The IoT in 2018: Four reasons to be excited, four reasons to be worried
Confusion about security technology and practices will erode the potential utility of the IoT
News about serious security breaches and zero-day vulnerabilities in systems has unfortunately become commonplace, and the attacks are coming closer to home both figuratively and literally: The Triton penetration demonstrates that even a sophisticated industrial safety system exposes attack surfaces, and warnings about session key reuse in Wi-Fi systems show how accepted authentication protocols can be made vulnerable.
Security breaches and zero-day faults will not vanish. If anything, the complex systems and interfaces associated with an IoT application present untold attack surfaces that make the IoT a particularly inviting target. Consumers using connected products seem to recognize the risk but value the services they receive so highly that they’re not willing to disconnect. A recent Cisco survey of 3,000 consumers suggested that consumers see a high value in the IoT but have very little trust that their data collected by the IoT is secure. In fact, 42% said that the IoT is so integrated into their lives that they would have difficulty disconnecting temporarily or permanently. Of course, consumers may well change their tune in the event of a serious breach.
For development organizations, security (and its twin, privacy) is the threat hanging over most IoT implementations. Fundamentally strong hardware-based security mechanisms for encryption and authentication are necessary but not sufficient precursors to strong security and to more robust platforms that provide a root of trust for system software and applications. Although vital, even that increased level of trust needs to be backed by more sophisticated methods for detecting and deflecting attacks, but the Triton compromise shows that even those monitoring systems are only one facet of a broad approach to security.
For many IoT development organizations, however, the challenges in implementing security arise from multiple sources including cost, data volume and velocity, and more, according to Gemalto’s recent study involving 1,050 IT and business decision makers and 10,500 consumers. One source of confusion about security suggested in this survey should be of particular concern to every stakeholder in an IoT application. Among security challenges, 26% of decision makers and 41% of consumers in the Gemalto study said that it is not clear who is responsible for security (Figure 10).
Figure 10. A Gemalto survey reveals IoT security challenges as viewed by corporate decision makers (left) and consumers (right). (Source: Gemalto)
In a separate study of decision makers, Vodafone found that each participant in an IoT application shared some measure of responsibility for security (Figure 11) – recalling the basic premise behind the ARM Security Manifesto. Indeed, security is a complex undertaking with multiple facets – not only in technology and protocols but also in the way consumers, developers, and providers approach the connected product.
Figure 11. In Vodafone’s survey, respondents indicate that each participant in an IoT application bears some level of responsibility for security. (Source: Vodafone Group)