Why New IoT Security Protocols Aren't Likely To Work

Twenty years ago, the idea of your refrigerator watching the internet while you slept would seem ridiculous beyond belief.

19:15 18 December 2017

But today, it is not something that gets automatically rejected out of hand. Unless, of course, you still have a 20-year-old refrigerator humming happily away in your kitchen. For all of the people who have been swept up by the Internet of Things wave of innovation, it is a brave new world where everything is getting connected to everything else, and they're all whispering to each other in a mysterious digital language that you don't understand.

 

In many ways, the Internet of Things, or IoT in our acronym-happy world, has created a lot of its own problems, so far as security issues are concerned. The solutions are not nearly as easy to see as are the ways in which they managed to screw everything up. The big stumbling block with IoT issues is the relatively low technical capability of the end user. A new big screen TV or refrigerator needs to be able to easily hook itself up to the homeowner's network and function flawlessly right out of the box, or else it is going to get hauled right back to the retailer. 

 

Because those final consumers have only limited IT skills in most cases, and are thus only able to make the most simple configuration decisions, the things they will be asked to do in order to activate the device need to be kept to an irreducible minimum. This in turn means that anything that can be stripped out of the process is going to be done, which also produces some nice cost savings for the manufacturer. Since security settings are not a one-size-fits-all arena, the earlier IoT devices chose to ignore their own responsibility for security and trust their fate to the gatekeeping abilities of the home's router. Voila! Instant configuration that even the least technical can accomplish. Plug the device into the wall and let it port itself to the router.

 

Unfortunately, humans are as security-conscious concerning their routers as they are about their new refrigerators. Plugging an open port device, which many of the initial IoT devices were, into your network means that you have a permanent hole in it that is guaranteed to be compromised sooner or later. It did however solve a lot of nagging configuration problems-- particularly with the long list of legacy routers that still populate the local networks of the world. In a world of hackers and a future ran by A.I.  

 

Dumbing down configuration protocols to the point where they could match up with even the biggest dinosaurs automatically implied that the best-practice and latest security protocols for such interfaces would have to be jettisoned. So that was the emphasis for far too long-- to make things work seamlessly without unduly burdening the device's owner.  Companies are springing up to build new Kickstarters for iOT products and leading ORM agencies like The Reputation Management Company out of Miami are taking on new business roles managing the reputation of IoT gadgets and safeguarding them from hacking that would ruin a companies reputation and brand equity. 

 

Editing the human factor out of the equation did indeed mean that IoT devices were easier to set up, but it also meant that they needed to become inherently self-monitoring and self-adjusting as they became more capable and complex. Sleep-deprived humans don't want to listen to a lot of mechanical backtalk about updates-- particularly first thing in the morning. They just want their coffee brewed on time. That's all they really care about-- or so they think.  

 

Ergonomic and legacy considerations thus combined to make IoT devices inherently unstable from a security standpoint. Too many vulnerabilities had to not just be accepted but in some cases deliberately engineered into the devices in order for them to carry out their prime directive. This all began to change as the universe of such devices broadened to the point of ubiquity. 

 

Millions of open doors in a world where cryptocurrency mining was becoming financially viable provided the recipe for widespread infection as well as a renewed realization that procedures needed to be tightened up considerably. After all, your new super-efficient appliances aren't going to save you much money when they are busily eating electricity 24/7 to send bitcoins to a darkweb address in Bulgaria.

 

Now this might be all right with many people if their washing machine was crediting those bitcoins to their own account, but the idea of getting stuck with the electric bill while someone else takes all the gravy is a bit of a black eye for the IoT industry. Worse still is the idea that your washing machine may be hacking your bank card to send flowers to someone else's girlfriend. This is almost certain to cause trouble on more fronts than just the financial one.

 

To its credit, the industry has made great strides on security issues as it has matured. Whereas it previously operated as if everything behind the router's firewall was automatically secure, events have now progressed to where manufacturers are hardening Internet of Things Security Protocols to enlist every device into the battle. The problem with relying on a single device for defensive purposes is that, if it fails, all of the clients under its control can be "turned" and effectively made into backdoor entry points every time someone sends a spoof update. Multiple screens have a far greater chance of detecting nefarious activity than does a single examination point.

 

Yet the industry has not yet settled on a single wide-ranging standard. There are many competitors for the crown, but all are aiming at the same end state-- a network that can take care of itself with little human interaction, exclude non-authentic external entry attempts, and update itself so as to stay relevant in the never ending war between aggressors and defenders of the network. However, the battle will not be won or lost on the field of new advancements in security so long as there remains a series of weak links in the chain.

 

Protocols such as MQTT, IEEE 802.15.4, and 6LoWPAN are all big steps forward for the devices that use them or any of the other new standards for network interaction. The problem lies in all of the legacy devices that do not use these standards and, in some cases, cannot ever be configured for them at all. The same goes for many brand new but low value devices that do not have the physical capacity to implement these standards simply because doing so would make them cost-prohibitive in relation to those devices that do not.

 

Internet of Things Security Protocols will never be made reasonably effective until they are able to exclude the many devices that offer extremely simple avenues of penetration. So long as the struggle aims at bringing all of these problem children along for the ride, it will never succeed. Of course old devices will be superseded over time and the difficulty will fade gradually, but it will never go away entirely until you have zero vulnerable devices in your network.

 

Sine the most vulnerable device of all is a legacy router, it may prove economy in the long run to bundle a new router/modem in with the purchase of every new big ticket IoT device. Another effective line of attack might be to require a mandatory certification with something like a UL or CE rating for every device sold worldwide. This would eliminate the cost-cutting that drives many devices to overlook their own potential culpability in favor of the idea that some other part of the network will pick up the slack.

 

Instituting some form of small tax on new devices that is used to fund a rebate or buy back program for the retirement of old non-compliant items would also serve to enhance the macro-network to the eventual benefit of all the individuals connected to that network one way or the other. In any event, new standards will not provide sufficient improvement so long as non-compliant members lurk inside the network.