The troubling lack of focus on securing the IoT
The massive growth of Internet of Things (IoT) devices over the next one to three years should give us pause. As companies rush to get to market first, are we seeing a “dumbing down” of basic device principals that we have been working with for years, particularly enhanced security and privacy. With so many distinct applications, device scope and diversity represent a unique security challenge that so far has not been met.
I estimate that 85 percent or more of current IoT devices deployed in the real world do not have adequate security installed, and it’s likely that the vast majority of those will never be upgraded (or are not even capable of being upgraded). That means not only do current devices being installed pose a risk, but over the next one to two years, the vast majority of devices that will be deployed also pose a risk.
It’s a bit better in the Enterprise of Things (EoT) world, where devices generally are more costly and able to be enhanced for manageability, reliability and security. But in the price-sensitive market for consumer IoT devices, there is a real lack of security focus.
Build security into IoT devices, don’t add on later
The real challenge, whether EoT or IoT, is going to be deploying devices that are designed using platforms that have an inherent security capability built in — not one of adding security after the device has been created. The add-on approach has never worked well in the past, and this market will be no exception.
What are some of the key security components needed in any platform?
- Trusted execution environment at the hardware level
- Secured UI (if used) to prevent hacking
- Secured storage to keep data encrypted
- Firmware and OS-secured lifecycle management
- Protected communications capabilities and connections, including VPN
- Key management and provisioning of device ID and login
- Ecosystem of development tools and methods that enable good security design practices
- Case-specific profiles and recommendations for best-of-class implementations
We have gone through all of this before in the mobile world, especially in the enterprise market, and unfortunately many IoT vendors have not learned that lesson. It will be critical that emerging devices, whether consumer- or enterprise-focused, be able to show a clear security and privacy capability or face ultimate rejection in the marketplace.
Indeed, devices that add a secure platform will have a major competitive advantage. And those that don’t will face market backlash and potentially legal consequences for any security breaches.
Adding security to IoT devices adds value
Some have argued that adding security components will make IoT unaffordable in a price-conscious market. I estimate that a truly secured capability adds a marginal amount (5 to10 percent) to the cost of hardware, and, therefore, cost should not be a primary inhibitor to adding secured internal infrastructure to any IoT device, particularly ones that are mission critical and/or are not priced as throw-away consumer devices.
So, it’s more philosophy and not understanding the importance of security that causes some makers to not take security seriously. The added cost is trivial compared to the value it adds.
Upping the security of IoT/EoT is not that hard. Most current-generation IoT devices are built using commodity microcontrollers that are not inherently designed with the security components built into mobile phone-derived SoCs (e.g., trusted execution “vaults,” encryption engines, VPNs). With a long history of security enhancements over the years and a compelling need to compete in security features, it’s much more appropriate to utilize “downsized” mobile SoC technology than trying to reinvent security in software on chips not inherently designed with the same number of security subsystems.
As a result, downsized mobile SoCs have both a competitive advantage in system capability, even if they may cost somewhat more, and have already-proven security features that microcontrollers generally can’t match. This gives them a major advantage in the next generation of security-conscious IoT devices. And I expect that most new IoT, and especially EoT, designs will incorporate one of these as the platform of choice rather than simpler microcontrollers.
IoT device makers can’t ignore security lessons
Bottom line: We’ve learned much over the years designing smartphones and making them far more secure. And we should not ignore those lessons as we move on to the next phase of mobility — IoT and EoT. Leveraging all of the capabilities in hardware designs and software from smartphones makes the most sense if security is to be taken as seriously as it should.
With the many varied and growing number of reference designs using platforms designed as modified smartphone chips making it to market, I expect a surge of these devices to be powered by a more secured environment. And this is to the benefit of all of us being affected by IoT/EoT. Anyone building or deploying such technology should make sure they are built on one of these smartphone-derived platforms and not on a simpler and less-secure device.