I am excited about the Internet of Things (IoT) phenomenon that we have been going through over the past few years. Some old timers might even bring up X10, from who knows how long ago, but for my generation, I feel like the Nest thermostat was really the intro of IoT to the mainstream. I see the value of IoT devices and I have a few IoT devices at home myself. This list has only grown over time. There are two major concerns with IoT devices that are always in the back of my mind: 1) Security, and 2) Privacy. I will focus on Security for this post.
Currently, I am serving more in an entrepreneurship role, but ever since I graduated with a Computer Science degree, about 13 years ago, I have experienced numerous roles that have spanned pretty much the complete gamut of the roles needed to make IoT devices function. This has included hardware development, software development, “DevOps,” and web and API server administration.
The challenge with security is that rarely is it taught in formal education at the right level of detail, and generally, it is not the primary focus. Furthermore, if you think about all the roles involved in these projects, pretty much each and everyone one of the roles has the potential to introduce or exacerbate security issues. Also, given the complexities of the systems involved and their intricate integration needs, it becomes even more critical to ensure that you get the minute details correct.
Because security is such a complex topic, even if you are a security expert, you can still have major security issues. For example, take a look at this recent incident with Symantec. It’s not just Symantec, late last year, Juniper, a company that provides network security equipment, also had issues with its security equipment. If you do a quick search online you are bound to find countless other similar incidents.
In addition to getting it right the first time around, security is also a continuous rat race between the hackers and the software/hardware vendors. Over time, after diligently looking for security issues, hackers do find vulnerabilities. This has been proven with even the most secure software packages that tend to be the foundation of many services (e.g. OpenSSL with heartbleed). Issues like these are bound to happen, but this makes it critical that everything involved is kept up to date on a timely fashion.
IoT devices generally have an additional “attack vector” that many times gets overlooked. It’s that these are generally devices that don’t have much computing power. This leads to vendors making unwise choices from a security perspective.
I am excited to see the IoT phenomenon and will continue to be a part of it. Given the security implications, though, I hope that the vendors are paying the due attention to security. Unfortunately, generally, when you find out that this wasn’t the case, it’s already too late. I also hope that the vendors stay in business because, even if you could keep a device functioning after a vendor goes out of business, you would be a sitting duck!
By the way, this issue is not just with the devices that target home users, there have been plenty of security issues in other markets as well, including hospitals. As an example take a look at this Hospira infusion pump notice from FDA.