Device manufacturers and consumers will play a pivotal role in the security of IoT devices.

The dawn of the age of the Internet of Things (IoT) has come, with many of us still awakening to the possibilities for new products and applications it brings. IoT seems set to transform our jobs, our cities and homes in ways both marvellous and mundane. But all this promise of change comes accompanied by concerns over new privacy and security risks.

Much focus is placed on privacy, yet many IT professionals worry about the security of devices for another reason: once compromised, such devices can be, and indeed have been, used to perform attacks on the underlying infrastructure of the Internet. The manufacturers of these devices and the consumers that use them have thus come to occupy a novel role in the future of Internet security. Informed action is needed to ensure that all parties are aware, to as great an extent as possible, who plays which role.

Manufacturing the IoT

Light bulb manufacturers used to produce light bulbs. Today they’ve become Internet companies and most don’t realise it yet. This shift has introduced a host of new requirements in terms of privacy, security and technical interoperability that need to be met quickly. At this stage, however, many companies are not yet aware of the fact that these are things they need to be thinking about.

So, on the one hand, there’s the problem of a general lack of awareness about the impact of IoT. This is quite pervasive. A recent Ofcom report points out that, in the UK, companies and end users are often unaware of IoT implications for privacy. Such blind spots can have bad consequences. According to Zingbox, over 70% of healthcare IT decision makers express an unwarranted level of confidence in the security of Internet-connected medical devices. But if an insecure device connects to a network people are relying on for health purposes, the repercussions could be serious. While not directly aimed at devices, the recent WannaCry attack showed how vulnerable our healthcare has become to IT security incidents.

On the other hand, there’s the problem of how companies will adapt to new demands. Many face a transition from being in the business of selling products in one-off transactions to providing a long-term service. Whilst the latter approach might be routine for technology companies, such subscription models are relatively new in many industries, and uncertainties may well arise with regard to their viability. Companies can go bankrupt and products can be discontinued, and what happens to the devices then remains to be seen. There’s a distinct possibility that millions of end-of-life devices will remain in use despite no longer being kept up to date, a situation that can only lead to more trouble.

While these issues still wait to be fully resolved, the role of the customer is also important. In the absence of willingness to enrol in subscription services, many devices still require that users take action to download and install updates. Botnet attacks, which utilise ‘zombie’ computers to carry out an attack, are difficult enough to detect as it is, because the takeover is done without the knowledge of the device owner (Ofcom research, page 6). And more often than not, the owner of the device is not directly impacted by the results of the attack, or does not realise that their own devices are part of the problem.

What does a solution look like?

With problems mounting in the wide space of the IoT, it is unlikely that there is one single solution to them all. But we can certainly try to do our part to secure the areas we are responsible for and, importantly, try to help others who may have less experience with the Internet.

Perhaps one path to take is to stimulate greater public awareness about the potential hazards associated with IoT devices and the damage an insecure device can cause to others. Security is a major cost component, a cost that the public must be willing to pay. At the same time, we need to help customers recognise the quality of devices. One of the solutions under consideration in Europe is an “IoT Trust Label”, which would work like energy labels, enabling consumers to make informed decisions. Representatives from inside the industry, together with public policy makers, are currently investigating the requirements for such a system to be implemented across the EU.

As regards the transition many companies are likely to face, it may be instructive to look at how the traditional Internet community has worked over the years. Through necessity, the Internet industry has developed novel approaches to setting standards and addressing stakeholder concerns. This has resulted in the so-called “multistakeholder model”, which is built on openness, transparency, and participation from all stakeholders. While adoption of these solutions and standards is often voluntary, they see almost universal adoption because they are regarded as “best for everybody”. The mutual benefit of protecting the network and services we all collectively rely on for our business has led to a unique form of industry self-regulation, a model that we hope can also be applied in an Internet of Things.

Another key element is that when there is an incident or vulnerabilities are identified, there is a quick full disclosure of the root cause. This is key not only to maintaining trust but also to safeguarding other network operators and manufacturers who may share the vulnerability. The reporting and investigation of incidents and accidents in the airline industry, for example, has proven to be very effective, to the extent that a similar “just culture” approach is now becoming the new standard in healthcare. These working examples could probably also be applied to parts of the IoT landscape, where small design mistakes or manufacturing errors can have serious and far-reaching consequences. All of this is in stark contrast to today’s reality, where attempting to reveal a security vulnerability to IoT manufacturers will often generate legal threats, and incident investigations are centred on identifying the party liable for the damage.

Finally, inasmuch as the IoT is about things that are connected to the Internet, many of the associated issues may not be quite as novel as they first appear. There are established, open communities that have been working on network and ICT security, privacy, network abuse and related issues for decades, including RIPE, the IETF, IEEE and W3C. These communities have developed a base of standards, documentation and knowledge that will help developers who are working at the intersection of these issues. They also welcome the unique perspective of people working in the IoT field to inform their policy and standards development discussions.