Designing IoT security: Experts warn against cutting corners

Secure IoT device development approaches are changing

Christian Renaud

Security does not appear to be a top concern for IoT companies that decide to work with a vendor or partner to design or add IoT capabilities to products -- but that is about to change.

"We meet with many potential customers, but I can't tell you the last time someone walked in here and led with a question about security," said Mitch Maiman, president and co-founder of Intelligent Product Solutions (IPS), which offers a full range of connected product development professional services. "People may say they're interested in security, but they aren't walking in the door asking for it yet. They haven't realized how important it is, but they will."

Mitch Maiman

One reason for the lack of concern, Maiman believes, is the cost of designing IoT security. "It's very much akin to cars in the 1960s," he said. "Everybody knew that seatbelts were an important safety item and could save lives. But, until laws came along in 1968 saying you needed to put a seatbelt in the car in the U.S., it wasn't being done. Why? People said they wanted safety, but they weren't willing to pay for it. Human nature hasn't changed -- not even 52 years on."

Why security should be baked into IoT device design

Tanuj Mohan

Security really is "an essential part of IoT that needs to be designed in from day one -- it can't be an afterthought," said Tanuj Mohan, founder, CTO and chief product officer at Enlighted Inc., an IoT company with a platform for smart commercial buildings and healthcare facilities. "IoT bridges two worlds. If you look at security in one domain only, you might miss something."

Imagine, for instance, someone wants to rob your building. The culprit needs to know if it is occupied or not. They will also want to find out if the building is configured with wireless occupancy sensors that, when motion is detected, report the activity to the central system -- which is, ideally, fully encrypted.

Mark Milligan

"If I'm sitting outside and see that none of these devices have spoken for the past 15 minutes, I know there's no one in this space," Mohan said. "The building is totally empty, and I can go break in. I'm joking, but you can have the best security, encryption, software and go through all the processes but still miss the fact that there's a leakage because the sensors only speak when there's motion. It doesn't matter that the data is encrypted because I don't need to see its contents to tell that the building is empty. If you're looking at security in silos, you'll miss the big picture completely."

Because IoT devices are interacting with the real world, "you're not only dealing with a network security challenge," said Mark Milligan, senior vice president of marketing at Enlighted. "Looking at the whole picture and starting with security is essential because of things' interaction with the real world."

Consequences of failing to design IoT security into devices

It's very much akin to cars in the 1960s. Everybody knew that seatbelts were an important safety item and could save lives. But, until laws came along in 1968 saying you needed to put a seatbelt in the car in the U.S., it wasn't being done. Why? People said they wanted safety, but they weren't willing to pay for it. Human nature hasn't changed -- not even 52 years on.

Another example of an IoT attack involves something as simple as a remote switch for a building's lightbulbs. "From an IT security vantage point, it's not a big deal," Mohan said. "But, if you have a hacker sitting in the parking lot during the weekend playing with those messages and turning lights on and off every second, by Monday morning, they can burn out every one of them because they aren't designed to be turned on and off that frequently. After tens of thousands of on and off cycles, you'll come back to a dark building and need to replace every light fixture -- which could take weeks."

This is a physical denial-of-service attack. While some could point out that no IT compromise has occurred, the light outage would likely have a major effect on business. "With IoT, you need to be aware of things like your coffee maker talking to the water supply," Mohan said. "A hacker could attempt to flood the entire building by making coffee that keeps spilling out. Simple hacks like that happen all the time in the IoT world."

Legislating IoT security by design

Laws mandating IoT security are emerging, and an IoT security breach will make companies liable to suits from individual consumers. "A big security breach could put a company -- even a big one -- right out of business if it's far-reaching enough and hits lots of consumers who have legal protections around security," IPS' Maiman said. "It's so important, but not everyone has realized how exposed they're going to be -- if security isn't first and foremost."

In order for designing IoT security into the manufacturing process to be taken more seriously, Maiman thinks it will take an example of a large company going down due to a security lapse. "Imagine a breach where data for millions of customers -- think Experian -- is exposed and ends up in the wrong hands. Even a company that big could go down," he said. "Or they'd need to have such an exorbitant insurance policy protecting them that it would endanger their profitability. We'll need to see an example of a company getting severely damaged to ring the bell for everybody else in the industry. It's coming."