Sorting out the ugly details of IoT security
I get at least one if not handful of pitches a week from people who want to write guest articles about the lack of security in the Internet of Things. They all start the same:
“By 2020 there will be 10 gazillion IoT nodes connected…” The best ones make a few specific recommendations about using authentication and encryption.
It’s not enough. Some of the big thinkers in our industry discussed the issue as part of a panel sponsored by the Association for Computing Machinery on the future of the Internet that marked 50 years of the Turing Award.
Reading a transcript, I wondered aloud if we need a working group to define a set of basic security/privacy standards and a simple certification test for them. A logo could let consumers and business users know the products support at least fundamental capabilities.
In the event of a significant hack, the tools might even be useful to identify what holes need to be plugged. As a starting point, perhaps it is enough to require multi-factor authentication and encryption based on a hardware root-of-trust.
It’s a concept worthy of an English major (me), but it has a long way to go to pass muster among engineers (you). So I invite your feedback.
The first really great piece of feedback is already in from Nick Feamster, a professor of computer science at Princeton and a 2016 ACM Fellow. He was also one of the big thinkers in the Turing panel.
Feamster was generally supportive of the concept of a sort of Underwriter’s Labs of IoT security. But he noted the devil is in the details:
First, who is the certification body? Should it be entirely composed of members from industry? If so, which stakeholders are involved? Second, what requirements should go into the certification program? Being overly prescriptive may backfire in light of the rate at which technology (and attacks) progress. Third, consumers may not appreciate the value of certification, particularly if meeting the requirements of certification increases the cost of a device. Finally, how will the certification standards be implemented? As much as a certification lays down rules of the road, the process must also make it as easy as possible for vendors to adhere to it.
OK, so there are a few ugly details to get sorted out. The good news is some groups are already at work on some of these kinds of issues.
Continue to the next page on Embedded's sister site, EE Times: "IoT security: What we need next."