Analyst Angle: The “race to the bottom” security problem of IoT
The good news
The Internet of Things is just beginning to take off, and the growth is happening separately in both the consumer and smart home space, as well as in vertical and industrial markets like cities, factories, campuses, and worksites. McKinsey Global Institute estimates the worldwide market for IoT will reach U.S. $11 trillion per annum by 2025.
As the technology matures and learns from some initial security lapses, the need to design robust security policies into IoT products and systems is now blatantly clear. Not only are IoT products increasing the number of physical attack vectors into our networks, but they are also often placed in more vulnerable locations, such as outdoors and publicly accessible places. As a result, there is a general consensus among IT professionals, security experts, industry consortia, and regulatory bodies that a multi-layered approach is best.
- Security-first design
- Secure elements on the endpoint hardware
- End-to-end encryption of all data traffic
- Security at the gateway level
- Analytics and heuristics to detect malware and attacks
We’ve been pleased to see this rapid industry progression to a consensus on best-practices. And to stave off regulation, industry groups are even starting to self-regulate through bodies like the IoT Connectivity Alliance or the IoT Security Foundation, among others. But while all this progress takes place (you knew there was going to be a “but,” right?), there is a lingering problem: a race to the bottom that is still taking place at the end device level, especially on the consumer side.
The bad news
The “race to the bottom” that is simultaneously taking place is a classic one: it’s all about making the cheapest device to win sales, and that means cutting corners as much as possible. And security is often one of the corners that gets cut.
Because industrial IoT projects often include so very many end-devices (whether sensors, actuators, cameras, or whatever) the costs of each end device scale industrial buyers scales up quickly. A savings of a few dollars per unit can end up representing thousands of dollars. Sometimes, buyers aren’t aware of the security risks, but other times they are aware, but the business model only makes sense at the lower cost – so the temptation to sacrifice good security is real.
Meanwhile, on the consumer side, the scaling issue is not as important. But consumer awareness of the risks of a device with bad inherent security is very low. Consumers, thus, don’t tend to shop on this factor. They shop on Megapixels, features, user reviews, but mostly price. When comparing one $80 IP cam with PTZ, MP4, and 2MP against a $70 MP4 IP Cam with PTZ, MP4, and 2 MP, which do you think is carried out of Best Buy or Walmart at a faster clip?
We could blame the vendors. We could scold them for producing risky devices that lack inherent secure elements, lack adequate processing to encrypt their traffic, or lack even a default UI that forces the user to set a custom password. But they are just responding to market signals. The market wants cheaper products. Cost dominates the purchasing decision. So supply meets that demand.
Another trend that puts unsecured IoT products out into the world is the Silicon Valley/Startup “Minimum Viable Product” (MVP) philosophy. The notion here is that in the IoT market, companies want to get the first mover advantage, and want to launch innovative products before their competition, so instead of waiting until your product is fully mature before launching (as, say, Apple Computer might do), startups will launch a product when it is minimally ready, and then iterate on that product with later, more fleshed-out versions (like Google did with Android, or just about any project on Kickstarter). The security problem, of course, could occur when the MVP is launched without security. Then, even if subsequent versions improve, there are still a bunch of vulnerable nodes out there in the real world. The problem is in the definition of the word “viable.” Is an unsecured node really a viable product? Not if the company has long-term profitability in mind. This problem, happily, is solving itself with greater awareness among the established vendors, among the startup community, and among the VCs and analysts who evaluate these products.
The path from here
The upshot is that secure, intelligent IoT products are increasingly available and that the industry is getting better at designing security into IoT from the ground up. That will never make it perfect, but it will make it much better. It’s like the difference between an unlocked bicycle, and a bicycle with the seat and front tire removed and secured with a good lock. With the former, you’re asking for trouble, and with the latter, your odds are much better. But despite overall improvements, low-security products are still out there because the market still buys them. So buyers, planners, system designers need to all be willing to pay more for secure products and to purchase on this factor as an equally important one to cost.
Meanwhile, in the consumer space, it’s a little harder to squash the risks. It is confoundingly difficult to educate consumers about the security they should be seeking in their IoT products. In this case, we will need to see either some government regulations requiring minimum standards or industry-based solutions like a “Minimum IoT Security Certification” stamp logo that consumers could easily recognize (in the way that the Wi-Fi or Bluetooth logos means that a product meets those standards.) We need to make the task of shopping for secure IoT products very easy for consumers, and then the market forces will do the rest.
I will be introducing IoT Forum members and tech scouts to many cutting-edge IoT security startups on May 17th at IoT World in Silicon Valley. Details at www.sv-iot.com.