With the IoT industry calling for common standards and infrastructure it’s fair to say that the industry is very much in its infancy; certainly not mature anyway.

But with uncertainty comes fragmentation and with fragmentation comes vulnerability leading, more often than not, to headlines.

The Internet of Things has moved from a concept to a buzzword to tangible devices businesses and consumers can take advantage of. Be it cameras and sensors hooked up to AI computing to work out footfall in public spaces, or a range of Narrowband IoT devices such as cameras, trackers and sensors for consumers and enterprise – the trend is only going up.

Now that 5G has been added to the mix of connection protocols that include Wi-Fi, Bluetooth, 4G and Zigbee to activate these devices, the attack verticals for ‘hackers’ has also grown.

“Security often is an afterthought and sometimes it's almost as though it was never thought about at all” said Paul Ducklin, Senior Security Advisor at Sophos, “If you take kids’ smartwatches, for example, they cost 20 bucks to buy, so you can imagine how much money is left over for security.

“But once the product is out in the market, it's too late to add security as an afterthought and that's a serious problem. We draw attention to this and people ask what they can do. We suggest that they should stop using it, because there's this massive bug that means anybody can figure out where your kids are and the device doesn't have any way of getting updated.”

“I think a lack of competence is worse than security being an afterthought” added Bernard Parsons, CEO and Founder of Becrypt. “Many companies that are manufacturing IoT devices simply don't have the necessary levels of competence when it comes to security.

“There's no reason to believe that, because you're an IoT manufacturer, you're going to have the in-house expertise to do a good job of architecting security within your system. What is the driver for a manufacturer to go through the extra cost and time required to implement security even if they want to?

“I think this is where we have a situation which is best described as a market failure from a security perspective. There are two issues here, one is information asymmetry, where, as a buyer of IoT components, I can't tell the difference between good and bad so it's very difficult for me to differentiate between someone who's investing in security and somebody who isn't. That provides an advantage to the company that's not investing, as they go to market quicker and they'll be cheaper.

“The second issue is negative externalities, where the real losers in this are not the manufacturer or even the consumer; both parties could be happy because they got things cheaper because no one invests in security. But if a fridge, for example, becomes part of a huge botnet network, and we see a denial of service attack, then the people that lose out are third parties, whether it's Netflix, CNN or Twitter.

“When you have those characteristics within a market, it leads to market failure, and the only way that you can intervene and change that is through regulation.”

Juggling standards

Security regulation is certainly a focal point for governments across the world but for IoT manufacturers, as Bernard points out, with investment in security comes higher component costs; hardly a reward for doing right by their end users.

Silicon Labs senior director of product marketing for IoT Security, Gregory Guez said that the motivation to add security may be found outside regulation.

“We're at a time where there's going to be a big shift with new security rules (SB327), where the State of California will mandate that all IoT connected devices need to come with reasonable security features. Things like making sure devices don't have universal passwords, executing trusted firmware, came into action at the beginning of the year.

“I think that's going to be a game changer. We are going to see some big lawsuits happening and companies who feel they can make a product without thinking about security are going to have to start taking it more seriously from the beginning of the design. It can no longer be an afterthought.”

“The UK Government is looking to introduce guidelines that they want manufacturers to voluntarily sign up to. The National Cybersecurity Centre worked with the DCMS to come up with these secure by design principles that, if adopted by manufacturers, would move things forward quite substantially” added Parsons.

“To date, nothing has happened voluntarily, so we will now move through to an era of regulation and that’s what will ultimately create the drive for the manufacturer to invest in security.”

Securing the things

Experts agree that the best route of security is to install it at a physical level but reiterate that cost and profitability are big factors when manufacturing devices.

“The best way to maintain the integrity of a system is to have a hardware route of trust” added Parsons. “If you want to have a secure boot process in a platform where you can verify the firmware hasn't changed from a known good state, the only practice really that can withstand any reasonable attack is where you have a hardware-based route of trust.

“Within ARM based platforms, you're talking about TrustZone, while within Intel based platforms, its TPM (Trusted Platform Module). Ultimately it comes back to some fairly straightforward and basic good practices and a good starting point is that route of trusted hardware.”

“If you look at connected home devices for instance, it has being growing so fast and a lot of people have been focused on time to market and releasing products rather than being concerned about security” said Guez.

“The lack of standards has been allowing them to proceed without really taking security into consideration, and that’s been a tough battle for us. “We would go to a customer and start talking about security but first there is a cost, because we integrate a lot of hardware that increases the price at the SOC level, but on top of that there is also a layer of complexity.

“If you're thinking about the consumer market, where everything is driven by time to market, I think security could actually delay your product, maybe by a few months or even longer. I think some companies have been worried they would lose out to their competitors, just because their product takes a longer time to be produced and released.”

However, with a security hole still in hardware of devices, questions can also be asked of the systems that enable the vast majority of devices. As Duckin points out, there is more than one area where devices can be ‘got at’.

“Sometimes the bugs or the problems are in the device, sometimes they're in the cloud service that the device uploads its data to, and sometimes they're in both.

“If the data being uploaded is being stored on a cloud server which is completely unprotected, once you've figured out where to look, what URL to go to, what endpoint, you could see the data by changing a number in the URL.

“That can be fixed but do you want to carry on trusting that cloud provider when they've made a blunder that big? The other problem is that there may be something fundamental about the device that means that, even if they harden the cloud service side, the device itself is still insecure.”