Securing Billions of IoT Devices Poses Mind-Boggling Challenges
The Thread Group, which is developing an open protocol for creating a wireless mesh network for the home that will support more than 250 devices, said the Thread standard will include encryption for traffic traveling over the network layer. However, officials also noted that they expect any systems using Thread will also have their own security capabilities.

AllSeen's Ben-Zur told eWEEK that it's important to focus on security now rather than later. "Fundamentally, the issue of security—and also privacy—[has moved] to the forefront of the conversation" regarding IoT, she said. "That's one thing that we really haven't seen being talked about enough."

Security experts were mixed about how important a role consortiums will play in securing the Internet of things. Some argued that the focus of these groups is more on communication than security.

Comodo's Gilchrist said a protocol that would work in the IoT in a similar way that Secure Sockets Layer (SSL) did for the Web would be useful. However, he said that given the wide diversity of devices that will make up the IoT, there won't be a single paradigm that will cover everything. In addition, multiple consortiums tend to result in multiple standards, but as they did with WiFi, the standards could merge into a single standard. "If you're lucky, one [standard] will be clearly superior, and everyone gets behind it," Gilchrist said.

Dell's Ferguson said standards will be key moving forward. "Once something becomes a standard, you can build in management," he said.

That said, there are security measures and other steps that can be taken now. Ferguson is a proponent of putting sensitive data that is on devices into a secure virtual container, separating it from the rest of the device and making it difficult for a hacker to reach. "You can't contain the person, but you can contain the data," he said.
The security experts also pointed to other steps that can be taken, from simply building more security into software and hardware to using managed services—Ferguson likened it to using a safety deposit box at a bank for valuable documents—using tokens or other means to improve authentication, and having the capability of not only keeping hackers out of the systems but being able to detect them when they get in. IoT device manufacturers should adopt security aliases and should report security issues, and managing applications needs to be easier. For example, enabling more software to be automatically updated would take the responsibility out of the hands of users who might not be experts in such things.

Qualys' Rios—who said he loves the IoT despite the security problems—pointed to the case of a couple in Houston who was using an Internet-connected baby monitor. Someone hacked into the monitor and yelled at the couple's daughter. The company that made the baby monitor had developed firmware to address the vulnerabilities that had opened the device to hackers, but the couple—who had bought it through resellers—never learned of the firmware. He contrasted that with smartphones, which are automatically updated and increasingly resilient.

"I think the Internet of things will eventually get to that model," Rios said, noting that the focus of device and software developers is not on security—yet. "If you still see incidents like the baby monitor hack or smart building hacks, they'll start looking at it more closely."

Of increasing importance will be these manufacturers getting context—learning what has been done in the past regarding security so that they don't make the same errors as those made a decade ago. Rios said he continues to see embedded devices that contain simple, embedded passwords. It used to take hackers a long time to crack these passwords, he said. Now it takes minutes.

"There's no need for that," Rios said. "That's a lesson learned 20 years ago. There's no need to do that again. ... Hackers do have that context. We can't let people off the hook. ... If we don't get context very quickly in the IoT world, these devices will get crushed."

Education also is important, the security experts said. Teaching software programmers while they're still in school the importance of security in what they develop will help ensure that security is built into products down the road. Ferguson noted that engineers who build bridges need to be certified. Maybe those who make software need certification, as well. "People are becoming program literate," he said. "They need to become security literate."

Despite all the security issues that are coming as the Internet of things grows, most of those interviewed were optimistic about the future. Octoblu's Ramleth stressed the need for IT professionals to take the steps needed to be as secure as possible but not to fret over it. Otherwise, "how do I go on with life, because you can't just shut down," he said, adding that if a security problem arises, "don't panic." The benefits of the IoT will outweigh the risks, Ramleth said.

Rios and Ferguson both pointed to smartphones and tablets as examples of devices that offer high levels of connectivity and security. Ferguson said he wouldn't go into a Starbucks and plug most IoT devices into the coffee shop's WiFi network, but he wouldn't hesitate to do so with a smartphone. Rios agreed.

"We have a long way to go, a really long way to go," he said. "But if you look at the iPhone and Android devices, they're good examples. They're not perfect, but they're very good. We have a long way to go, but I think we'll get there."

Ferguson said the tech industry has solved some big problems in the past. Security around the Internet of things can be solved, as well. "Don't underestimate what software developers can do," he said. "We went to the moon in eight years, so I think if we have the will, we can do it."
"If we think the problem can be solved by consortiums, we're grossly underestimating the problem," Qualys' Rios said, noting he has yet to hear about an IoT protocol for security.