The outcry over security compromises involving ‘Internet of Things’ (IoT) devices has led to much hand-wringing over the potential future of the market. But every cloud has a silver lining – all this attention will only accelerate technical and market solutions for IoT security.
Several models of IoT devices were compromised by hackers via their internet connections towards the end of last year and recruited into a botnet used to propagate denial-of-service attacks on mainstream websites. Consternation ensued, including the invention of a new term: ‘Internet of Insecure Things’.
There’s some good news
For current and prospective makers of IoT products, the good news is that these incidents and the resulting media outcry have done much to raise awareness, whilst the attacks themselves were propagated on noncritical parts of the internet.
We are optimistic that governmental regulatory bodies, independent testing and certification laboratories, and product companies can move forward from these incidents to address these issues of the IoT in a practical but effective way. For example, it is our expectation that governments will find ways to hold product companies accountable for the security of connected devices through requirements to disclose security incidents and known vulnerabilities to their shareholders, as has been mandated by the U.S. Securities and Exchange Commission since 2011. This in turn will incentivize product companies to address security through better engineering and cyber insurance – and the need for insurance will give rise to standards of testing and certification.
Digital security has come to be seen as the major gating factor to the success of the IoT. But lack of security in IoT devices is generally not due to lack of leadership or engineering capabilities – rather, it is a market failure. The devices in question are insecure because it currently doesn’t make economic sense to implement an appropriate level of security. But brand-conscious leaders of companies that manufacture connected devices are starting to consider the ‘annualized loss expectancy’ associated with security risks. Most importantly, product stakeholders are quickly becoming aware that improper security is no longer a negligible risk to their brands.
With some straightforward strategy in hand, device makers can reduce this risk and meet customer expectations without undue impact on their business models. At Cambridge Consultants and Synapse, we have distilled our collective experience in developing secure connected consumer products into a handful of key things to think about.
Firstly, security is always a trade-off, and the only way to minimize the downsides is to strike the right balance early. Digital security and privacy live on a spectrum, from complete openness to extremely powerful cryptographic protection. Heightened security will always come with downsides, including:
- User experience – establishment of authenticity and provisioning of cryptographic systems always introduces extra steps for a device’s user, which can be cumbersome. A device’s responsiveness can be reduced by the need to establish session keys for every communications transaction, and the need to remember passwords is always a downside for a user.
- Product cost – often, the ability to do complicated cryptographic mathematical operations, or the need for secure storage of sensitive information, can introduce significant increases in the cost of silicon in a product’s bill of materials.
- Power budget – cryptographic considerations for battery powered devices can also mean a processor must stay awake for a longer duty cycle, and more data must be sent over a wireless link. In turn, a larger battery will be needed or the device will not operate as long before recharging is needed.
- Cost of development – proper design of digital security can constitute a significant portion of the engineering development cost for an otherwise simple device.
However, digital security is just one trade-off of many that must be made in designing a product and, as with all such trade-offs, the cost can be greatly minimized by making these decisions early in the design cycle – during initial requirements gathering, and during early-phase feasibility studies and proof-of-concept work. For digital security, in particular, it is very important for business stakeholders to work closely with the engineering design team to understand the technical implications and map them to potential business risks.
A second issue is the tendency of product stakeholders to focus on certain aspects of security at the expense of others. When evaluating business risks, it is important to maintain a broad perspective across all concerns, such as:
- Data at rest – protection of private information stored on a device. Designers should consider protection from both software attacks and physical attacks.
- Data in motion – protection of private information whilst ‘in flight’ over communications channels. Designers must take care to protect internal communications busses as well as external networking protocols.
- Manufacturing – protection of private information throughout the supply chain.
- Privacy – prevention of unwanted identification and tracking of users via otherwise innocuous data, such as network addresses.
- Future-proofing – a commitment to maintaining an ability to respond to security incidents with firmware patches, and a mechanism for deploying patches to devices in the field.
- Security architecture – hardware and software design that provides security in layers using techniques such as internal firewalling and memory protection to deny full system access should a subsystem be compromised.
Thirdly, it is important to understand that integration is better than invention when it comes to security. While a system designer should never assume that a tested pre-existing software or hardware package is 100 percent secure, it is a general rule among those responsible for secure product engineering that newly designed hardware and software components are much more likely to have security bugs. To the greatest extent possible, we integrate well-tested off-the-shelf hardware and software when building a consumer product, and minimize the amount of new engineering, especially in components that are critical to security.
Finally, although we have strong in-house quality assurance capabilities and a solid understanding of how to test for security, we also believe that bringing in outside experts for security audits and system testing is a very effective way of establishing and maintaining product security. We maintain relationships with partners who bring this specific expertise into the product development process.
As product designers, we believe the days of ‘security through obscurity’ for connected consumer products are decidedly over. Product designers can no longer ignore the risk that a potential security compromise poses to their brands. The good news is that recent incidents have raised awareness of the issue across the market, which levels the playing field for all manufacturers – and ‘design for security’ can be achieved with minimal downsides if considered early in the process.