the Cost to Care Ratio can only be resolved if manufacturers are prepared to dig deep to provide solutions. Corporations must accept their data responsibilities, including educating end users, who themselves need care enough to pay the premium necessary for IoT Security.
By Andrew Hogan, Embedded Software Engineer @ ByteSnap Design
*This article first appeared in Electronics Weekly