According to a 2020 report by Palo Alto Networks, 98% of IoT data traffic is unencrypted. This statistic is mind-boggling given what we know about the risks. To appreciate the scope of this problem, it is vital to understand that encryption is only a single link in a long chain needed to secure IoT, data, and our world.
Comprehensive IoT security requires an integrated group of device management services, including secure device commissioning, certificate management, a mechanism for providing firmware updates over the air, and strong authentication and authorization capabilities. Guess what? If 98% of the data isn’t encrypted, most people don’t have access to these services either.
The bad news
Where to start? IoT fundamentally changes the cost of collecting and acting upon data in an increasingly data-centric world. However, most everybody is focused on the opportunity, conveniently ignoring security. Security is secondary, a cost-center with a difficult-to-measure ROI, but IoT presents real, growing, systemic, and terrifying dangers.
The 2016 Mirai botnet attack targeting CCTV cameras almost brought down the internet, and was the work of teens. The code behind the attack is freely available on the internet.
Things are not improving. Avast recently described IoT threats using terms like “surging” and “dropping kids in a candy store,” saying it will get worse.
Vulnerabilities exist from the devices to the networks to the cloud. The devices contain flawed code and libraries, as with the Ripple20 IP vulnerability.
Current encryption approaches are limited. A device’s data is only encrypted until the next stop in the network, so if a network is compromised, the data is potentially compromised too.
In 2020, the UK, US, and Europe all implemented IoT security legislation. Although well-intended, legislators did not want to over-regulate and focused on the basics and guidelines.
Even legislative hard requirements like firmware updates over-the-air can be problematic. Firmware updates can patch devices, correcting flaws like the previously mentioned Ripple20. Still, the firmware update mechanism must be secure. Too often, this is not the case.
Speaking of firmware, many of the proprietary low-power wide-area networks like LoRaWAN and Sigfox lack the bandwidth to deliver firmware updates.
Today, many IoT solutions are black-box proprietary efforts. We don’t know the code inside the device, which often contains accidental vulnerabilities like Ripple20 or intended backdoor vulnerabilities.
An additional issue is that many enterprises lack the knowledge, capabilities, and resources needed to address these challenges. It is often IT’s job to protect IoT, but the commonalities mostly end with the letters. IT is web-centric and centralized, with nearly unlimited computing resources and with users near most computers.
IoT devices are remote and physically vulnerable, with other constraints like bandwidth, CPU power, and energy. They are increasingly ubiquitous, and the use cases don’t support the economics of human intervention.
Finally, muddying the water are the increasingly litigious legal issues. Recently 30,000 companies lost data due to an email hack. The hacked technology provider is only partially responsible. How much? It will take millions of dollars, years, and many lawyers to find out.
IoT solutions are similarly complicated, raising the question of who will spend money to fix something for which they may or may not share responsibility. Like car manufacturers, some may decide it is just cheaper to fight and settle or shift blame to another party than to do the right thing.
The good news
It needn’t be this way, and with a bit of luck, some macroeconomics, Adam Smith’s Invisible Hand, and common sense, IoT can be secured.
IoT adoption did not meet early expectations. Why? Perhaps the market and the technology weren’t ready, but two undercutting challenges were bad connectivity options and poor security. This is changing.
The world now has two telecom-centric global connectivity solutions perfect for most IoT solutions. NB-IoT is ideal for applications like smart metering that need to send small amounts of data, while LTE-M is better for solutions requiring more data and bandwidth. LPWA networks operated by telecoms provide essential security benefits, including robust authentication mechanisms, comparatively longer encryption keys, and enough bandwidth to deliver firmware updates.
Many IoT solutions will have lifespans of a decade or more, making firmware updates key to maintaining security.
Telecoms have also significantly contributed to a second non-network standard, the Open Mobile Alliance’s Lightweight M2M.
LwM2M provides IoT solutions with a standardized framework to manage connectivity, report data, secure IoT solutions, and provide firmware updates. Gartner recommends manufacturers focus on LwM2M to rationalize their cellular IoT development efforts.
LwM2M provides an end-to-end security framework optimized for IoT’s challenges.
Of particular note is OSCORE, an encryption standard just for IoT and part of LwM2M. OSCORE saves energy, a vital ROI consideration for battery-operated IoT solutions. More importantly, OSCORE encrypts data end-to-end, so even if a network has been compromised, the data is secure.
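The contrast between per-hop encryption and end-to-end object security, as an added example (not from the original article and not taken from any LwM2M or OSCORE implementation): a gateway between device and server can read and silently alter a reading when only the links are encrypted, but not when the device seals the payload for the server. `seal`/`unseal` are a standard-library stand-in for the AEAD a real stack would use; every name, key, and the sample reading are assumptions made for illustration.

```python
import hashlib, hmac, os

def _prf(key, label, data=b""):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (stand-in cipher, assumption).
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC with derived subkeys: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce, ct)[:16]

def unseal(key, blob):
    """Verify the tag before decrypting; raise ValueError on any modification."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce, ct)[:16]):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

READING = b'{"meter":"constructed-001","kwh":42.7}'  # constructed sample payload

def hop_by_hop(reading, k_dev_gw, k_gw_srv, tamper=False):
    """Only the links are encrypted: the gateway decrypts, then re-encrypts.
    Returns (what the gateway held, what the server accepted)."""
    at_gateway = unseal(k_dev_gw, seal(k_dev_gw, reading))
    if tamper:  # models a compromised hop changing the value in transit
        at_gateway = at_gateway.replace(b"42.7", b"00.0")
    return at_gateway, unseal(k_gw_srv, seal(k_gw_srv, at_gateway))

def end_to_end(reading, k_dev_srv, k_dev_gw, k_gw_srv, tamper=False):
    """The device seals for the server first; link encryption wraps that object.
    The gateway never holds k_dev_srv, so it only handles ciphertext."""
    at_gateway = unseal(k_dev_gw, seal(k_dev_gw, seal(k_dev_srv, reading)))
    if tamper:  # any bit flipped at the hop breaks the server-side tag check
        at_gateway = at_gateway[:-1] + bytes([at_gateway[-1] ^ 1])
    forwarded = unseal(k_gw_srv, seal(k_gw_srv, at_gateway))
    return at_gateway, unseal(k_dev_srv, forwarded)
```

In the per-hop case the server has no way to notice the altered reading, because the gateway legitimately holds both link keys; in the end-to-end case the same modification surfaces as an authentication failure at the server.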
Finally, LwM2M is a standard. Many experts have contributed to making sure things like the FOTA mechanism are as secure as possible, but as flaws are discovered, and they will be, many will contribute to resolving the issue. We cannot say this of proprietary non-standardized approaches.
In a few short years, IoT and AI will be everywhere. The 20th century ran on oil. The 21st century belongs to knowledge and data. IoT’s value increases as data velocity increases. New efficiencies are created as the data in one ecosystem, like transport, is leveraged by another, like smart cities.
Imagine a delivery drone requesting permission to land at your house and a city light immediately coming on. Data, IoT, and AI will need to work seamlessly together to make that happen.
We are not far away, but we must first answer the pressing questions of how we secure these solutions and securely share the data while respecting data privacy.
The opportunities and dangers are real.
What can you do to protect your devices, data, and the world? It starts with awareness, prioritizing security, and insisting on standards.
(This is a slightly modified version of an article originally published in CPO Magazine. The original article can be found at https://www.cpomagazine.com/cyber-security/iot-security-iot-neednt-be-the-internet-of-threats/)