What’s the security shelf-life of IoT?

The FTC released a staff report in late January that took a comprehensive look at the emerging “Internet of Things.” Security, including secure APIs, authentication, and product updates, was a key theme.

I’d like to briefly explain why I believe IoT security is so important and why the IoT ecosystem presents a unique set of factors that call for special attention to security.

As discussed in the report, IoT devices come in a variety of forms and shapes, but they have a handful of similar attributes that make security an even greater challenge:

  1. While the functionality of IoT devices varies greatly, nearly all are powered by small, multipurpose computers (typically Unix-based) that can be reprogrammed to perform a variety of functions that go beyond the device’s original intended purpose.
  2. Many home and personal IoT devices available today have limited (or no) interfaces by which an individual can monitor device status or receive alerts in the event of surprising network activity and intrusion.
  3. In addition to the operating system, the same embedded chips and drivers underlie many different IoT products made by multiple different IoT manufacturers, meaning a vulnerability found on one device can often be exploited across a larger class of devices.
  4. Growth and diversity in IoT hardware also means that many devices introduced in the IoT market will be manufactured by new entrants that have very little prior experience in software development and security.
  5. The market dynamics underlying IoT are quite different from those found in the PC or smartphone market. While IoT encompasses big and expensive devices like cars and smart televisions, there are also a large number of small and extremely low-cost light bulbs, blankets, webcams, and routers – which might not receive the same level of warranty and support. Manufacturers may not be as incentivized to fix or patch a vulnerability on a $30 webcam as they would on a $500 smartphone or $1000 laptop.

This combination of factors could give rise to a highly exploitable environment, putting individuals, and the internet as a whole, at risk.

The issue of support and patching is already rife in the smartphone market. For example, the open-source operating system originally developed by Google also powers many non-Google smartphones. When a consumer buys a branded phone from a carrier, the manufacturer customizes the core operating system for their needs. This OEM operating system will vary slightly from Google’s original operating system and any updates or security fixes released for the original OS may not immediately be applied to the OEM version without additional time or effort. As such, many phones available in stores today aren’t able to run the latest version of the operating system.

This fragmentation in the market has reportedly left some 60 percent of phones vulnerable to a security bug affecting Android smartphone users that, due to supply chain issues, will likely never see a patch. This includes brand new phones available for purchase at a store today. BusyBox and Contiki, the open-source operating systems modified to power many of the IoT devices in use today, run similar risks of fragmentation.

Recently, researchers identified a critical vulnerability that affects some 12 million consumer routers currently on the Internet. The vulnerability is unique in that it affects the underlying embedded chipset and driver that power some 200 different router models from 50 manufacturers. The original chip manufacturer (AllegroSoft) patched the bug in 2005, but given the supply chain logistics, many router manufacturers have not provided updates for the devices currently in the wild (meaning many are still vulnerable with no workaround). In the researchers’ demonstration, a brand new shrink-wrapped router was immediately vulnerable out of the box.

If consumers are already exposed to security-update and end-of-life issues in more mature markets for routers and smartphones, one has to wonder what the security implications of this new and rapidly emerging IoT market will be.

For example, a refrigerator was once just a refrigerator with one purpose: cooling food. Now that we live in an IoT world, embedded inside that refrigerator is a full-fledged network computer which could potentially be exploited to launch a DDoS attack against the consumer (or some external) network. As the technology behind the household items we buy evolves, so must the way we think about the long-term effect on consumers when they purchase them:

What will be the level of security and support while under warranty? If a critical vulnerability is discovered, will an update be provided? What happens after the warranty expires? Should modern refrigerators have a shelf-life, much like the food contained within?

These questions will need to be addressed if we want IoT to succeed.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

"This combination of factors could give rise to a highly exploitable environment".
That's a polite way of saying that IoT vendors seem unlikely to spend enough time, money and resources on security. "Market dynamics underlying IoT is quite different" - that is, it's an ultra low cost business. Security and product reliability won't be priorities over time to market and price.
This is truly scandalous. When things that don't need to be computers - like fridges, TVs and light bulbs - become computers and start to fail like computers, then consumers (and their advocates like the FTC) should rise up. It's essential consumers are made aware of what's going on when there is precious little sign that a thing is a UNIX computer. Let's remember that even with overt computers and software, businesses are notoriously bad at keeping users informed, especially of information flows in social networking, big data, smart cars, smart metering and so on.
Which brings me to an aspect of the IoT dynamic not touched on here: monetizing information. It's abundantly clear that the real value to business in IoT is data. It's why data companies like Google buy gadgets like Neat. So the moral obligations for information security are really acute when the computerization of mundane objects is much more for the covert benefit of business than for consumers.

Hi Ashkan,

A few comments regarding your blog post.

Regarding item #1 I would like to point out that many IoT devices run operating systems that are far less heavyweight than Unix/Linux. In order to run Unix variants you need to have a certain amount of resources (such as RAM and flash) as well as certain hardware features, like memory management units (MMUs), but particularly many IoT devices are not equipped with a lot of RAM and flash memory and may not even have an MMU (like all the Cortex M class processors).

Of course, those can be re-programmed as well since they are microprocessors. You actually want the ability to reprogram to ship software updates during the lifetime of the device. What makes some of the IoT devices less generic is not the processor but the actual sensors and actuators they have attached to them. A device that measures temperature cannot suddenly become a remotely controlled camera.

Regarding item #2: It is true that one of the characteristics of IoT is the limited user interface. This makes provisioning and configuration by users more complex but I doubt that a display would make it any easier to show 'surprising network activity and intrusion' since this does not even work on desktop PCs either. Most of the surprising security vulnerabilities are nowadays learned via the mainstream media. The most recent of those are, for example, malware on hard disk drive controllers and the Gemalto SIM-card security breach.

Regarding item #3: If you use the same components (such as operating systems, drivers, etc.) in many devices then a security incident in one of them will have a much broader effect. I agree with that part. On the other hand, if you let every company develop their own operating system, drivers, security protocols then I doubt it will lead to improved security. As you stated in bullet #4 not every company has enough resources to develop everything on their own. I believe there is value in open source implementation developments that get enough attention (in terms of developer efforts, and testing) so that a protocol implementation or an operating system can be used on a large number of IoT devices. This makes it easier for new innovative companies to focus on what they can do best and they do not need to spend their time on implementing networking stacks and operating system features.

Ciao
Hannes
