The Internet of Things has been growing relentlessly for over a decade now. Is it, however, an already developed and mature phenomenon? Or maybe this rapid growth was actually a destroying force and now the IoT does not have what it takes to secure its position on the market? And what is left to do for the IoT in order to grow even more and – more importantly – settle for long? In this article, we will try to answer these questions looking at the IoT from the security perspective.
As a concept, IoT has been known for almost 20 years now, but only recently have we observed a great surge in its growth. Sadly, the golden rule for protecting systems from vulnerabilities is to keep them simple rather than unnecessarily complex, and as the IoT gets bigger, it inevitably gets more complicated. The more complex the architecture, the more difficult it is to find and close all the potential holes in it.
The problem is further aggravated by the use of proprietary protocols, which leads to vendor lock-in and fragmentation of IoT technologies. It’s true that security is not confined to protocols. After all, data can be stolen in many different ways. The causes may be trivial, such as phishing, weak passwords or system glitches, or they may be quite sophisticated, like developing a covert channel for optical transmission of data by hijacking surveillance cameras equipped with LED lights, or exfiltrating data byte by byte in TCP header fields every time a payload is sent. It’s hard to deal with every aspect of security, but it goes without saying that if the industry at least had simplified protocols and tools able to overcome the heterogeneity of device types, IoT security mechanisms would also be more straightforward and easier to implement. Many organizations and standardization bodies have been joining forces to try to unify the fragmented IoT environment by creating a technology that answers the needs of the industry and becomes a standard everyone uses. One such standard that has recently been gaining popularity is Lightweight M2M (LwM2M) by OMA SpecWorks.
The standard is used for device management, service enablement and telemetry. It has been designed especially for resource-constrained devices such as sensors or actuators, and it works efficiently over NB-IoT, LTE Cat M1 and other radio networks, low-power wide-area networks, or sensor networks. It is worth mentioning that the standard is constantly evolving and can be used not only for low-power devices but, technically, for any device communicating over IP. What’s more, in its latest 1.1 release, LwM2M can even handle non-IP data delivery, among many other additional features. The standard also sets high security requirements: it runs over the Constrained Application Protocol (CoAP), secured with Datagram Transport Layer Security (DTLS), the datagram variant of TLS, which is effective against common IoT security threats. If you want to know more about how IoT security is handled in the LwM2M standard, be sure to check out AVSystem’s whitepaper “Overcoming security challenges and gaining interoperability with LwM2M device management”.
Apart from the use of proprietary technologies, one can say that IoT security issues come down to two things: economics and “overoptimistic” security design which stems from loose regulations or time-to-market pressures.
In the case of economics, the reason behind the lack of security lies, surprisingly, in the great popularity of the IoT, which results in countless projects, many of which do not last long. In device management, Firmware Over-The-Air (FOTA) is a crucial feature: it lets you deliver updates and patches and thus maintain security over the device’s lifetime. Unfortunately, failing companies leave devices behind with no possibility of updating their firmware or software. It is then only a matter of time until a bad actor gains access to these vulnerable devices. It doesn’t stop there, though. After gaining control over unattended devices, the next step is to use them as a foothold into the entire system they are connected to.
Furthermore, many of these startups were founded to be sold within 1 to 2 years, strictly for profit. For this typical money-oriented startup business model, security, being simply uneconomic (because expensive), seems to be just a pain in the neck not worth spending time on.
While there are many stages in IoT deployments, we often tend to forget that device manufacturers are not the only ones responsible for security. Network operators and application developers, as well as service providers, all take part in creating an IoT ecosystem. Usually, different companies within a project are responsible for different stages of the deployment. When designing the architecture, nobody wants to take responsibility for security (or, again, spend money on it). This negligent attitude results in deployments whose security is flawed at, say, the network level or the application level. Not to mention how dreadful it is to think of the worst scenario – no security at any level at all.
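The FOTA paragraph above names the feature but not what a device has to check before it trusts an update. The following added example (not AVSystem’s code and not the LwM2M firmware object format; the package layout, key and version numbers are constructed for illustration) shows the two checks a defender wants on the device side: authenticate the image together with its version number so neither can be swapped, and refuse anything that is not newer than the installed firmware, which blocks rollback to a known-vulnerable release. It uses HMAC-SHA256 only because that is in the Python standard library; a production deployment would use an asymmetric signature so that the device holds only a public key and no device can forge updates for its peers.

```python
import hashlib
import hmac
import struct

# Constructed package layout (hypothetical, for this example only):
#   4 bytes   big-endian firmware version
#   32 bytes  HMAC-SHA256 over (version || image)
#   N bytes   firmware image
TAG_LEN = 32
HEADER_LEN = 4 + TAG_LEN


def build_package(key: bytes, version: int, image: bytes) -> bytes:
    """Producer side: authenticate version and image together, so an attacker
    cannot attach a valid tag from one release to a different image or version."""
    version_bytes = struct.pack(">I", version)
    tag = hmac.new(key, version_bytes + image, hashlib.sha256).digest()
    return version_bytes + tag + image


def verify_package(key: bytes, package: bytes, current_version: int):
    """Device side. Returns (accepted, reason, image).
    Order matters: authenticate first, only then trust any field in the header."""
    if len(package) < HEADER_LEN:
        return False, "truncated package", None
    version_bytes = package[:4]
    tag = package[4:HEADER_LEN]
    image = package[HEADER_LEN:]
    expected = hmac.new(key, version_bytes + image, hashlib.sha256).digest()
    # compare_digest avoids leaking tag bytes through timing differences
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed", None
    version = struct.unpack(">I", version_bytes)[0]
    # Anti-rollback: an authentic but older image is still a downgrade attack
    if version <= current_version:
        return False, f"rollback refused (offered {version}, installed {current_version})", None
    return True, "accepted", image


# Constructed demo key; a real device would hold a public key, not a shared secret
KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    pkg = build_package(KEY, 2, b"firmware-v2-image")
    print(verify_package(KEY, pkg, current_version=1))     # accepted
    print(verify_package(KEY, pkg, current_version=2))     # rollback refused
    tampered = pkg[:HEADER_LEN] + b"evil-image-bytes!"
    print(verify_package(KEY, tampered, current_version=1))  # authentication failed
```

The tag covers the version field as well as the image, so the rollback check can rely on the version number only because it was authenticated first; checking the version before the tag would let an unauthenticated header drive the decision.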
The need for regulations in this regard is best reflected by IoT security breaches. Breached devices create serious financial exposure – according to a survey conducted by Ponemon Institute[1].
This year’s annual Cost of a Data Breach Study was sponsored by IBM and conducted by Ponemon in order to measure exactly how much lost and stolen records could cost companies around the world. The study found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report. This time, however, one of the main factors contributing to the increase turned out to be the extensive use of IoT devices. Seeing how costly it is, device manufacturers, application developers and everyone else involved in designing IoT architectures would be better off investing in security. Victims of DDoS attacks know this best and have been increasing their cyber-security budgets after being hit by threats such as the infamous Mirai botnet.
Another consequence of IoT security breaches is the loss of customer trust. Consumers are less willing to buy IoT services when they hear how faulty their devices’ security might be. While living in a smart home can certainly be convenient, the majority of people are afraid that their devices can be hacked. It’s not convenient anymore to live in a house where your microphones are bugged, cameras taken over, and even your refrigerator or toaster is no longer trustworthy. While this might seem like a bit of an unrealistic scenario, many consumers believe that it actually might be the case if they decide to make their homes smart. This lack of trust, however, doesn’t discourage them from going with IoT solutions anyway. Last year’s Cisco survey of 3000 consumers found that most people don’t trust IoT security, yet they still find smart devices too convenient to give up. It’s hard to understand where this “IoT Value/Trust Paradox” comes from. At the end of the day, however, the belief among customers that the responsibility for securing devices does not lie with them is very strong.
Fortunately, there are a few answers to these IoT security threats. While consumers may not be aware of the dangers smart devices pose, security has recently been a very hot topic in the IoT industry and business world. One of the possible IoT security solutions is the use of standards such as the one mentioned earlier.
There is also another solution, though it is one that may take a while: education. Just as when the Internet was becoming popular, governments are realizing how high the stakes are and starting to educate both consumers and businesses about the risks that a lack of security poses in the IoT. Education goes hand in hand with standardization and tighter regulation initiatives. We can observe this in data protection regulations, awareness programs, and courses organized by various universities and institutions across the world.
While the industry is definitely in need of quick answers, education (being rather a long-term approach to the problem) is something that can be pursued alongside other solutions, such as obliging companies to meet IoT security requirements and building IoT ecosystems around established standards.
The Internet of Things became one of the hottest things in the business world almost in the blink of an eye. Up until recently, however, its growth has been somewhat asymmetric, with security severely neglected. Fortunately, the realization of the IoT’s potential has accelerated the process of dealing with IoT security threats. As a result, it seems that it takes much more than the inability to pinpoint the party in charge of IoT security, or inefficient economics, to take the Internet of Things down.
For more on the latest IoT news, check out the video with AVSystem CEO Slawomir Wolf at IoT Expo in San Jose, where he announced AVSystem’s partnership with PTC ThingWorx and talked about LwM2M 1.1 and its role in IoT device management.
AVSystem – shaping the world of connected devices
[1] Ponemon Institute is a research center dedicated to privacy, data protection and information security policy.