Monday, March 27, 2017

Why the security of IoT is lacking, and what is being done about it

In my tech briefing, I will focus on the security of the internet of things (IoT) and why companies do not go to any great lengths to make secure devices. The biggest reason isn’t necessarily that companies don’t think of securing these devices, but that it is a secondary concern. Because the adoption of these ‘smart’ devices is so rapid, companies are moving fast to push out products without the same rigorous security testing that is conducted on more mature products like smartphones or servers.

AT&T’s Cybersecurity Insights Report surveyed more than 5,000 companies worldwide, 85% of which were in the process of deploying IoT devices, and only 10% of those surveyed felt confident that they could secure them. Many of these companies are much smaller and do not even have security professionals on their payroll, instead using third-party electronics that may or may not have been tested for security.

Devices considered in the IoT range from washers and dryers to thermostats. Recently the most popular devices are those like Amazon's Alexa-powered Echo in-home speaker. Devices like these are extremely attractive, making virtually everything just one voice command away. It is also devices like these that can be the most vulnerable.

Amazon has around 250 devices that are certified to work with Alexa, and Amazon has encouraged a rapid development of these devices. All companies need to do to get this certification is write code and submit it to Amazon for review. Although they do require physical testing, they allow that testing to happen at third-party locations. Once Amazon reviews the code and the products are physically tested, they give a decision on giving it the "Works with Alexa" stamp of approval within 10 days. Even though devices can go through the process to get this stamp of approval, they do not need to to be able to be used with Alexa; it is more of a certification that helps market their product.

One of Amazon's competitors in this market, Apple, only has around 100 devices that can be used with its HomeKit. In order to be certified for use with HomeKit, devices need to use a special HomeKit chip, and specific WiFi and Bluetooth chips. Their method can be substantially more expensive, can take 3-5 months, and device makers are not allowed to publicly announce they are seeking HomeKit certification. These restrictions tend to be off-putting to developers, however those that do endure the process believe it is well worth it. CEO of Nanoleaf (a smart lighting system), Gimmy Chu, said, "they found issues with our product before we released it that we didn't find in our testing. We know that after we have the certification that it's rock solid."

Amazon acknowledges that unlike Apple, it can't guarantee the security of third-party devices. This strongly backs the aforementioned reason for lack of security being to simply get devices on the market, even if it means security taking a back seat. The good news is now that it is a very well-known issue that many devices are not secure, larger companies like Belkin are starting to respond to and patch these issues. This won't be something that can be fixed overnight, and going forward, hopefully companies will start to put security before profit.

Sources:

Defining the IoT Security



Posted by at

3 comments:

  1. Alexandra GomezMarch 28, 2017 at 10:07 AM

    I found that "The IoT threat to privacy" article resonated the most with me, especially the following statement "the most dangerous part of IoT is that consumers are surrendering their privacy, bit by bit, without realizing it, because they are unaware of what data is being collected and how it is being used." I'm amazed at the efforts and progress constantly being made in the IoT field, but I do agree that there is a huge lack of security and that this needs to change. Since it looks like not all companies who are deploying IoT devices have some type of security plan, I think it is also up to the consumers to educate themselves and learn what this means to them and how it affects them.

    ReplyDelete
  2. UnknownMarch 28, 2017 at 2:17 PM

    I definitely agree that these devices should be more secure. Consumers need to start to be more conscious of the security or lack of security the devices they are buying have and determine if a potential breach is worth whatever this device is doing for them. While companies are making strides in fixing security issues, if consumers demand a certain amount of security companies will be more likely to have good security in their devices from the beginning.

    ReplyDelete
  3. UnknownMay 3, 2017 at 1:07 PM

    It will be really interesting to see how companies like Apple and Amazon perform against each other in the IOT market in the future. I can see Apple's security procedures becoming a big draw for potential new business, but it's also reasonable to assume that these devices will wind up being more expensive as the process for developers is more extensive and demanding. Given that much of the general public is not actively wary of the security issues of IOT, do you see Apple's secure features or Amazon's lower prices on compatible devices succeeding in the future?

    ReplyDelete

Subscribe to: Post Comments (Atom)