For years, IoT security seemed like solving a problem that didn’t exist. Not anymore, says ESET’s Cameron Camp, who was at this year’s CES.
Even the consumer-oriented crowds at CES are asking about security. In an audience that focuses fanatically on the latest gadget features, they’re starting to ask about security in the same breath – how to keep it all safe.
Market pressure has long been the dominant force driving the consumer market. Your product had to get to market quickly to absorb the huge engineering expense of ramping up fast. And if you didn’t, you were out of business. Now security is working its way into the design phase, which is starting to move the rest of the development process toward a security-focused product cycle.
The good news is there are starting to be more security-focused reference designs that you can draw from – so you don’t have to reinvent the wheel anymore. This is great news, as you can bake security in with a steep drop in cost, meaning you can just integrate rather than invent.
If you adopt some of the existing designs, you still have the ability to differentiate in the marketplace based on being more secure, yet without hiring a room full of kernel developers and cryptographers, which you couldn’t afford anyway.
Speaking of market differentiation, customers are now factoring security more squarely into their purchase decisions. Since some consumers are willing to spend a bit more (though not as many as we’d like to see) if they can choose a more secure product, it’s easier to make the case to management that security needs a place at the design table.
IoT here at CES could be more squarely labeled – as some have – Internet of Everything (IoE), meaning that if there is security at the atomic level of the thousands of tiny sensors and computers surrounding the workplace, house, and car of the future, having each of those acting more securely would seem to be a strong step forward for securing things as an entire ecosystem.
But as the sensor count expands exponentially, the potential attack surface also expands, and all scammers need is one hole in the armor to get in and do damage. Never mind the threat of your home network devices turning into an amazingly powerful army of DDoS drones few can defend against; simple chinks in the armor can result in big problems in other areas. If scammers can gain access to your home’s local network, they can impersonate trusted computers – and the firewalls will think they’re to be regarded as safe.
Protecting these swarms then relies on the strength of the weakest link in the chain. This quite frequently means your 10-year-old Wi-Fi router that’s never had updated firmware, but it could come from anywhere in the network really.
To guard against this, there should be some standardization within the industry. It would be difficult to make this compulsory, but if there were a suite of guidelines that were widely accessible by would-be developers launching an IoT play, it would help the whole ecosystem.
Hopefully, 2017 will be the year when this kind of framework takes shape, meaning it will be much easier to just plug-n-play some kind of security best practices schema and bake it into a product. In the meantime, we hope the marketplace favors those companies and products that start with a security focus and then add features you will buy, instead of the other way around. This will help us all to continue to be safe online and help our technology serve us, not turn us into victims.