The issue of IoT security, and the technical fallout from compromised ‘things’, raises many questions. For example: what are the legal implications of having your devices hacked? Could the owner and producer of a connected IP camera be liable for damages caused by a botnet? Is the owner of the device responsible for patching devices with security updates?
So, who’s going to fix all of today’s IoT security shortcomings? Will it be the ISP? The device maker? The owner? For the ISP, solving IoT security – or simply carrying the cost of all of this extra traffic – is a potentially huge cost to bear, for virtually no benefit. As such, they likely won’t rush to address this problem.
Or will the job fall to the device makers? Given that the margins on these minuscule sensors are so small that any security fix would eat into the profits, we shouldn’t expect the device makers to address this problem either.
Can Governments Govern?
Industry commentators such as Bruce Schneier, among others, have called for greater government regulation to address this problem. While this approach could be a solution, it would be wise to examine whether we want to get governments involved. For the most part, governments have struggled with security issues, and some would argue the Internet has evolved as rapidly as it has precisely because of the lack of government involvement.
Cross Sectoral Collaboration
So what’s the solution? One option to consider is industry collaboration. The IT and Telecoms industry has a strong track record of working together to get things done. For example, back when the internet was scaling, the internet routing table used to be a list that got updated and emailed to everyone. That worked fine while the internet was mostly academic institutions, but when it fell apart dramatically in 1989, BGP, or Border Gateway Protocol, saved the internet.
BGP is sometimes derided in the industry as being a terrible solution (and the three guys who invented it agree – they expected it to hold for a couple of months until something better came along). They were working at competitors Cisco and IBM but they approached the problem more like academics than commercial rivals and came up with a hack that was written on three napkins. More than 25 years later, BGP is still in place because it’s good enough to do the job.
In fact, the tech sector is replete with industry examples where companies come together for a greater good. For example, the IETF where BGP was invented, the Wi-Fi Forum, or the GSMA. While it’s in all of our interests to see what positive incremental steps we can try in order to fix the problem, it’s clear that no single vendor, ISP or government can solve this problem. It’s not sufficient to mandate standards or legislate against security vulnerabilities. Every stakeholder in the IoT needs to consider the risks inherent in legions of well-connected devices swamping or – as is more likely – balkanising the internet.
One positive step to addressing this issue is at the access network level. We believe IoT device connectivity needs to move from a default ‘open’ state to a ‘rule of least privilege’. Instead of that embedded IP address being free to talk to any system, including ones it isn’t supposed to or shouldn’t reach, it is granted only the minimum access needed to perform its function, for example talking to three designated endpoints and nothing else.
Another approach is a layered defence in depth, albeit inverted from the usual defence against outsiders. Where IoT devices utilize a home gateway or router, put them on a separate SSID (Service Set Identifier) or VLAN (Virtual Local Area Network) that can be controlled. If on cellular, make sure that custom DNS and IP ACL controls are available, so that access is granted only to the necessary APIs or endpoints. The ability to control and configure access to the connected device at the network layer provides a depth of security that would overcome much of the botnet challenge encountered by service providers recently.
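As an added illustration of the ‘three designated endpoints’ rule above (example code, not from the article or Asavie), the following encodes a per-device egress allowlist for an IoT VLAN, renders it as default-deny nftables rules, and audits constructed flow records against it to surface devices talking where they shouldn’t. All addresses, ports and device IPs are placeholders.

```python
"""Least-privilege egress policy for an IoT VLAN, rendered as firewall rules
and checked against flow records. Added example; all values are constructed."""
from typing import Dict, List, Tuple

Endpoint = Tuple[str, str, int]  # (proto, dst_ip, dst_port)

IOT_VLAN = "10.20.0.0/24"        # placeholder IoT VLAN
RESOLVER = "192.0.2.1"           # placeholder gateway resolver for the VLAN
# Placeholder policy: device IP -> the only endpoints it may reach.
POLICY: Dict[str, List[Endpoint]] = {
    "10.20.0.11": [("tcp", "198.51.100.10", 8883),   # MQTT broker
                   ("tcp", "198.51.100.20", 443),    # firmware updates
                   ("udp", "198.51.100.30", 123)],   # NTP
}

def is_allowed(src: str, proto: str, dst: str, dport: int) -> bool:
    """Default deny: only DNS to the designated resolver plus listed endpoints.
    An unknown device has no allowlist, so every flow from it is denied."""
    if proto == "udp" and dst == RESOLVER and dport == 53:
        return True
    return (proto, dst, dport) in POLICY.get(src, [])

def to_nft_rules() -> List[str]:
    """Render the same policy as nftables forward-chain rules, ending in a
    logged drop so that violations are visible to monitoring."""
    rules = [f"ip saddr {IOT_VLAN} ip daddr {RESOLVER} udp dport 53 accept"]
    for src, endpoints in POLICY.items():
        for proto, dst, port in endpoints:
            rules.append(f"ip saddr {src} ip daddr {dst} {proto} dport {port} accept")
    rules.append(f'ip saddr {IOT_VLAN} log prefix "iot-egress-deny " drop')
    return rules

def audit_flows(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return flows that violate least privilege; each is an alert candidate."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, proto, dst, dport = line.split()
        if not is_allowed(src, proto, dst, int(dport)):
            violations.append((src, proto, dst, int(dport)))
    return violations

# Constructed flow records in 'src proto dst dport' form (e.g. from conntrack).
FLOWS = """\
# src proto dst dport
10.20.0.11 tcp 198.51.100.10 8883
10.20.0.11 udp 192.0.2.1 53
10.20.0.11 tcp 203.0.113.77 23
10.20.0.12 tcp 198.51.100.10 8883
""".splitlines()

if __name__ == "__main__":
    print("\n".join(to_nft_rules()))
    for flow in audit_flows(FLOWS):
        print("VIOLATION", *flow)
```

The audit flags the camera reaching out on telnet (port 23) to an unlisted host, and the second device entirely, because a device absent from the policy has no granted access at all.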
In conclusion, initiatives to fix the problem with IoT and security need to be driven by individual firms or via collaboration between industry and government. Right now, the very least we can do is not to make the situation worse and to start to implement some greater degree of defence in depth or ultimately face a classic tragedy of the commons.
Keith O’Byrne, Head of Solutions, Asavie – In his role Keith consults with carriers in USA, Europe and Asia on next-generation IoT and mobility solutions. Keith has over 18 years of security and IT experience advising some of the world’s leading organizations on their Infosec posture and network design. Prior to Asavie, Keith worked with BeTrusted, Baltimore Technologies and Scottish Provident. Keith was CISSP accredited in 2001 and has earned a host of IT/Networking vendor certifications from the usual suspects. In his spare time Keith’s a bit of a pistonhead, and is at his happiest tinkering with the oldest and newest of engines.