Security in the Age of IoT, an Opportunity
(Note: the views here are my own and do not necessarily reflect those of my past, current, of future employers.)
Whether you realize it or not you are surrounded by IoT (Internet of Things) devices, which are broadly defined as any non-computer device that is connected to a network or the internet. And they are multiplying.
As I write this article I am sitting at my second home in the glorious White Mountains of New Hampshire, a place that one would think would be somewhat devoid of technology, and even here there is no escape. Within the condo there are several smart TVs (Netflix, Hulu, etc.), a cable modem, an access point / router / firewall enabling all of the devices to connect to our Time Warner cable connection, and a PlayStation 3. Within the typical office network you can add devices such as access points, printers, security cameras, and access control systems to the mix.
And there are many other types of IoT devices available and in general use by individuals and companies that I haven’t mentioned yet such as “smart” appliances such as refrigerators, temperature or climate sensors, remotely controllable thermostats, and security systems.
The security issues with these types of devices typically fall into two buckets:
- Devices that ship with default credentials, including those that can be accessed over the internet such as routers of firewalls. The issue here is that these devices, if shipped with insecure settings by default, may be accessible and reprogrammed by unauthorized individuals or machines (scripts or bots).
- Devices that ship with software (firmware) that is non-upgradable or difficult for non-techies to upgrade. The issue here is that firmware may contain bugs or security vulnerabilities that can then be exploited, and it is very hard if not impossible to upgrade the firmware to versions where these have been mitigated
From my perspective there is a huge opportunity here to solve the real issue of managing security related to IoT devices. The obvious market for such a solution or suite of solutions would be the enterprise. However, I think that there is also a huge opportunity for the consumer space. This would be a great offering for a vendor to bundle into their existing home / security offerings (I’m looking at you Comcast).
The main challenge here is that that the problem of managing IoT security is hard to solve, which is likely why it hasn’t really been solved yet. You have to deal with hard to access devices (which is why a solution needs an on-premise component, even if it’s managed in the “cloud”) and a large number of IoT device vendors that the solution needs to both know about and have the ability to upgrade and / or properly secure. Addressing that will require a lot of work and would be helped by cooperation with third party IoT device manufacturers, which isn’t a given.
I can see a consumer solution being bundled into a device that is already present in homes and is connected to the a solution providers network already: the modem (either DSL, cable, or fiber, doesn’t matter). This device would have to be able to find, identify, and be able to “log in” to the IoT devices present on the home network, likely all connected via WiFi.
The enterprise solution could either be deployed as a stand-alone appliance or integrated as a software solution or upgrade to an existing appliance such as a firewall (I’m looking at you Dell Sonicwall).
So there you have it. An idea for a solution that has yet to be truly addressed to a problem that will only get worse. There are already reports of IoT devices being “hijacked” to participate in distributed denial of service attempts. However there has yet to be an event that awakes this topic into the general public’s consciousness. Hopefully the problem is solved before such an event occurs.