Homes are increasingly becoming connected through internet of things (IoT) devices, bringing new applications, interactions and a new level of experiences to consumers.
With this connectivity come legitimate questions and concerns about IoT device security, given the industry's fragmentation and the vulnerability risks posed by poorly designed or extremely outdated connected products.
IoT opens up new and exciting opportunities, with industry experts expecting it to fuel economic growth and contribute as much as $11tr per year to the global economy, but it also poses a serious threat to security.
Few will have forgotten the massive denial-of-service attacks of 2016, known as ‘Mirai’, in which hackers took advantage of exposed cameras and DVRs to make US-based internet-infrastructure provider Dyn’s domain services unreachable, resulting in service outages for its clients.
With 5G being rolled out worldwide, 10 terabyte-sized DDoS attacks are going to become a reality.
What will happen if an IoT device is infected with ransomware and hackers get full control? Although threats have proliferated, security technology is also advancing rapidly.
Industry experts said that more than 20b IoT devices are going to be connected to the internet this year, mostly without security standards, leaving massive potential for hackers to take over devices and use them for cyberattacks.
Arguably the biggest challenge facing the security, privacy and safety of the IoT is the lack of transparency regarding the security quality of connected devices, as there is no unified standard for connected gadgets despite many governments and organisations developing security guidelines for the IoT sector.
Security is the need of the hour
The need for security by design has become crucial as tech companies continue to roll out numerous IoT devices for consumers and enterprises.
Speaking to TechRadar Middle East, Brad Ree, Chief Technology Officer for IoT solutions at Internet of Secure Things (ioXt) Alliance, a security alliance of leading consumer product manufacturers, standards groups, compliance labs and government organisations, said he believes there will not be a universal security standard, as multiple standards organisations are working on different market strategies, each with a slightly different approach, but the core underlying principles are all going to map to the same thing.
The ioXt Alliance has more than 200 tech companies from the US and Europe, including Google, Amazon and Comcast, primarily focused on improving security in consumer electronics, initially, and in commercial building controls, mobile and managed networks.
“IoT is so broad and so there will be market specifications and go-to-market approaches will be different. Consumers will see one stamp of certification but underneath that, there will be customised profiles and that is where we harmonise all the different requirements,” he said.
However, he said that device security must start with secure hardware and, for that, security must be built in.
“Why we started with consumer electronics is that there were no standards and a lot of botnets were attached to the cameras and with potential regulations from governments starting to take place, how the industry can lead the way.
“We took the security and best practices of what our large manufacturers are doing and harmonised that into one set of baseline security requirements,” Ree said.
The ioXt Alliance has just built its unique profile for different market requirements and has defined a core set of eight principles around security, transparency and upgradability.
One of the main issues with current IoT devices is that they come with pre-installed passwords and are not configured to receive or run software updates.
Ree said that the eight principles of ioXt are no universal passwords, secured interfaces, proven cryptography, security by default, automatic security updates, verified software, security expiration date and vulnerability reporting program.
“We are in the process of finalising certain standards on certain devices and the first set of consumer electronics and mobile devices will hit the shelves in the third quarter of this year,” he said, without giving the names of the devices as they are confidential.
More devices to be certified
Ree added that devices may be certified through ioXt-certified test labs or through the world’s first bonded manufacturer certification process, which leverages the global hacker community to validate compliance claims.
By working together, he said that they have established baseline security requirements, setting the stage for testing and compatibility certification and compliance, and built global standards for the IoT world.
“We have an Android profile and are in the process of launching profiles for smart speakers, cameras and thermostats. We were engaged with Apple a little bit but they chose to go their own way,” he said.
Moreover, he said that they are working very heavily with lighting and building control companies for certification of products and profiles.
“We work with ZigBee and Z-Wave, both on our board, for IoT protocols,” he said.