Ripples from Internet of Things create sea change for security, liability
Companies take steps to set standards for protecting software security
By Roger Yu, ThirdCertainty
Fact about Dick Cheney: When he was vice president of the United States, Cheney so fretted about someone remotely hacking into his heart defibrillator that he had his doctors disable the device’s wireless feature.
Cheney’s prescience about unprecedented exposures arising from the Internet of Things has been borne out.
Manufacturers are foisting Internet-connected medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters and household appliances on consumers faster than hackers—both white hats and black hats—can identify the intrinsic coding flaws.
About 70 percent of the most commonly used IoT devices contain password, encryption, authentication and other vulnerabilities, according to a 2014 Hewlett Packard study. HP reviewed 10 of the most popular IoT devices and uncovered an average of 25 software flaws per device.
The good news is that the tech sector is cognizant of these new risks and is moving to establish baseline stability for the Internet of Things.
It may take a while. A cabal of IT security startups and entrenched tech giants has emerged as the source of proposals to shape a stable foundation on which IoT can stand. Ideas range from software patching to assembling innovative wireless networks dedicated to IoT devices.
“You can think of a future where … there will be tons of sensors around our physical environment,” says Chenxi Wang, vice president of cloud security and strategy at cloud encryption vendor CipherCloud. “It can collect data about our movement, even our body temperature. Privacy is a big issue. Safety could be an issue when those devices are operating critical tasks, like driving a car.”
IoT devices tend to have limited networking and storage capacities. So there’s little room for traditional security software, says May Wang, co-founder and CTO of Silicon Valley-based ZingBox, a startup that provides IT network security services.
“It’s hard to deploy per-device security measures,” says May Wang, no relation to Chenxi Wang.
What’s more, IoT devices often come from small manufacturing concerns on tight budgets. Security routinely takes a back seat to marketability.
“(Manufacturers) realize security is an issue, but they have time and expertise constraints,” May Wang says. “It’s like ‘We’ll get our product out first and worry about it later.’”
Heavy reliance on outsourced software modules to build IoT devices doesn’t help. Opportunity abounds for security flaws to creep in at numerous points of production. “Knowing every touchpoint of the supply chain—who supplies software, where did they come from, what the security postures are—is a big problem,” Chenxi Wang says.
A drive toward more standardization of IoT security software is needed, and plenty of companies are pursuing it to varying degrees of success, she says.
May Wang observes that “we have yet to see any convergence on any one standard.” Even so, two leading efforts include:
• Thread Group. Launched in July 2014, this Google Nest Lab working group’s goal is to provide security certification for IoT products. Thread also is backed by Samsung, ARM Holdings, Big Ass Fans and Yale Security.
• AllJoyn. Led by Qualcomm, this open-source project seeks to create a framework for IoT devices and apps to communicate more securely and easily.
Another approach is to launch new dedicated IoT networks. Today in the U.S., IoT data mostly travels on existing wired and wireless networks operated by the Big 4: Verizon, AT&T, Sprint and T-Mobile. The giant carriers serve as “dumb pipes,” responsible solely for transferring data, while passing the buck for security to other vendors, says May Wang.
Yet most IoT devices transmit only tiny bits of data, such as heartbeats or an alert that a sprinkler needs to be turned on. So a network built to move IoT data reliably and securely at a competitive price has a place. Initiatives pursuing IoT-dedicated networks include:
• The LoRa Alliance. Led by semiconductor maker Semtech, with backing from Cisco and IBM, this group is developing a “Low Power Wide Area Network” specification for wireless battery-operated devices. Such devices would communicate through “gateways” spread across different frequency channels, at cheaper data rates.
• Sigfox. This French company builds wireless networks that connect IoT devices in Europe. By running in the unlicensed 902-megahertz band in the United States, Sigfox sidesteps the need to buy spectrum licenses. Sigfox is expanding initially into San Francisco with $115 million in investment backing from Telefonica, SK Telecom, NTT DoCoMo and Eutelsat.
“Right now, we’re just thinking about IoT devices at home,” May Wang says. “And they may be better off using current cellular networks. But I think there could be alternative cellular networks that are compatible with current networks that will serve well for some industries, such as oil and gas.”
With supply chains and corporate networks getting ever more complex, the heavy lifting to tap into the true promise of IoT has only just begun.
“It’s going to be a continuous battle. But once we have ‘good-enough’ IT solutions, it’s going to ease a lot of concerns,” she says. “A lot of people are not that alarmed yet about IoT devices. And there will have to be a user-education process.”