IoT security: How to do it (mostly) right

The Internet of Things could get out of control pretty fast. We’re still pretty far from self-aware homes trying to procreate, but as Gigaom Research analyst Craig Foster noted in his recent report on IoT security, the dangers are already very real. Take a look at the maritime industry. Earlier this year, hackers tilted and shut down an oil rig, and many tanker crews disable their own electronic tracking and guidance systems to avoid interception by tech-savvy pirates. Yes, ships carrying more than 100 million gallons of oil are running blind. If the energy-security and environmental concerns of that example don’t bother you, consider this: any finalist in the Qualcomm Tricorder XPrize Competition, all of them consumer-grade devices, will be able to diagnose the following conditions, at a minimum:

  • Anemia
  • Urinary tract infection
  • Diabetes
  • Atrial fibrillation
  • Stroke
  • Sleep apnea
  • Tuberculosis
  • Chronic obstructive pulmonary disease (COPD)
  • Pneumonia
  • Otitis (“ear infection”)
  • Leukocytosis
  • Hepatitis A

That’s highly sensitive information that could be very valuable to criminals and rule-bending marketers. Widely distributed consumer devices like the Tricorder are also perfect targets for hackers. They store or transmit valuable personal information, generally over consumer-grade networks, with enough aggregate volume to make significant hacks worth the effort. Pair this with inevitable automated prescription dispensers and you have a fraudster’s dream. And while it hasn’t happened yet, the Homeland pacemaker assassination hack is indeed very possible.
The good and bad news is that despite its velocity, the IoT is very, very young. No one can say with any degree of confidence what the plumbing beneath connected devices will look like in five years. We don’t know which of the various device connection protocols will win, how certain categories of devices will be regulated, or how any of this will be secured. Again, that’s good news for hackers in the short term, but it’s also a call to action for the rest of us to make things right before they get too dangerous.
So what can a solitary device manufacturer or app developer do? Quite a lot. Here are three places to start.
Take it seriously. The first step is acknowledging that the risk exists. Very few companies now shipping connected devices started out as technology companies, let alone security-minded ones. Nike made clothes. Coca-Cola mixed sugar and water. In most cases the business opportunity came first and the infrastructure followed the money: features first, safety second. Security isn’t a big concern when you’re plugging an anonymous heart-rate monitor into a PC, but tie that heart rate to a phone number and a blood-sugar tracker and, in aggregate, you have something you need to protect.
As Foster pointed out, many businesses are unwilling to accept suggestions about how to shore up their networks and devices because, in their view, it’s still not a big deal. Target thought that way, ignoring repeated alerts from its security team before the breach of 2013. Don’t be Target.
Use what you know. This new breed of sensor-based devices is different from what’s come before, but it’s not that different. Translate established practices like secure boot and sandboxing, which are already part of your other development efforts, to the device, and if it speaks common communications protocols, apply the same protections you already apply to those protocols elsewhere: authenticated, encrypted transport with certificate validation, for a start. Government and industry regulations are generally slow to catch up with the pace of hardware development, so to cover yourself, implement your best approximation of the existing mobile or Web-based compliance measures as a stop-gap. You’ll close most of the big holes, and you’ll show your regulatory agency that you’re one of the good ones.
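As an added example (not from the original article and not any vendor’s code), here is what “apply the same security you already apply elsewhere” looks like for a device that talks to its backend over TLS, using only Python’s standard library. The hostname, port and certificate paths are hypothetical placeholders. The first context is the lab shortcut that ships far too often; the second is the same policy a browser or mobile app gets for free, plus a small audit function that flags the weak settings so a unit test or build step can refuse them.

```python
"""Weak vs. hardened TLS client settings for an IoT device's backend link.

Added example: standard library only. The hostname, port and certificate
paths below are hypothetical placeholders, not values from any real product.
"""
import socket
import ssl
from typing import List, Optional

DEVICE_API_HOST = "api.example-device-cloud.invalid"  # hypothetical backend
DEVICE_API_PORT = 8883                                 # hypothetical (MQTT-over-TLS style port)


def insecure_context() -> ssl.SSLContext:
    """The shortcut that 'just works' in the lab: no certificate check and no
    hostname check. Anyone on the path can impersonate the backend and read or
    alter every reading the device sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None,
                     client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """Same policy a Web client uses: verify the server chain, match the
    hostname, refuse TLS older than 1.2. Optionally pin the backend to a
    private CA and present a per-device client certificate (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_bundle is not None:
        # Trust only the manufacturer's CA rather than the whole public store.
        ctx.load_verify_locations(cafile=ca_bundle)
    if client_cert is not None:
        # Per-device identity; the private key belongs in a secure element or
        # platform keystore where the hardware provides one.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weak settings found in a context; an empty list means it
    passes. Suitable as a unit test or CI gate over the firmware's network code."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def fetch_peer_certificate(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Open a TLS session and return the server certificate as Python parses it.
    With the hardened context a bad chain or a hostname mismatch raises
    ssl.SSLCertVerificationError instead of silently talking to an impostor.
    (Not exercised offline; needs a reachable backend.)"""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it and the insecure context is flagged for skipping both the certificate and the hostname check, while the hardened one reports nothing. The audit is the part worth keeping: wire it into the device’s test suite so a developer’s “temporary” CERT_NONE can never reach a release build.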
Shape the industry. At this year’s TechEd, I asked several members of the Windows Intune staff what they were doing to address the IoT issue. Their answer was “participating in standards discussions, leading where it makes sense, and listening when it doesn’t.” Not very flashy, but you’ll never hear a vendor give better advice.
If your industry already has a regulatory body, you’ll certainly want to push tech issues there, but the IoT needs volunteers to help drive standards. Organizations like the AllSeen Alliance (the Linux Foundation collaborative project behind the AllJoyn framework) are setting standards that will extend far beyond any one industry or use case. It’s important to know what’s coming, and even more important to help ensure that tomorrow’s standards will actually work for you.