Industry needs to develop universal standards for designing safety, privacy into connected devices, before government regulations force it upon us.
As consumers start to connect more and more aspects of their lives to the Internet, a troubling concern arises—if every part of our lives become “smart,” are we safe? Cisco Systems predicted that there will be 50 billion connected devices by 2020, which means there will be 50 billion ways a hacker can infiltrate a consumer’s network and steal their personal data.
In all the rush to design groundbreaking IoT innovations and release new products, two important factors have been pushed to the back burner - security and privacy. As we’ve seen in recent headlines of hacked cars to compromised Internet-connected baby monitors, the implications are real and present.
In my earlier post, “IoT Security Calls for Action,” I outlined ways that engineers can address the security challenges of IoT development through a combination of interoperability, education and proper design. To take this discussion a step further, two key areas warrant more investigation. First, how can we create universal standards and frameworks for the developer community? Second, how can we design with security and privacy in mind from the initial design and system architecture to provisioning for system updates into deployed products?
Creating universal standards for compatibility and security
Standardization has long been an issue countless industries have had to face. Take for example the automotive industry. When the automobile was first introduced to consumers, each manufacturer built their vehicles with completely different specifications, causing havoc for repair shops, consumers and manufacturers alike. Beyond being inconvenient and inefficient, the lack of standards became dangerous when consumers were unable to operate or maintain a car other than their own.
When it comes to the introduction of Internet-connected devices to the market, similar issues arise. The industry is fast growing, with many players entering the field using completely different playbooks as they develop their products. To complicate matters, IoT solutions and devices are usually not just one product, but a myriad of systems that include hardware and software from multiple vendors. The security of the overall system is only as strong as its weakest link, and a multi-vendor environment can open up a host of additional vulnerabilities. For example, if someone can command your smart window shades to close without your permission, tell your garage door to open or move your surveillance cameras to an angle with low visibility, then they can very easily break into your home and walk away with your valuables.
[Learn more about Handling Top Security Threats for Connected Embedded Devices at ESC Boston]
To keep consumers safe and avoid having regulations mandated upon the market by government agencies, we, as part of the developer community, must adopt consistent standards that manufacturers and developers alike can follow to make systems more compatible and secure. Cross-industry collaboration among vendors is key to creating uniform communication protocols and ensuring products can work seamlessly and securely together.
Designing with security, privacy in mind
There was a time when homes were built with the understanding that average homeowners would not need much more than a deadbolt on their front door and a guard dog in the backyard to keep their households safe. Fast forward a few decades, and this was no longer the case. Many homeowners found themselves dealing with the very real security threats posed by urban crime, and in an effort to protect their homes and valuables, they installed metal bars on their windows to deter burglars. The design flaw here was that the bars could easily be removed by those trying to enter the home and had the unintended and life-threatening consequence of trapping residents inside in the event of a fire. If security had been factored into the initial design of the home, residents would not have been forced to rely on solutions that were not only ineffective but dangerous.
Today’s connected device developers find themselves in a similar boat when it comes to security. IoT devices are coming onto the market in all shapes and sizes, and when it comes to a gas range stove, state-of-the-art refrigerator or self-driving car, designing for security can become incredibly complex. For example, if a consumer is having trouble updating the software for their washer and dryer and needs to bring it into a local retail store for an update, it is a completely different situation than if they are having trouble with their lightbulb or alarm clock. What if a vulnerability on thousands of products is detected? The mobile carrier industry dealt with this difficult situation just this year with the Android Stagefright vulnerability, which affected more than 950 million Android devices.
And it’s not just security that’s a growing concern for consumers and corporations alike, it’s privacy too. If everything becomes “smart,” the device environment gathers a lot of information about people inhabiting the space and interacting with the network. With more and more instances of personal data being breached from Internet-connected devices, such as hacked Internet-connected cars, refrigerators or baby monitors, consumers, companies and governments are using a cautious and scrutinizing eye.
Developers and manufactures need to put measures into place to properly secure devices and ensure that private consumer data is stored safely. This is easier said than done, but there are a few ways we should be going about it from a design standpoint. To effectively design for security and privacy in new device development, security must be addressed as part of managing the entire lifecycle of a device It must be factored in as developers consider the initial product design and operational environment and while provisioning for system updates. Developers need to keep in mind that the product needs to be secure in addition to the development environment. That being said, it isn’t always possible to have security in consideration from day one — not every project involves new device technology. In fact, IoT can be a complex conglomerate of legacy technology, so when it comes to security and privacy, it’s important to focus on ways to incorporate or manage device security and safety when you don’t have the luxury of designing with it in mind from the outset.
There is no denying that the IoT is well on its way to helping bring new innovations and levels of connectivity and productivity to our everyday lives. We have a long, bright future ahead in the world of IoT development. The stark reality is that If we don’t put measures into place to solve these difficult development questions around security and privacy, people will continue to create insecure devices, and consumers lives may be put at risk. Consequently, we may see an increased level of regulation in our industry, which ultimately prohibits manufacturers, developers and consumers from having access to innovative new products. To keep up with growing demand for connected devices and ensure security and privacy are of the utmost priority, the developer community needs to come together to establish consistent standards and incorporate proactive security and privacy measures into product development lifecycles. By working together, we can deliver on the promise of a truly connected world.
--Mark Skarpness is Vice President and General Manager of Embedded Systems, Open Source Technology Center at Intel.