People aren't taking IoT security seriously, claim experts


Security is very much a central issue for the Internet of Things, experts claimed at Paris' Connected Conference last week.

A multitude of connected devices automating our day-to-day lives is useful, but it also gives an unprecedented and ever-increasing digital window into our homes, as well as introducing multiple new threat vectors for attackers to exploit.

Estimates suggest the number of IoT products on the market will shoot up to 30 billion within five years. According to Freescale's Alex Candela, "at least 50 per cent of those new IoT devices are going to be developed by startups".

This has the potential to raise numerous problems. For many startups, security is often not a principal concern, as Hugo Fiennes of Electric Imp points out. When it comes to IoT security, he claims that "people are not taking it seriously yet."

"A lot of the time in startups, the issue is that you have a limited amount of money, a limited amount of time, a limited amount of resources, and security's not the thing that's going to make or break the company at that stage."

The fact that many companies are being forced to choose between security and getting to market quickly could lead to problems later down the road, according to Fiennes.

"People are often much more concerned with shipping than they are with actually making sure their product is secure", he claims. He believes there's a dangerous attitude of "ship first, make it secure later", without realising that "it's almost impossible to do that".

Secure updates are a major source of concern for professionals in the IoT space. Fiennes drew on the example of 2014's Heartbleed bug: despite the confidence of sys-admins with fully-patched servers, affected systems "went from fully secure to fully insecure in the space of one announcement".

Regular updates to device firmware are crucial for responding to new threats such as Heartbleed. Many products, however, are released with no system for delivering them. Fiennes was emphatic about the risks of this strategy, stating that "If your device can't be updated automatically, it is insecure, period".

Fiennes is of the opinion that self-updating software is a necessity for IoT vendors, because, as he puts it, "users don't upgrade things". To illustrate this point, he asked the tech-savvy, professional crowd who had updated their router's firmware in the past year, with around five people responding in the affirmative.

The solution, he says, is to simply cut the user out completely. By placing enabling clauses in their terms of service, companies' devices can simply upgrade their own firmware at the earliest convenient opportunity.

However, he cautions that this requires a level of trust between users and vendors. While some companies have less-than-sparkling security records, Fiennes mentioned Belkin as a company that has a good attitude to the problem.

With one of their products, it was discovered that although they were signing firmware updates, they were putting the key in the update itself. Since then, however, they've taken steps to secure future products by offering bug bounty programs, liaising with security experts, and trying to rebuild their image.
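The key-in-the-update flaw described above, as an added example that is not from the original article or from any vendor's code: a verifier that trusts the key packaged with the update, beside one that uses a key provisioned on the device. The article does not say which key was shipped, so this assumes it was the verification key; the toy RSA keys, sample images and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy RSA keys built from Mersenne primes: far too small for real
# use, a stand-in for a real signature scheme such as Ed25519 or RSA-PSS.
E = 65537

def keypair(p: int, q: int):
    """Return (public (n, e), private exponent d) for primes p and q."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def digest(image: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def build_update(image: bytes, pub, d: int) -> dict:
    """Sign the image and (the questionable part) ship the key alongside it."""
    n, _ = pub
    return {"image": image, "sig": pow(digest(image, n), d, n), "key": pub}

def check(image: bytes, sig: int, pub) -> bool:
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == digest(image, n)

def verify_embedded_key(update: dict) -> bool:
    """Weak: trusts whichever key arrives inside the update package."""
    return check(update["image"], update["sig"], update["key"])

def make_pinned_verifier(pinned_pub):
    """Hardened: the key is provisioned on the device; the packaged key is ignored."""
    def verify(update: dict) -> bool:
        return check(update["image"], update["sig"], pinned_pub)
    return verify

VENDOR_PUB, VENDOR_D = keypair(2**127 - 1, 2**107 - 1)  # d stays on the signing host
OTHER_PUB, OTHER_D = keypair(2**89 - 1, 2**61 - 1)      # any key the vendor did not issue

genuine = build_update(b"firmware v2 (constructed sample)", VENDOR_PUB, VENDOR_D)
resigned = build_update(b"modified image (constructed sample)", OTHER_PUB, OTHER_D)
verify_pinned = make_pinned_verifier(VENDOR_PUB)

if __name__ == "__main__":
    for name, upd in (("genuine", genuine), ("re-signed", resigned)):
        print(name, "embedded-key:", verify_embedded_key(upd),
              "pinned-key:", verify_pinned(upd))
```

Both updates pass the embedded-key check, while the pinned check accepts only the genuine one, which is why the trust anchor has to live on the device rather than travel with the update.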

One of the most dangerous aspects of IoT is the vastly increased number of attack vectors it introduces. IoT evangelist Liam Boogar warned that the danger of intrusion gets exponentially greater "the more we create new nodes".

Threats can come from anywhere, too. Fiennes mentioned a common question when dealing with IoT security: "why would someone hack my toaster?" As he explains, however, it is no longer simply a toaster. If it has A/C power and a network connection, that device is a node.

"It doesn't matter that it's a toaster", Fiennes says; "The person who hacks it may not even know it's a toaster". For an attacker, almost any powered, connected device can be used for malicious tasks such as broadcasting spam, sending DDoS packets or building a secure tunnel into the rest of your network.

Hackers have a well-earned reputation for ingenuity, and Fiennes recommends keeping an eye on exactly what it is they're doing. He states that hacker conventions like DEF CON and Black Hat can be a great source of insight for developers.

Fiennes advises IoT creators, when visiting these kinds of conferences, to look around and see what people do to other products and think "could someone do this to mine?" By analysing the methods used by real potential intruders, companies can get increased visibility over their product's security flaws.

The security of the Internet of Things is an issue that's only going to get more and more prominent, as an increasing number of connected devices enter the market. However, by ensuring that they're abiding by best practices and maintaining a strong security focus, companies can prevent threat actors from exploiting their product.

Adam Shepherd
