In IoT Security - Why We Need to be Securing the Internet of Things, we saw that security in IoT is absolutely critical. Without proper security, vulnerable devices can threaten the privacy and safety of consumers, businesses, and governments alike.
In Internet of Things Security Issues and Barriers to Change, we saw that there are many issues with IoT security right now and these issues aren’t easily fixed. We face a myriad of significant barriers that inhibit making the necessary changes.
So what are some possible solutions? How should consumers, businesses, and governments be thinking about security in IoT?
Better security practices at the consumer level are extremely important. Not only is your own data, privacy, and safety at risk when you don’t take the proper security measures, but you can also negatively impact thousands of other people. This is exactly what happened with the Mirai botnet attack described in Internet of Things Security Issues and Barriers to Change.
Software updates help address newly discovered vulnerabilities, keeping your devices as safe as possible. While it would be nice for all your devices to update themselves, many require permission from you the owner (a necessary precaution against nefarious updates from third-parties), so you need to be on top of it.
You might be tired of hearing you need to change your passwords, but too few people actually do so on a regular basis. When passwords are stolen, it’s often without the awareness of the victim. That password might not be used immediately either.
One of the biggest barriers to change is a lack of incentives for manufacturers to provide better security in IoT. Make sure to buy products from businesses that take IoT security seriously, incentivizing the rest of the market to follow suit.
When buying an IoT product or service ask: does the seller plan to offer updates to the device over time? How long will those updates be offered, is it close to the lifespan of the product? Is there a program for reporting any vulnerabilities that are discovered?
Is it really reasonable for consumers to stay on top of updates or to change passwords on dozens of devices every 6 months? Probably not. While the consumer practices above are important for security in IoT, it’s ultimately on the shoulders of businesses to create the necessary changes.
There may not be strong financial incentives to be proactive on security, but businesses need to be aware of the consequences of their actions (or lack of actions) when building IoT products and services.
Security in IoT isn’t something that can be bolted on at the end, it needs to be considered at every step of the development process and beyond.
IoT security presents a unique challenge because there are so many devices and, consequently, so many possible points of attack. The old paradigm was that devices could be considered safe as long as they were behind a firewall, but no longer.
Now, devices need to be secure in and of themselves. Sometimes devices can’t be behind a firewall because of the nature of the IoT application. Or, threats can even propagate from within the apparent “safety” of the system (e.g. as one device in a home network becomes compromised then begins affecting other devices on that same network).
As such, security needs to permeate every aspect of an IoT system. Hardware. Software. Connectivity. Everything.
Make sure that all data is encrypted. If the system does get compromised, this means the data can’t simply be read in plain text by the hackers. This may seem obvious but, sadly, it isn’t practiced enough.
Also, don’t store data on customers that you don’t need. If you don’t need location data, don’t store it. Not only does this limit the damage if you are attacked successfully, but it also makes you a less valuable target in the first place.
Even if you’ve made security a priority and you’ve taken precautions to protect data, you can still be hacked. There is no such thing as perfect security. Just as security measures continue to improve, so too do means of attack.
All of your products and services should ship with reasonably current software. That is, software that isn’t outdated and doesn’t have known vulnerabilities. However, new vulnerabilities will be discovered over time.
As a business, you need a plan to find these vulnerabilities and to address them when they’re exposed. Have some way for people to report vulnerabilities that they find. Use automated, secure, over-the-air updates to address these vulnerabilities. Plan to provide support for IoT devices over their entire lifespan (as many as 15–20 years) instead of just the standard 3–5 years.
In general, you need to have a plan for how you’re going to respond to a breach of security.
For a cool look at cybercrime and why businesses should share their information on attacks, check out the above TED talk from Caleb Barlow of IBM.
The practices I describe above would go a long way in helping to address the current issues with IoT security. But will consumers and businesses actually follow these practices? Without the proper incentives, I think it unlikely.
One of the duties of government is to address market failures, creating incentives (positive or negative) where they don’t currently exist and ultimately benefiting everybody. By creating regulations to penalize businesses that don’t take IoT security seriously enough, the government can positively influence the market.
An argument against government regulation is that such regulations might stifle innovation. This may be true, but as new technologies continue to evolve and develop a greater potential for harm, it might be beneficial to slow the rate of innovation and gain greater safety and privacy.
We have nutrition labels for foods so that consumers can make more informed decisions about what they’re buying. Similarly, the government could introduce an IoT security rating or label to help consumers better understand the IoT products and services they’re considering for purchase. Something like a Five Star Rating simplifies decision making, making it easier for consumers to make choices that support improved security.
However, such a rating system might also prove to be ineffective. As explored above with businesses, there’s no such thing as perfect security in IoT and everything changes at rapid pace. What happens when a vulnerability is discovered in a product/service with a five star rating? Is it downgraded? This might be hard to do if it’s a physical product in stores.
Ultimately, there is no single solution or answer. The Internet of Things will create challenges that we have never faced before, and those challenges will constantly evolve with time.
The best things we can do is to realize that the nature of IoT is importantly different from what we’ve experienced in the past. We need to understand that security is extremely important to everyone, and think critically about how to secure our future.