Insecure Things – The coming shakeup in IoT security

Internet of things (IoT) devices have a terrible reputation for security, but is that fair?

Yes. Yes they do, IoT devices do deserve the bad rep and then some. They are highly insecure, and the IoT market isn’t incentivised to change.

Just make them secure already

“Why can’t ‘they’ just make it secure!?!” – My Dad

The answer is ‘market forces’. Market forces dictate that a winning consumer IoT solution must be:

Cheap

  • Constrained hardware and software with reduced security functions.
  • Rigorous testing is expensive.

Working quickly

  • Simple, fast and secure onboarding is super hard.
  • Although Apple has perfected this art, they charge premium prices.
  • It is far more common that simple onboarding translates into poor security.

Easy to operate

  • Smartphone-integrated, most likely with off-the-shelf software that is cheap and insecure.
  • User may want to monitor their Kittycam from the Seychelles.

Easy to upgrade

  • Desirable, but is often cost prohibitive, so devices are never patched.
  • Requires a backdoor to allow remote upgrades.
  • Who pays to upgrade the software? Consumers expect lifetime security for a one-time purchase.

Monitored

  • IoT devices report on utilisation patterns to inform product development.
  • Or, the low price point may incentivise the vendor to sell your data.
  • Either way – it’s spyware.

As you can see, vendors have no financial incentive to prioritise security.

Industrial IoT (IIoT) is also known as Industrial Control Systems (ICS) and Operational Technology (OT). Although similar market drivers are at play here, these solutions are sold at high premiums to Oil & Gas, Pharma and Utility Sectors – so there’s less room to hide behind price.

We are missing an external ‘shaping market force’.

Coming Legislation

The rapid and widespread integration of insecure IoT leaves our economy, critical infrastructure and society quite vulnerable. It turns out that the EU and US are mightily concerned about this. They want to make our IoT devices ‘secure by default’.

The EU Cyber Resilience Act (CRA) [1] was announced in 2022 and is expected to become law in 2024. Here are some key points from the act:

  • Security assessments prior to assigning CE certification, and during product lifetime.
  • Regular security updates by default throughout the product lifespan.
  • Mandatory reporting requirements.
  • Stiff fines for breaches of the act – up to 15 million euro or 2.5% of global turnover.

The EU aren’t alone here. The new US National Cyber Security Strategy [2] also takes aim squarely at IoT device manufacturers. Their strategy document doesn’t mince words.

“Internet of Things (IoT) devices, including both consumer goods like fitness trackers and baby monitors, as well as industrial control systems and sensors, introduce new sources of connectivity in our homes and businesses. However, many of the IoT devices deployed today are not sufficiently protected against cybersecurity threats. Too often they have been deployed with inadequate default settings, can be difficult or impossible to patch or upgrade, or come equipped with advanced – and sometimes unnecessary – capabilities that enable malicious cyber activities on critical physical and digital systems.”

So we’re good?

This legislation, and other complementary legislation like NIS2 and DORA, will improve security.

However, we need to note that control systems have an extremely long lifecycle, up to 20+ years [3]. Thus incremental improvement here will be negligible. Ageing out insecure equipment is not an effective strategy in IIoT / ICS environments.

On the consumer side, this will help, but will still take a few years. In the meantime we should all take care to reduce our reliance on IoT vendors; they’re just not incentivised to protect you. Yet.


[1] https://en.wikipedia.org/wiki/Cyber_Resilience_Act

[2] https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

[3] https://www.infosecinstitute.com/resources/scada-ics-security/it-vs-ics/#:~:text=The%20lifetime%20of%20IT%20and,from%2015%20to%2020%2B%20years.