Build or Buy: Securing IoT Is Harder Than It Looks for Device Manufacturers

08/08/2016 12:36 | Updated 08 August 2016

Since the summer of 2015, television drama Mr Robot has stoked interest in the activities of activist hackers and prompted speculation about the plausibility of the attacks carried out by Elliot Alderson and his fsociety comrades. The season two opener featured an attack in which various smart home devices - from music system to television, shower to alarm to thermostat - were maliciously manipulated to the point that the victim abandoned her home. Discounting the suspension of disbelief required to accept that all the devices are seamlessly integrated - raising wry smiles among the IoT community - how realistic is this scenario?

The news headlines are rife with examples of IoT vulnerabilities being exposed, from Forbes reporter Kashmir Hill taking control of a home having simply googled for open ports to the AuYou Wi-Fi Switch being withdrawn from sale on Amazon after a review revealed "laughably easy to crack" encryption. Meanwhile, the search engine Shodan provides immediate access to thousands of unsecured IoT devices - including baby monitors.

Data supports the idea that IoT has a security problem. The Open Web Application Security Project's (OWASP) list of the top 10 IoT vulnerabilities highlights insecure interfaces and inadequate authentication and encryption. Meanwhile, Symantec found that none of the 50 IoT devices it examined enforced basic security techniques such as strong passwords or mutual authentication, or protected against brute force attacks.

The lack of security in many IoT devices has two main causes. On the one hand, there are hardware issues. Some smart home devices lack powerful processing capabilities, and even TLS (the encryption behind HTTPS) can represent a prohibitively heavy load for very resource-constrained devices. Processing limitations can also make deploying patches for vulnerabilities problematic.

More significantly, IoT device manufacturers may think that 'doing' the web or cloud is easy. In fact, it becomes challenging when you need to protect user privacy while delivering high levels of security and flawless operation at a scale of millions of devices, across different service and access configurations. Most IoT device manufacturers are hardware specialists, with little prior expertise in creating software or managing large volumes of user data, and are not equipped to deliver secure IoT.

It would be wrong to think of IoT devices - particularly in the smart home - as essentially trivial. If your smart fridge were linked to your Google Calendar, any failure to validate SSL certificates could allow man-in-the-middle attacks to expose your Gmail credentials. Then it's more than your Whole Foods account at risk: all kinds of theft and fraud are possible. Meanwhile, the popularity of smart health devices raises the possibility of other sensitive data being exposed if not adequately protected.
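To make the certificate-validation point concrete, here is an added example (not from the original article, and not any vendor's firmware code) using Python's standard `ssl` module: the "it just works" client configuration that skips validation, the hardened configuration a device should ship with, and a small audit function a manufacturer could run in CI to catch the weak setting before release. The `ca_bundle` path is an assumed pinned CA file shipped with the device.

```python
import ssl


def insecure_client_context():
    """The shortcut the paragraph warns about: certificate checks switched off so
    the device 'just works' against any server. Anyone on the path (for example on
    the home Wi-Fi) can present an arbitrary certificate and read the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None):
    """Validate the chain, match the hostname, and refuse obsolete protocol
    versions. ca_bundle is an assumed path to a pinned CA file shipped in the
    firmware; a single CA certificate is small enough for a constrained device."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_context(ctx):
    """Return the validation weaknesses found in a context (empty list == OK).
    Suitable as a unit test in firmware CI so the insecure shortcut cannot ship."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Handing the hardened context to `http.client.HTTPSConnection(host, context=ctx)` is enough for the device to reject a forged calendar endpoint instead of silently sending credentials to it.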

Unsurprisingly, consumers are worried about security, particularly of devices in their homes: in a survey by Fortinet, 68 per cent of homeowners globally were concerned about data breaches. This will be exacerbated as the number and range of IoT devices available continues to scale massively. From durable, persistently connected products such as lights and alarms to consumables and apparel, there are expected to be 38.5 billion connected devices by 2020. With fragmentation already creating issues, an agreed security standard will be needed.

Securing connected devices requires commitment and vigilance from all sides; the IoT landscape is a broad panorama involving people, devices, systems, network connections, and, at the heart, the cloud platforms which provide the smarts for household products. These platforms must protect customer data through strong authentication and encryption, and adhere to standardised data exchange protocols. At the same time, consumers must take responsibility for their data by using strong passwords and promptly downloading updates.

But perhaps the greatest onus falls on the device manufacturers themselves. They must provide regular security updates, and educate consumers as to the importance of best practice. Even more importantly, they must decide whether to "build" or "buy" security. Manufacturers take the DIY approach at their own risk; building world-class capabilities in a completely new discipline is more complex than many anticipate. They may be better off striking partnerships with cloud software and real-time data experts, allowing them to concentrate on product design.

In 2015, the US Federal Trade Commission noted that "perceived risks to privacy and security [...] undermine the consumer confidence necessary for the [IoT] technologies to meet their full potential." The smart home is just one element of a potential connected world of "smart everything". But a chain is only as strong as its weakest link. If security challenges cannot adequately be met in the home, imagine the complexity when entire cities - including power stations and factories - become connected.

In Mr Robot, Elliot Alderson explicitly exploits 'easy' vulnerabilities: obvious passwords, open back doors, etc. As the world inevitably becomes more connected, risks will accompany benefits; the starting point for security must always be best-practice encryption and protocols. Just as in the 'real' world, there will be break-ins - but they become much less likely if you lock all your doors and windows.