With the expansion of Internet of Things services and the growing number of cyberattacks and threats, safeguarding IoT devices and networks has never been so important. Lawmakers like Senator Mark Warner (VA-D) recently wrote to the FCC, FTC and the Department of Homeland Security, calling the proliferation of insecure IoT devices a threat to network safety. “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur,” Warner wrote.
IoT security experts like Brian Scriber, principal architect of security at CableLabs, are on the same page when it comes to the urgency of IoT security. With an estimated 20 billion devices online four years from now, IoT security is a critical requirement, he said. CableLabs is actively working on solutions for handling the heterogeneous security models of existing devices through advanced networking technologies, and for building security considerations into future devices through standards bodies and industry coalitions. The goal is to protect the privacy and security of cable subscribers, to enable trust in IoT technology and to protect the network infrastructure supporting subscriber services, said Scriber. When networked devices are subverted to participate in DDoS attacks, the ability to trace traffic back to the compromised devices is key, he said. Encryption of data is the primary means of assuring confidentiality. Scriber noted that since many IoT devices are constrained in processing power, it has become easy for manufacturers to overlook the need for confidentiality, arguing that the processing, storage and power costs of traditional PKI exceed device capabilities. However, even disposable IoT devices today are capable of using PKI thanks to Elliptic Curve Cryptography (ECC), Scriber said.
ECC enables faster encryption than traditional methods have allowed, all while maintaining the same level of security assurance as traditional (RSA) cryptography, he said. This allows not only for confidentiality but can also be used to deliver integrity through non-repudiation (a device cannot deny it received a command/message) and message origin assurance (through signing or credential exchange), he said. Technology aside, IoT security is very much an economic matter. In the IoT environment, the markets move very quickly, and manufacturers are focused on product release schedules, marketing messages, software, reducing the overall bill of materials, and supply-chain management, Scriber said. “Security holds a tenuous grasp on a seat at that table, a seat which is often backed by the risk-management departments rather than by the product management departments,” he said. Markets respond to consumer demand, and it is only recently that consumers have started listing security as one of their motivators when purchasing home automation, according to Scriber.
Meanwhile, privacy in the IoT environment faces similar hurdles. “As long as consumers aren’t demanding it, the support will continue to struggle,” Scriber said. That said, “we are seeing changes in both consumer requests and in companies devoted to protecting consumer privacy,” he said, citing initiatives like CableLabs unit Kyrio’s PKI offerings and groups like Let's Encrypt helping to drive privacy in web interactions. He noted that privacy in IoT devices will be a popular topic at CableLabs’ upcoming Inform[ed] IoT Security conference in NYC in April. The Open Connectivity Foundation (OCF) is one of the top IoT industry groups, with more than 200 major global manufacturers and software developers (including Intel, Qualcomm, Samsung, Electrolux and Microsoft) joining forces to develop secure and interoperable IoT solutions. CableLabs and operators including Comcast and Shaw are part of the initiative. Other industry groups, including UPnP, the AllSeen Alliance and OneM2M, have merged into the OCF organization.