Analyst Angle: Why the standardization of IoT security cannot come soon enough
IoT device manufacturers are governed by a keen consumer demand for desirable features and intuitive functionality. Security concerns, in stark contrast, have been given relatively little thought — especially among lower-end consumer IoT products. However, striking a more equitable balance between ease of use and security is critical to the long-term success of not just these vendors, but the IoT industry itself.
Manufacturers that err on the side of delivering more user-friendly experiences – and who take security shortcuts to do so – continue to leave dangerous gaps in the safety of our connected devices. For example, many IoT products automatically open ports on home routers and firewalls, making it simple for consumers to remotely access these devices from the internet but also presenting an all-too-easy attack surface for those with malicious intent. Hackers have been increasingly exploiting these gaps to propagate ransomware, malware that hijacks devices for botnet-based DDoS attacks, and more. So far, there’s no indication (nor realistic reason to believe) that these attacks will ebb.
One of the greatest challenges to IoT security is the infrastructure through which firmware updates – which provide security safeguards against the latest threats – are uploaded to devices in the field. Increasingly, vendors are pushing automatic updates to bolster security on their devices situated in our homes, but this still leaves a vast number of IoT products that either require manual updating or will simply never receive updates.
There are several reasons for this: delivering updates requires a thoughtfully implemented and supported infrastructure to develop, store, and send new files and firmware to deployed devices. Unfortunately, manufacturers often support their products for only a limited time span, and those no longer in business offer no continuing support whatsoever. In cases where vendors are not active and update URLs lapse (and can be registered by anyone), other entities can and will collect and utilize device traffic for their purposes.
To solve these issues and bolster device security as the IoT becomes increasingly mainstream, standardization and reinforcement of best security practices must be non-negotiable. Vendors across the industry must feel pressure to adhere to effective security measures, thereby protecting their customers from being all-too-convenient targets for hackers. At the same time, the industry must introduce standards so that IoT devices utilize similar technologies, allowing support even for devices from defunct manufacturers. Today, many vendors use open source operating systems such as Android, or Linux/Unix-based solutions like BusyBox; others create custom, closed source firmware to control their devices. And, devices using the same open source operating system can still feature major differences in implementation, which lead to surprises and dangerous vulnerabilities.
Programs designed to address this need are arriving. The ARM Platform Security Architecture represents a standardized framework for vendors to adopt and use in order to get on the same page as to how IoT devices are secured. Similarly, the IETF has released a draft document on the Manufacturer Usage Description Specification (MUD), which standardizes communication between IoT devices and security devices like firewalls and routers, governing their requests for access. MUD specification can, therefore, ensure that even vulnerable devices have their access restricted to only those services that are necessary. A current project by the National Cybersecurity Center of Excellence utilizes this technique, seeking to mitigate IoT-based DDoS attacks by limiting device access through MUD specification. Vendors are also finding success by moving beyond reactive practices and utilizing signature-based (and other) approaches that employ the same advanced technologies that hackers use, from artificial intelligence to proactive recognition of behavioral anomalies and predictive security techniques.
With standardized IoT security frameworks and implementations on the horizon, vendors should position their businesses — now — to take advantage of these technologies as they become the norm in the industry. Moreover, IoT vendors should fundamentally embrace security as a concern every bit as crucial to the long-term business success of their products as usability is because, ultimately, our overall experience with a device will only be simple if it’s secure as well.
Louis Creager is IoT Security Analyst at zvelo, a provider of cybersecurity solutions for web content, traffic and devices.