European Custom Installer

System Integration for the Connected Home

Security for the IoT – Is There a Role for Standards?

  • PDF

by Alan Grau, President and co-founder of Icon Labs

Alan Grau

From the Consumer Electronics Show in Las Vegas to Embedded World in Germany, the IoT is moving beyond market hype and early deployments to broader deployments. For better or for worse, the IoT is here to stay.

Companies are launching IoT products, services and platforms at an astonishing rate.  Secure vulnerabilities are being introduced at an equally brisk pace.

In July of 2014, HP Labs did a study of 10 popular IoT devices and found that the security was shockingly bad. The researchers studied 10 devices, looking at the end-to-end security capabilities of these devices including privacy protection, authorization, encryption, user interface protection, and code security.

House hijacker

They found that 70% of the devices had at least one MAJOR vulnerability!  By the time they completed their study, the researchers identified over 250 vulnerabilities, an average of 25 security vulnerabilities per device.  Security was clearly an afterthought - or worse - for these devices.

Things are slowly starting to change for the better.  Hardware companies are including security in their platforms, adding crypto accelerators, secure key storage, random number generators and other enabling technologies.  Still, security is still lagging in the IoT devices being produced.

[PHOTO RIGHT, CAPTION] Consumer electronics are increasingly becoming targets of hacking attacks. These attack vectors range from vulnerabilities built into the devices when they left the factory as well as improperly set up home networks and device security set-up issues.

Adding to the challenge, even the most tech savvy consumers have little ability to know which brand of IoT device provides strong security.  An OEM may claim “built-in security”, but that phrase alone means little. Various products from the same manufacturer may have differing levels of security. Even worse, the manufacturer may discover and created a update for specific security vulnerabilities but is not able to get the solution into the products that are already in consumers’ homes!

Standards for IoT

IoT standards groups are emerging to address issues of interoperability, communication protocols and, even security.

Security standards can serve two functions.  First, they provide guidance to companies in the development chain building the devices.  They help set requirements for the chip manufacturers, RTOS companies, independent software vendors and the OEMs.  Properly written, they define the required capabilities and provide testable guidelines for measuring the efficacy of security implementations.

The second function of security standards is to help consumers know if they are safe. As these standards are created, care should be taken to ensure they provide a method for consumers to evaluate the effectiveness of product security. Is the security up to date? Are the latest updates successfully installed and implemented into their devices.

This will undoubtedly be a long process, but it is the ultimate goal of security standards.  Consumers rely on Underwriters Laboratories (UL) or CE safety ratings. Security standards should serve the same function.

A security standard that defines a measurable, and ideally testable, specification would serve this function quite well. Testing for security is always a challenge as it is impossible to completely test for the lack of security vulnerabilities. However, standards that ensure compliance with security best practices can create a useable standard.  Devices that meet this standard can be trusted by consumers to provide a reasonable or acceptable level of security for common use.

Locks

[PHOTO LEFT, CAPTION] To properly protect a device or system from cyber-attacks, a variety of different modes need to be implemented depending on how critical the security risk is.

Creating a Security Standard

Cyber security is hard.  Enterprise and IT organizations have been focused on cybersecurity for a long time and still data breaches and cyber-incidents are both commonplace and on the rise.

The IoT adds new challenges for cybersecurity.  Devices are smaller, with fewer resources available for security. They are often located outside of the security perimeter and are can often be probed by would-be hackers with impunity.

Hackers may be able to purchase or steal a device and access the firmware, allowing them to disassemble the source code and look for vulnerabilities. What works today may not work next year as hackers devise and implement new attack strategies.

Given these challenges it’s clear that it will take more than a standard to create a world of highly secure IoT devices. But this does not mean security standards are not important.  A standard can provide guidance to developers. Conformance to a well-defined standard can ensure that devices follow best-practices for cyber-security and include fundamental security capabilities in all IoT devices.

While security standards are being developed, OEMS need to begin building security into their devices to get started in creating the Internet of Secure Things.

+++

Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for IoT and embedded devices.  He is the architect of Icon Labs' award winning Floodgate Firewall.  Icon Labs was named a 2014 Gartner “Cool Vendor” and 2015 Gartner “Select Vendor”, and is focused on creating The Internet of Secure Things by providing a security from for even the smallest IoT devices.

Alan has 25 years’ experience in telecommunications and embedded software marketplace. On December 29, 1992 Alan co-founded Icon Labs, an embedded systems software development company whose clients include Motorola, Lucent Technologies, Intel and Tellabs. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola.  Alan has an MS in computer science from Northwestern University.

You can reach him at alan.grau [@] iconlabs.com