On January 27, 2015, the Federal Trade Commission (FTC) issued a report on proposed best practices for businesses to protect consumer privacy and security in the Internet of Things (IoT) world. Among other things, it addressed what reasonable security for IoT devices should be, advocating processes it calls “Security by Design.” Legislators may be calling for manufacturers to earn the trust of consumers by hardening IoT (i.e. embedded devices), but until we address the reasons why they're not already being built with security in mind, not much is likely to change.
From a technology perspective, one of the main reasons why IoT devices are insecure is because most of them are built on Open Source operating systems and software, which often consists of old (and hence vulnerable) pieces of code rarely checked by the manufacturer. Fixing this problem would place a major drag on the fast track to market IoT products are currently on.
As much as I applaud the FTC for making security a priority, its recommendations are light years away from where the current IoT security bar is. If implemented in full, the added cost of Security by Design could have such an impact on the economics of bringing these devices to market that it could either a) make them cost prohibitive to consumers or b) no longer offer attractive returns to manufacturers.
Hopefully it won't take a major IoT breach to mobilize manufacturers to implement Security by Design. And bear in mind - while the IoT may still be in its infancy, the Internet of Things is already here. According to the FTC, Internet of Things is expected to expand from 25 billion devices by the end of this year to 50 billion by 2020, which begs the question – when are we going to get serious about IoT security?
Security needs to be woven into the fabric of all IT systems – end of story. While we may be a ways off from what the FTC recommends, there are still plenty of things consumers and IoT manufactures can do to start moving the needle in the right direction. If we get serious about security now, we can prevent the scenario that occurred in the enterprise where time and time again, productivity and convenience trumped security.
We can't undo mistakes already made in the enterprise, but we still have a chance to get IoT security right. If manufactures won't do it on their own, then maybe they need to be legislated into it (an option the FTC thought was ‘premature') or perhaps the private sector can mandate security standards along the lines of what the credit card companies did with PCI.
However it unfolds, if we don't create the needed groundswell to implement IoT security, then we are part of the problem. So with that in mind, here are a few things that manufacturers can do to start to move the needle:
- Perform a thorough code review: If you are leveraging Open Source code then you need to take responsibility for the security and integrity of that code. Even if manufacturers can't fix all the problems right away, they'll know what they need to do.
- Hire a coder that understands security and can address security issues through each phase of development.
- Hopefully the first thing that coder will do is to –SANITIZE ALL USER INPUTTED STRINGS! And stop hardcoding 'hidden' administrative credentials, which are sure to be found and exploited by hackers.
- Involve and educate consumers about security and build mechanisms into the device that will help consumers make the right decisions regarding privacy and security.
- Include instructions for secure usage – in layman's terms.
- Partner with a VPN server vendor that makes products for home use.
And consumers need to do their part as well. Hackers count on consumers to make their job easy for them by engaging in insecure online behavior. Everyone always thinks, “Who would want to hack me?” but today, hacking is more business than personal. If a consumer chooses to use an IoT device that collects information, they should quiz their vendor on their data protection policies, pay close attention for firmware upgrades and carefully inspect any email sent by the vendor with a link in it or asking them to download something.The good news is that IoT devices have a much more manageable attack surface to contend with. The combination of security by design and making it easy for consumers to adopt more secure behavior can provide us to get security right in the IoT era. Let's not have 2015 be “The year the IoT breach.” We can prevent this from occurring if we act now.