Why Not IoT Security?

We know how to secure our IoT devices — we are just choosing not to.

by Christopher Lamb · Nov. 29, 18 · Opinion

Just about anyone today can recognize that we are on a downward trend with respect to the security of our computer systems. Not only are we undergoing drastic changes in how systems are compromised, but the nature of those compromises is also changing for the worse. Cybersecurity flaws are exploited by various governments as well as criminal elements, and criminal elements are becoming more organized. The overall pace of compromise is growing, as is the cost levied against us all as our information is stolen, our credit cards copied, and our credentials reused by attackers. We have become more dependent on the Internet than ever to deliver our movies, our music, and to order the things we need. If we are going to continue to use the Internet, as we do today, for the next decade, we need to rethink the importance of security in everything we design and build.

Fortunately, much of what affects the market today stems from problems we have already solved. While we are not likely to fix the problems we do not yet know of, we can certainly do something about the ones we can recognize, especially ones we have already recognized and fixed. And there is much more of this than you would think, particularly when building, configuring, and delivering system software.

And particularly if we are dealing with the Internet of Things.

IoT devices are remarkably similar to consumer-grade networking equipment. They are installed in people’s homes by non-technical people who just want the stuff they bought to work. And yet, we seem to be convinced that we need to recreate in IoT equipment the same flaws that we solved in networking equipment years ago.

For example, IoT equipment is frequently delivered with old, out-of-date system software, homegrown protocols, and no encryption at all. We can do better than this, and in other areas we already do; there’s no excuse for this today. As of 2018, we deliver networking equipment with unique administrative passwords. We implement strong encryption. We require HTTPS. We can implement secure solutions; we just decide not to.

IoT projects can and should draw heavily from established software development practice. We need to implement strong code practices to ensure secure code production (as we do with other attributes, like performance and usability, of course), as we have been doing for years in other domains. This is a pure software engineering practice. We can use code reviews, secure coding practices, and automated analysis tools to help ensure appropriate design and implementation.

After all, we understand and have been working with secure coding standards and rigorous development processes for decades. As a community, we know how to do these kinds of things; we just choose not to do them in our IoT applications. That's right, choose.
