The Internet of Things is moving ever closer to an Internet of Everything, with more devices and dinguses connected to, and controlled via, our worldwide network of networks.
The last decade or so has seen an explosion of new ways to monitor, track and operate a growing range of tools and appliances, but as this marketplace bloomed, security issues were all too often an afterthought.
Companies with long expertise in building everything from lightbulbs and fridges to cars and railway systems suddenly found themselves also in the networking and software business, and perhaps inevitably focused first on getting things to connect, only later tacking on security provisions when hijacks, data leaks and other fails embarrassed them into action.
As the field reaches a more mature stage, there is finally more focus on getting the security right as a basic, rather than an extra.
It’s almost 40 years since the famous Coke vending machine at Carnegie Mellon University first started reporting its stock levels and temperatures via the Arpanet in 1982, several years before the term internet took off.
A steady expansion into other areas of life curved upward sharply as smartphones entered the pockets of just about everyone in the wealthier parts of the planet, allowing anyone with the right app (and ideally the right credentials) to log into their smart doorbell to see who’s outside the door, or turn up their heating as they head home from a hike.
Away from the consumer sphere, ever more advanced “things” are going online: surgeons can operate on patients on the other side of the planet using precision-guided robots, the position and inventory of vast cargo ships can be tracked and managed from a computer in a dark basement, and armies are replacing human soldiers with remotely controlled drones.
Over the years there have been all sorts of scare stories surrounding emerging IoT technology.
They tend to be about nanny-cams being hijacked by trolls who want to frighten children, or cars and fridges being taken control of remotely by researchers, but also include less visible dangers like the Mirai botnet, which infected possibly millions of IoT devices, most of them cameras and routers, and used their collective power to launch massive DDoS attacks.
In most cases, these issues have been down to poor security practices: hard-coded admin passwords, software vulnerabilities (made worse by difficult if not non-existent patching processes), and sloppy encryption practices.
As device makers become more aware of these dangers, and the reputation damage that can result from a breach, improvements have slowly been made, but it’s only very recently that any sort of consensus or standards have started to emerge.
One group pushing hard in this direction is the ioXt Alliance, tagline “internet of secure things”. Since it was founded in 2019, the group has built up an impressive roster of members, including giants like Amazon and Google and a number of VPN firms.
Their certification program for hardware has covered everything from switching equipment and air conditioners to smartphones and routers (of course, there are a few fridges and lightbulbs in the mix too).
Most go down the self-certification route, confirming that they meet the requirements without external validation, but a lab-tested path is also available.
In the last few weeks, this range has been expanded to include mobile apps, with a special focus on VPNs. This marks a fairly major step-change, with the security certification of mobile controller apps as well as the devices they control meaning both ends of the chain are measurably more secure.
The initial line-up of certified apps is dominated by VPN software, but several controller apps are also listed, including the Hubspace smarthome management app marketed by Home Depot. Doubtless more will follow.
The ioXt Alliance focuses on 8 key areas in their “pledge”. These include some concepts familiar to most in the security world, such as using only unique passwords, properly proven cryptographic methods, properly signed software, transparent vulnerability reporting, and automatic (and timely) updating.
A vaguer requirement is to ensure all interfaces are “appropriately secured”. The list also demands an attitude change to “security by default”, banishing the days of tacked-on protection to the past and making sure secure methods and approaches are baked in from the start.
Finally, they also require product makers to provide an expiration date for security updates, putting an end to the problem of devices unexpectedly becoming obsolete thanks to the provider deciding to drop support, although it may not help much with the issue of providers going out of business.
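The signed-software, automatic-update and support-expiry requirements above fit together in a single update check on the device. The Go program below is an added illustration written for this article, not code from the ioXt Alliance or from any certified vendor; the manifest layout, its field names, the choice of Ed25519 and the sample values are all assumptions made for the example. It shows the vendor signing a manifest, and the device verifying the signature before it parses anything, checking the image digest, refusing a rollback to an older version, and reading the published support-end date so a controller app can tell the user when security updates stop.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest describes one firmware image. The field set is an assumption made
// for this example; ioXt does not prescribe a manifest format.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint32 `json:"version"`
	ImageSHA256 string `json:"image_sha256"` // hex SHA-256 of the image bytes
	SupportEnd  string `json:"support_end"`  // RFC 3339 date until which security updates are promised
}

// Device models the state an installer needs: the vendor's public key (fixed at
// manufacture) and the installed version, which provides rollback protection.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify")
	ErrImageMismatch = errors.New("image digest does not match manifest")
	ErrRollback      = errors.New("update version is not newer than installed")
)

// SignManifest is the vendor-side step: serialize the manifest and sign the
// exact bytes that will be shipped, so the device verifies what it parses.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the device-side step. The signature is checked before the
// bytes are parsed, so untrusted input never reaches the JSON decoder; then the
// image digest and the version monotonicity (anti-rollback) are checked.
func (d Device) VerifyUpdate(body, sig, image []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(d.VendorPub, body, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return m, ErrImageMismatch
	}
	if m.Version <= d.InstalledVersion {
		return m, ErrRollback
	}
	return m, nil
}

// OutOfSupport reports whether the manifest's published support-end date has
// passed at time now; a controller app would surface this to the user rather
// than silently continuing. A malformed date is treated as out of support.
func OutOfSupport(m Manifest, now time.Time) bool {
	end, err := time.Parse(time.RFC3339, m.SupportEnd)
	if err != nil {
		return true
	}
	return now.After(end)
}

func main() {
	// Constructed demo: a fresh vendor key pair and a fake image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes")
	sum := sha256.Sum256(image)
	m := Manifest{Product: "example-thermostat", Version: 5,
		ImageSHA256: hex.EncodeToString(sum[:]), SupportEnd: "2030-01-01T00:00:00Z"}
	body, sig, _ := SignManifest(priv, m)

	dev := Device{VendorPub: pub, InstalledVersion: 4}
	if got, err := dev.VerifyUpdate(body, sig, image); err == nil {
		fmt.Printf("accepted %s v%d, out of support: %v\n", got.Product, got.Version, OutOfSupport(got, time.Now()))
	}
	// A single flipped byte in the manifest must be rejected before parsing.
	tampered := append([]byte(nil), body...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = dev.VerifyUpdate(tampered, sig, image)
	fmt.Println("tampered manifest:", err)
}
```

The order of the checks is the point: signature first, so a forged or corrupted manifest is discarded before any parsing; then the digest, so the manifest cannot be paired with a different image; then the version, so a validly signed but older, vulnerable build cannot be reinstalled. The support-end date is carried in the signed manifest so the device and its controller app learn the expiry from the same authenticated source.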
Buying a fridge or a thermostat used to be about capacity, style and build quality, but consumers now have to worry about their devices suddenly no longer being secure enough to use, or even stopping working completely, if control systems are shut down or updates are no longer issued. The requirement to set a life expectancy will be at least some help here.
Standards built by consensus among a group of experts are required in most fields of life, but especially so where something as complex and problem-prone as the internet merges with so many aspects of everyday life. Groups like ioXt, and the standards they generate, hold established players to account for making sure they do things right, but also provide precious guidance for newcomers trying to enter a market.
Putting an end to unreliable products pushed out by cowboy outfits, or indeed by well-intentioned amateur producers, should benefit everyone. So should ensuring that the big players follow established rules and regulations. As the internet and the physical world become more closely intertwined, we need groups like this to build out the structures on which our lives will depend.
If you would like to assess the risk IoT poses in your organization, contact the experts at TBG Security. Our cybersecurity risk assessment team can guide you through the process of hardening your environment, so you don’t become the next victim thanks to someone along the way taking their eye off the IoT ball.