Why is IoT security still such a problem?

Talk about privacy by design and regulation has so far failed to yield results

Research reports illuminating the poor security of Internet of Things (IoT) devices appear with what might be described as alarming regularity. We hear tales of poor password control, read descriptions of security breaches, and then we often hear calls for regulators and governments to do more to stop devices with poor security getting onto the market. With security problems so widely publicised, why isn’t the problem getting fixed, and where does the responsibility lie for taking action?

Why does the problem persist?

John Moor, managing director of the IoT Security Foundation, tells IT Pro there are three reasons why IoT device security, or lack thereof, is still such a prevalent issue. The first is market economics; vendors are reluctant to invest in ongoing security support for devices that might have a life of ten years or more in a business or industrial setting.

Another is lack of regulation. “The general consensus is that regulation is needed, however it is very difficult to get right,” he explains. “Set the bar too low and it weakens the intention and may give a false sense of security. Set the bar too high and it will stifle markets and innovation.” 

Moor’s third reason was, sadly, ignorance. “Some vendors do not understand the security implications of adding connectivity to their products,” he says.

Vendors aren’t the only ones with skin in the game, though. Governments can choose to take on a regulatory role, and those buying IoT devices also have a measure of choice in how they make purchases and in which devices they decide to buy. 

The role of governments

A significant challenge for governments and regulators is the international nature of purchasing. Even in a business environment, an IoT device is quite likely to be bought off the page from an online seller. The device may have been made in a country with a different regulatory framework for IoT devices – or none – and the online seller may not be based in the same country as the purchaser.

While it has been argued this complexity makes regulation nearly impossible, Moor disagrees, saying: “This is challenging but doable. Governments can mandate responsibilities for domestic markets regardless of the source or point of purchase. For example, an importer of products can be regulated to ensure basic security features exist before making them available for domestic markets.”

Kevin Curran, IEEE senior member and professor of cyber-security at Ulster University, takes this point a stage further, arguing for a baseline of security compliance. “As the industry evolves, the need for consistency becomes more important to ensure interoperability and security for the system as a whole,” he says. “Tackling this issue at the root is key, so enabling manufacturers to ensure all devices meet basic security requirements in the development phase will help to allay fears that an organisation can be easily exploited through a single point of vulnerability.”

The UK Government’s proposed new law sets a baseline. It’s aimed at manufacturers of consumer IoT devices, but, says Paul Stone, security delivery manager at Context (part of Accenture Security): “Nearly all elements of the Code of Conduct apply equally to consumer and business IoT devices.” Despite this he is sceptical about take-up, saying: “I have yet to see any manufacturer publicly commit to the guidelines even though it could be in a manufacturer's interest to do so, as a way to differentiate themselves from competitors.”

What should end users do?

Moor believes that businesses should be proactive, ensuring the suppliers of IoT devices have good security practices in place and demonstrate an acceptable level of commitment to security. Stone also puts the onus on business buyers, saying: “Businesses purchasing IoT equipment should demand evidence that the manufacturer is taking product security seriously. This could include requiring products to undergo testing by a third party and public commitments to follow standardised security guidelines, such as those published by the UK.” He thinks such action is powerful, adding: “Ultimately a business demand or requirement for good security will be more effective in driving up standards than intermittent enforcement by a regulator.”

It’s possible that if this kind of behaviour became widespread it might force industry change. Indeed, Curran was optimistic that we will see a change before too long, saying: “The standardisation of IoT security will need to catch up with other already developed technologies, but with the rapid adoption by businesses due to increased remote working, this will most likely happen at a significant pace.”
