I went to the IoT Security Conference in Boston to find out what industry thinks the state of IoT security is today. This was the second year for this conference, which is an offshoot of the much larger IoT World conference held annually. The idea was that security is a large enough subject that it deserves its own forum. The format of the conference was to start each day with a keynote speaker and then split into two tracks, each made up of speakers and panels.
DHS opened the conference with one of the best talks and a plea for help. They discussed their problems working with IoT companies and how neither side really knows how to work with the other. I found their honesty in acknowledging this as a problem, and their admission that they do not fully understand the issues they face, rather refreshing.
Even more impressive, DHS talked about how they are improving the situation. DHS is becoming an IoT incubator using an efficient, lightweight process and extremely favorable terms. They even presented some existing success stories to show their commitment to making this work. They seemed to be very serious about cultivating better and deeper ties to the tech community. Doubly good, DHS was not the only government agency there for this purpose: the state of Utah was also there pushing their program under USTAR called RIOT, Robotics and the Internet of Things.
There were several companies at the conference pushing their IoT frameworks, such as Microsoft with Azure. Most of the frameworks seemed to move much of the work into the respective company's cloud infrastructure. I do not inherently have a problem with using cloud infrastructure when it makes sense; it can improve security and ease upgrades. However, it does not address any of the problems inherent to the IoT devices themselves. If anything, it adds more attack surface and exposes more of that surface publicly.
GE gave the best talk about process. The short version is that IoT should follow the accepted software and security development practices that every other part of the software industry has already adopted. In tech we all tend to feel we are special and unique snowflakes. While I value and appreciate all that makes us and our ideas special and unique, it is important to keep reminding ourselves of the ways we are not special or unique. Industries are built on standardization and rigor, which let us concentrate our innovation and creativity in the places that actually make our products, while leveraging existing industry standards and rigor as much as possible everywhere else.
There was one talk that identified an IoT problem and proposed a solution to it. It started with a paper on general security problems in IoT. The speaker then focused on one problem: secure communications. He wanted a low-power, low-cost solution that would also hold up once usable quantum computers arrive, which he hopes will be soon. While this problem is not unique to IoT, the limitations imposed by the devices' low power and relatively long life spans exacerbate it. The researcher proposed a new cryptosystem called HIMMO to alleviate the issue and provided a white paper to back it up.
Another common issue brought up was regulation regarding data and privacy. There was talk about who owns the data generated by IoT devices, and what expectations of privacy, if any, users should have. This was made even more pointed at the time by the revelation of how much data a Canadian company was collecting about its users' most intimate acts. It perfectly exemplified the issues discussed, including data crossing national borders. The varying levels of regulation in different countries around the world greatly complicate companies' efforts to comply with their legal obligations. While this is not inherently IoT specific, the amount of data these devices collect, their ubiquity, and their ease of movement raise the concern to another level.
The technical concern that struck home the most for me is how dangerous these devices are. They are a collective threat unlike any we have seen before. Again, recent events demonstrated this: the DDoS against Krebs on Security was carried out by IoT devices. The danger these devices expose each of us to individually is bad enough; the danger they pose to all of us collectively is immense.
The sheer number of IoT devices out there is staggering. It is dwarfed only by the number of IoT devices that will soon be out there. This is a market that is growing at a fast pace and shows no signs of slowing down anytime soon. This point was made time and again at the conference. Sadly, people either left it at that with no real solution, or moved on to other things, such as trying to sell their product.
Some of the other technical problems brought up included:
- IoT device life spans far exceed those of normal computing devices (many have well over 10-year life spans, e.g. SCADA on the industrial side, or thermostats and fridges on the home side)
- Long uptimes: it is hard to upgrade devices that never reboot
- Device security: people have physical access to the devices in their houses, so you have to assume any device could be compromised
- Different concerns for home vs. commercial vs. industrial IoT devices
- What happens when companies stop supporting a device or go out of business?
- Who is liable for unsecured IoT devices (owner vs. maker)?
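Two of the items above, long uptimes that make upgrades hard and physical access that lets a device be tampered with, meet in the update process, which the tried-and-true practice of signed, versioned updates already addresses. The following is an added example of my own, not code from the conference or from any vendor discussed here: a minimal device-side check for a hypothetical update manifest (the `Manifest` format, field names and sample image are assumptions for illustration) that rejects unsigned images, rolled-back versions, and images that do not match the signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical minimal update manifest (an assumption of this
// example): a monotonic version number and the SHA-256 of the firmware image.
// The signature covers both, so the vendor cannot be tricked into "blessing"
// an old image under a new version number, and vice versa.
type Manifest struct {
	Version  uint32
	ImageSHA [32]byte
}

// bytes serializes the manifest deterministically for signing/verification.
func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageSHA[:])
	return b
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrRollback      = errors.New("manifest version not newer than installed version")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate is what the device runs before flashing. It trusts only the
// vendor public key baked into firmware and the currently installed version;
// nothing in the update itself is trusted until the signature checks out.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.bytes(), sig) {
		return ErrBadSignature
	}
	// Anti-rollback: a genuinely signed but older manifest is still refused,
	// so an attacker with physical access cannot reinstall a known-vulnerable build.
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return ErrImageMismatch
	}
	return nil
}

// SignManifest is the vendor side; it runs at build time, never on the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real one would be the firmware binary.
	image := []byte("constructed sample firmware image v2")
	m := Manifest{Version: 2, ImageSHA: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	fmt.Println("valid update:   ", VerifyUpdate(pub, 1, m, sig, image))
	// Rollback attempt: a genuinely signed older manifest is still rejected.
	old := Manifest{Version: 1, ImageSHA: sha256.Sum256([]byte("v1 image"))}
	fmt.Println("rollback:       ", VerifyUpdate(pub, 1, old, SignManifest(priv, old), []byte("v1 image")))
	// Tampered image delivered with a valid manifest.
	fmt.Println("tampered image: ", VerifyUpdate(pub, 1, m, sig, []byte("evil image")))
}
```

The code only covers the logic; on a real device the vendor public key and the installed version counter must live in storage the attacker with physical access cannot rewrite (write-protected flash, a secure element, or a fuse), or the rollback and signature checks can simply be bypassed by editing them.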
The highlight of the conference was a talk by the city of Boston's New Urban Mechanics. This group provides a model that should be spread to every city. They are actively working to bring citizens, government, and private industry together. They let the citizens of Boston identify the problems, and then were able and willing to follow those problems to their natural solutions regardless of where that might lead. While their talk was not IoT security focused, their model, if expanded, seems like it should lead to better security for devices everywhere. As a public entity they are not driven by short-term profits. As part of a major city government, they can drive real business, especially as they branch out into more cities. This talk, more than anything else at the conference, gave me hope and excitement going forward.
My overall experience with the conference was mixed. At the time, I left feeling disappointed that there was no real understanding of the problems we face. However, upon further reflection (and a review of my notes), I do not feel as disappointed. There are a lot of problems in the world of IoT security, and people are only starting to recognize them. The conference itself is the clearest evidence of this growing awareness, which will lead to more work pushing solutions.
The state of IoT security, as I now see it, is that IoT devices are a major threat to us both individually and as a whole, in ways not previously imaginable. These devices are cheap, ubiquitous, and long lived. Many never get updates, or their update process is inherently insecure. They are always on, and most do not follow industry security best practices. They are not embracing the tried-and-true solutions that could easily be adapted to them. Their low power and low price mean they cannot have all the defenses we have come to expect in computers, leaving them more vulnerable. Their embedded nature amplifies this by causing us to treat them like their non-smart predecessors instead of the computers they really are.
So what should we do about this? While I do not have all the answers, I do have some ideas I will lay out in my next blog post.