Because many IoT devices lack proper security, there has been a lot of talk about best practices for protecting your private information when using such devices. The number of IoT devices is expected to increase substantially in the coming years, and cyber threats are a growing concern, so why are these devices still not secured?
IoT Security: It's Not Too Late to Get It Right
On January 27, 2015, the Federal Trade Commission issued a report on proposed best practices for businesses to protect consumer privacy and security in the Internet of Things (IoT) world. Among other things, it addressed what reasonable security for an IoT device should be, advocating secure processes known as “security by design.” Legislators may be calling for manufacturers to earn the trust of consumers by delivering secure IoT devices, but until we address the reasons why these devices are not built with security in mind, not much is likely to change.
While it may still be in its infancy, the Internet of Things is already here. According to the FTC, the Internet of Things is expected to expand from 25 billion devices by the end of this year to 50 billion by 2020, which raises the question: why are these products lacking in “reasonable security?”
Most IoT products are built on Open Source operating systems and software, which often consist of old (and hence vulnerable) pieces of code rarely checked by the manufacturer. Properly securing them is expensive and time consuming, and would put a major drag on the fast track to market these products are on, especially if companies incorporate the best practices for security by design recommended by the FTC:
- Conducting a privacy or security risk assessment;
- Minimizing the data they collect and retain;
- Testing their security measures before launching their products;
- With respect to personnel practices, training all employees about good security and ensuring that security issues are addressed at the appropriate level of responsibility within the organization;
- Retaining service providers that are capable of maintaining reasonable security, and providing reasonable oversight of those service providers;
- When significant risks are identified within their systems, implementing a defense-in-depth approach, in which security measures are applied at several levels;
- Implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
- Continuing to monitor products throughout their life cycle and, to the extent feasible, patching known vulnerabilities.
Implementing these practices would definitely deliver much more secure devices, but it would totally change the economics of developing and bringing IoT devices to market. Perhaps a few more breaches like Anthem will mobilize consumers to force manufacturers to implement Security by Design. Hopefully we don't need more catastrophic breaches to force manufacturers to be more security conscious. If the above list seems daunting, here are a few things manufacturers can do right away that would start to move the needle:
- Decide to make security a priority, and fund it!
- Hire an embedded security expert for your team and regularly engage penetration testers to check for new vulnerabilities. They can save you a lot of bad PR, lost revenue and a potential product fix or recall.
- Don't neglect legacy products (even if they are only a few months old). Many users still have your unsupported products in their homes and businesses, potentially compromising their security.
- Perform a thorough code review – if you are leveraging Open Source code then you need to take responsibility for the security and integrity of that code.
- Involve and educate consumers about security and build mechanisms into the device that will help consumers make the right decisions regarding privacy and security.
- Include instructions for secure usage, in layman's terms.
The good news is that IoT devices have a much more manageable attack surface to contend with. The combination of Security by Design and making it easy for consumers to adopt more secure behavior can help us get Internet security right in the IoT era. Let’s not have 2015 be “The year the IoT breach…” We can prevent this from occurring if we act now.