It's time for an IoT security standard

Bob O'Donnell


The writing has been on the wall for some time, and the recent DNS attack that brought down portions of the Internet strongly suggests that long-predicted concerns have become unpleasant realities.

The problem? Security, or the lack thereof, for the billions of things getting connected to the Internet. Unfortunately, enormous percentages of smart home security cameras, connected DVRs, industrial equipment controllers, wearables, medical equipment, cars, and many more devices are being put online with little to no security protection.

As a result, many of these devices are open to compromise, in some cases with potentially life-threatening results. Worse still, many can also be silently taken over and conscripted into other types of cyber-attacks, like the DNS attack that rendered many popular web sites unreachable a little over a week ago.

This nearly complete lack of security has been talked about by some tech industry observers for years. But despite all the talk, little real action is being taken on an industry-wide basis.

Given the seriousness of the problem and its potential impact not only on our daily lives, but also on the security of critical infrastructure and even national security, it’s surprising and somewhat shocking how much inaction there has been. After all, devices that plug into the wall to get power require approval before other companies will sell them in the US, so why shouldn’t any device that gets “plugged” into the Internet require an approval process as well?

Many of the early electrical safety certification tests from UL (formerly Underwriters Laboratories) were written to protect consumers, but the impact on electrical power utilities was likely considered as well. In exactly the same way, IoT security standards need to address both the safety of the individual using a device and the potential impact on the newest utility in our lives: the Internet.

To be fair, not every IoT security issue carries the risk of immediate physical harm that an electrically powered device does, though some do. Beyond that, the societal disruption and associated physical threats that an IoT-driven security problem can cause could be far more widespread than anything a single device could create on its own.

Of course, the challenge of creating any kind of security standard is determining what exactly would be included and how it would be measured. Security is a significantly more complicated and nuanced topic than the spread of an electrical charge, but that doesn’t mean the effort shouldn’t be undertaken. It’s just going to take a lot more effort from more people (and companies).

Thankfully, several efforts driven by individual companies are starting to address some of these security concerns. Chip IP licensor ARM, for example, whose designs are at the heart of an enormous number of IoT devices, recently added new levels of hardware security to its line of Cortex-M microcontrollers. In addition, concepts like a hardware root of trust, trusted execution environments, biometric authentication and more are being actively deployed by a variety of component and device vendors that feed the IoT supply chain. None of these will solve every security issue, but using them as the starting point for a standard would be a pragmatic approach.
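To make the "hardware root of trust" idea concrete, here is an added example (not code from the article, ARM, or any named vendor) that models a verified boot chain the way most secure-boot schemes work: an immutable public key stands in for the key fused into the silicon, the ROM verifies the bootloader with it, and each verified stage hands over the key that must verify the next one. The three stage names and image contents are constructed sample data, and the root private key is generated in memory purely for the demo; in a real product it would live in the vendor's HSM. The example also shows the two tampers a chain like this must reject: a patched application image, and a bootloader that has been re-pointed at an attacker-controlled key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Stage is one link of a verified boot chain: an image, the public key that
// may sign the *next* stage (empty for the last one), and a signature over
// both made with the key that the *previous* stage vouched for.
type Stage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// digest is the byte string a stage signature covers. Length prefixes stop
// (name, image, key) from being re-split into a different but valid tuple.
func digest(s Stage) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(s.Name), s.Image, s.NextKey} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// VerifyChain is what the boot ROM runs. rootKey stands in for the immutable
// key (or key hash) fused into the chip. A stage is checked before anything in
// it is trusted, and only a verified stage may nominate the next key.
// Returns the index of the first failing stage, or -1 if the chain is good.
func VerifyChain(rootKey ed25519.PublicKey, stages []Stage) (int, error) {
	key := rootKey
	for i, s := range stages {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, digest(s), s.Sig) {
			return i, fmt.Errorf("stage %d (%s): bad signature, halting boot", i, s.Name)
		}
		key = s.NextKey
	}
	return -1, nil
}

// BuildChain is the vendor-side signing step (assumed layout, not any
// particular vendor's format). A fresh key is minted for every later stage.
func BuildChain(rootPriv ed25519.PrivateKey, names []string, images [][]byte) ([]Stage, error) {
	stages := make([]Stage, len(names))
	signer := rootPriv
	for i := range names {
		var nextPub ed25519.PublicKey
		var nextPriv ed25519.PrivateKey
		if i+1 < len(names) {
			var err error
			if nextPub, nextPriv, err = ed25519.GenerateKey(rand.Reader); err != nil {
				return nil, err
			}
		}
		s := Stage{Name: names[i], Image: images[i], NextKey: nextPub}
		s.Sig = ed25519.Sign(signer, digest(s))
		stages[i] = s
		signer = nextPriv
	}
	return stages, nil
}

// Demo builds a three-stage chain from constructed sample images, verifies it,
// then tries two tampers. It returns the failing stage index for each run
// (-1 means the chain was accepted).
func Demo() (clean, tamperedImage, swappedKey int, err error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	names := []string{"bootloader", "kernel", "app"}
	images := [][]byte{[]byte("BL v1.2"), []byte("kernel 4.4"), []byte("camera-app 3.0")}
	chain, err := BuildChain(rootPriv, names, images)
	if err != nil {
		return 0, 0, 0, err
	}
	clean, _ = VerifyChain(rootPub, chain)

	// Tamper 1: a modified app image flashed without the app signing key.
	bad := append([]Stage(nil), chain...)
	bad[2].Image = []byte("camera-app 3.0 + reverse shell")
	tamperedImage, _ = VerifyChain(rootPub, bad)

	// Tamper 2: re-point the bootloader at an attacker key so the attacker can
	// sign the kernel. The bootloader signature covers NextKey, so stage 0 fails.
	atkPub, _, _ := ed25519.GenerateKey(rand.Reader)
	bad = append([]Stage(nil), chain...)
	bad[0].NextKey = atkPub
	swappedKey, _ = VerifyChain(rootPub, bad)
	return clean, tamperedImage, swappedKey, nil
}

func main() {
	clean, img, key, err := Demo()
	fmt.Println("clean:", clean, "tampered image fails at:", img, "swapped key fails at:", key, err)
}
```

The point a standard would have to pin down is the one this code makes explicit: the trust anchor is the fused root key, nothing executes before its signature is checked, and because each signature covers the key for the following stage, replacing any link breaks the chain at that link rather than somewhere later.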

In addition to setting those requirements, someone would have to decide who administers the testing. Logically, companies like UL and other members of the Nationally Recognized Testing Laboratory (NRTL) Program would be good choices. Related support would also have to come from the companies that sell and/or install these types of devices. Technically, UL approval is not required to sell a device in the US, but practically speaking, retailers and others who sell these devices are unwilling to accept them without some kind of approval, for fear of the insurance risk. An IoT security standard would require a similar level of support (and initial willpower) to be effective.

It’s certainly naïve to think that a single type of security standard could possibly stave off all the potential security threats that IoT devices are now raising. But it’s equally naïve to believe that nothing can or should be done about the problem. The task won’t be easy and early iterations may not be great, but it’s clear that the time has come to do something. Let’s hope some industry associations and other parts of the tech ecosystem have the guts to get an IoT security standard started and the will to stick it out.

Bob O’Donnell is the founder and chief analyst of TECHnalysis Research, LLC, a technology consulting and market research firm. You can follow him on Twitter. This article was originally published on Tech.pinions.


 
Wow! An IoT security standard? What a novel idea.
Exactly. Some of us have been calling for sensible security in every single "New IoT novelty device is the future!" article. As usual "calls for security" are now springing up only after incidents have occurred. A good start is a sensible appraisal of what actually needs web access vs what's given web access by default purely for the sake of a "smart" marketing checkbox.
 
We need such a standard, but sadly I don't think it will arrive until people start dying because of hacked IoT/OT devices...
 
Tell me who doesn't change the IP addresses of every appliance that is plugged in at your home? Web cameras, washing machines, dryers, Blu-ray players, computers, TVs, etc., set to not routable IP addresses, routers set to securest settings, wifi turned off on devices then hard CAT wired, router wifi turned off when not in use, computers off too, wifi locked down....

Maybe the US consumer needs some training. Sounds like a business opportunity. I'll come to your house and perform a complete electronic security inspection.
 
The UL comparison is accurate - like the internet, electricity was an 'overnight' sensation, and had few dangers until Billy Bob and his bean-counting numbskulls started selling "cheaper" vacuum cleaners door-to-door that set people's houses afire with no obvious recourse.
The Billy-Bob bean-counter committee is always poised to sell a product cheaper, and we as a society, fall prey to that over and over, generation after generation if the technology exceeds our understanding (Yugo, anyone?)

Yeah for a standard, but until someone Knows a friend or relative that was 'harmed' by their cheapo Billy-Bob knock-off, they won't know to look for "conforms to IoT Standards" on the box anyway. Cheap or Knock-off are Seldom your friend, but good luck getting That word out and appreciated.
 