Some good advice on the challenges of securing the IoT

Profile picture for user Neil Raden By Neil Raden July 11, 2019
Surfacing the issues around securing the IoT.

The first thing I read today was a blog  on the Sigmadots site titled “Six Challenges of Securing IoT. It is a good short article that gets to the point. What is wrong with it is the first paragraph:

We’re either on our mobile devices or on our laptops or watching our smart TVs, waiting for our smart microwave to finish popping our smartly packaged popcorn kernels. In our cities, intelligent streetlights, traffic lights, and smart cars guide our travels.

The remainder of the article supports the premise of title, and I’ll cover all 6 points, but before I get to that, I’ll respond to the writer’s (there is no byline)  comment on the above quote. My brother is a disabled Vietnam veteran. He has neither smartphone (he just visited here a few weeks ago, he has an old flip phone), nor a a smart TV, nor a smart microwave, and he lives in a spiraling downward post-industrial town with no intelligent streetlights or smart cars. He certainly doesn’t live in a smart home, he lives in subsidized housing courtesy of the VA for his service.

There is a point here. Those of us in the technology industry believe everyone is like us.  Twenty percent, or 66,000,000 of the US population  does not have a smartphone. And smart traffic lights? That’s a promising idea, but how many cities and municipalities will have the budget to implement it? And the main drawback is that most vehicles still on the road lack the communication and software to interact with the smart lights anyway. This pervasive mentality in the tech industry disenfranchises a lot of people, overestimates the value of their innovations and underestimates the potential ethical issues they create.

That’s the end of my soapbox, at least in this article.

The rest of the article is pretty good in addressing the issue of Challenges of Securing IoT. I’ll review each. The six categories are:

You cannot protect what you cannot find

Connectivity is ubiquitous. A smart home system could include everything from locks and thermostats to coffee makers and ovens. Offices are similarly plugged in with myriad devices included in their comprehensive building management systems.

The contention is that the number of devices is overwhelming and, therefore you can’t find them all. And if you can’t find them all there will be leaks, some innocuous, some downright dangerous. Though it seems logical, I’m not convinced you can’t find them all. It’s actually quite easy to find the devices connected to a WiFi network, and if you don’t want to go through five easy steps, there are even “apps for that.” An wired networks? How could you not find devices attached? I can see the need for monitoring wireless networks for devices attaching and detaching, but I still don’t see the connection between the number of devices and the risk – they aren’t all connected to one network

Strong focus on device specialization, not protection

Although systems on chips are increasingly more powerful, they are highly specialized to fulfill specific tasks. For example, a window open-close sensor has been designed to have a very small footprint … the device itself is generally not designed to ensure its own security

His recommendation is to have security features installed on the chip’s operating system. This makes a lot of sense but how many chip-sensor are there, how many operating systems and how many protocols? I prefer to see a more systemwide protocol controlling the security of all the device on the network.

Lack of standardization

Think of a home network that simultaneously connects an alarm system, a Nest thermostat, Google or Amazon voice assistants, IP cameras from one or more vendors plus an ever-increasing variety of white goods and home entertainment systems.

Protocols can include IP and Wi-Fi, Bluetooth, Z-Wave and Zigbee as well as several proprietary wireless security and home automation protocols.

No thanks, but he makes a good point. As I said above, the better solution are universal and agnostic to all the protocols. I suspect at some point the providers of these items will get together and develop a common security protocol.

Communications vulnerabilities

Every device has been designed by its manufacturer to be remotely updated and upgraded. If they haven’t been diligent, those doorways can be accessed by threat actors using a variety of wireless connectivity options mentioned above: simple Wi-Fi, cellular, RF, broadband, and low-power, wide-range (LORA) communication.

Securing the device communications gateways is critical to any system.

Undeniably true, but what is the fallback if the manufactures are lax in doing that?

Securing privacy

Devices are collecting ever-increasing amounts of information – as basic as the IP addresses with whom our IoT devices are communicating to the state of our health. With the advent of 5G, even more data will be able to be collected and stored. Without proper security measures in place, every piece of data we generate, whether intentionally or passively, will be open to be used for identity theft, financial gain, and even potentially hacking our health.n Implementing security like a firewall can be critical to controlling what goes in and out.

That’s a pretty dreary assessment, and it’s pretty accurate. We have created a mess with this and we need to figure it out. It’s not just about gathering data about your habits and preferences to more effectively sell things to you. It’s about interfering in elections, sending swarms of drones deflect missiles. But for a solution, a firewall? Surely that’s not the solution as firewalls are breached every second of the day. And once something is “in the air,” it doesn’t have a firewall.

The invisible line between IoT and IT

The next time you want to play a challenging game, walk around your home or office counting chips.

Image of code and cyber security

The point he is making is how many there are and how many points of entry they provide to bad actors. We’ve already established that.

Ensure you have a business continuity infrastructure and backup system in place for those cross-over attacks. Creating a universal, unified, and distributed barrier to cyberthreats across every type of device, operating system, and chip is critical to true protection.

Locking the stable after the horse is gone gambit. I was hoping to get more insight into what’s coming in IoT security. I’ll keep looking.

Overcome the challenges, strengthen protection

Use of new methodologies such as blockchain and distributed computing that reduce inherent risks by distributing the central databases and servers can create a comprehensive security, mesh-based network infrastructure that will go a long way to mitigating these risks.

Now he’s lost me. Here is blockchain in the last paragraph with no connection to the rest. As far as I know, a distributed architecture still connects so I don’t see the point.

My take

A good article for surfacing the issues but, sadly, a little thin on solutions.