Here are almost a dozen ways to improve IoT security

Stacey Higginbotham
4 min read · Dec 1, 2016


Canary was designed with security in mind from the ground up.

In the last few weeks, I’ve had some of the most encouraging discussions I’ve ever had when it comes to security and the internet of things. As part of that, I’ve gathered several ideas about how we improve IoT security.

I participated in a discussion about IoT security at the Techonomy conference two weeks ago where folks discussed a label or seal for devices that would indicate their level of security. The thinking was that the industry could develop a five-star rating or maybe a nutrition-style label for explaining to consumers how secure a device is and where their data goes.

Also in that conversation, we talked about the need to get government to coordinate around the internet of things in a more unified manner.

Betsy Cooper of the UC Berkeley Center for Long-Term Cybersecurity said that the creation of a dedicated IoT agency might make sense under an existing department, but noted that established government fiefdoms would never relinquish their power (and budget) associated with the internet of things, so it is unlikely to happen.

For many IoT experts, it’s clear that security should be something that government takes control of either through regulation or a series of clear rules with punishments for companies that are careless with their products or consumers’ data. But it is also clear that the government wants no role in the security challenge.

Fears of stifling innovation loomed larger than fears of the Mirai botnet and the risk of an army of old-school connected devices used to attack networks. Chris Rill, the CTO of Canary (maker of a connected security device), isn’t waiting for the government. Devices that have good security are so important to a consumer brand that he is prepared to spend $30 more per device to build a secure product.

Secure products can only protect that individual device, though, which is why the network itself and the traffic flowing across it matter. Nicole Eagan, CEO of security firm Darktrace, made the pitch at Techonomy that artificial intelligence and bots could battle malicious bots. Darktrace already uses AI to monitor network traffic in enterprises, and Eagan said that within the next half year we will see the technology applied to a smart hub or router.

So what does this mean? A report out this week from BITAG, the Broadband Internet Technical Advisory Group, tries to wrap it up in a neat package. BITAG is a group of engineers helping make sense of technical issues that span industries. Their report on IoT security offers dozens of scary stories about security and privacy weaknesses already apparent in the connected world.

It also offers some solutions, and none of them involve the government. Some of the solutions have already been discussed at length, such as requiring people to change default passwords and requiring devices that are connected to have the ability to update over the air.

But it goes a bit further. For example, when it comes to updates, the report leans in favor of the device being able to authenticate the update before downloading it, and implies that automatic updates, as opposed to user-accepted updates, are the way to go. The report acknowledges that users may dislike the new functionality and that those updates may also introduce bugs.

It also suggests that companies making connected gadgets commit to updating the product for the life of the device, with a clear delineation of what that time frame will be. This is an idea that is common in enterprise IT and would be a sobering best practice if employed for consumer devices. For example, if you knew your latest Android phone or Nest thermostat would only get software and security updates for two years or five years respectively, that may change how you view the price or functionality of the product.

Right now, when it comes to connected products there is no discussion about the expected lifespan, which feels a bit disingenuous, especially because their “dumb” counterparts have decades-long lifespans in some cases. It’s ridiculous to think that your “smart” products will last that long, even if they do cost three times as much.

Many of the other recommendations seem poised to benefit router companies. They include being able to see what devices are on the network and alerting users to odd traffic patterns. The report also points out that in the connected home, with devices already talking to each other, there is no firewall inside the network separating those devices from one another, which means that devices are at risk. One option to help limit the risk from this is to put devices on a separate network. Create a guest network for as many devices as you can.

Finally, the report offers a big vote for encryption of data at every point along its path. No data should be sent in clear text, whether it’s location data for getting weather information or Wi-Fi passwords. There’s a lot of innovation happening in encryption for resource-constrained devices that can help here. Chip technology from ARM is one option, but even encryption from a company like SecureRF or wolfSSL could help.

We still have a long way to go, but it’s clear that the industry is waking up to the problem. It’s a shame the government is so passive about it, though.

Did you like this story? Want more? Sign up for Stacey Knows Things, a newsletter covering the internet of things, to get this essay and more.


Stacey Higginbotham

I blog about chips, broadband and the internet of all the things.