Do we need an IoT 2.0? asks Ken Munro, partner at Pen Test Partners. Being brave enough to take a new approach to an old problem is how technology gets adopted. It’s how pioneers from Steve Jobs to Elon Musk have revolutionised industries.
Right now, I believe we need a similar shake-up in the IoT. Manufacturers are following the path of least resistance to grab market share, but vulnerabilities then surface that compromise the integrity of the product and the market as a whole, stymying adoption. But what if there were a way to reinvent the IoT?
The biggest problem with the Internet of Things is, well, the Internet. It’s a public highway and that makes any device connecting over it susceptible to attack, even more so when you consider that hackers can purchase and reverse engineer IoT devices making it even easier to then hijack others already deployed. This is particularly noticeable in the consumer space where IoT devices can expose home networks and the user’s data.
Many consumer devices use the Wi-Fi network to connect to the Internet and this creates numerous issues. Unconfigured, the device will often act as an access point with a default PSK, making it an easy target. Configuration is often difficult and the device may malfunction during set-up. Even if you do succeed, some devices will open up ports on the home firewall with the consumer none the wiser which as we have seen can lead to the creation of super botnets. Plus if the user changes their ISP or router it can be troublesome to reconfigure the device.
If it were possible to remove the internet from the equation, many of these problems would resolve themselves. The problems of malware, ransomware and botnets used for DDoS attacks would be mitigated. There would be no risk to personal data, no opportunity for device aggregation, and no risk of rogue firmware updates. The user would be able to enjoy a seamless experience with security layered in by default. Conceivably we’d have a user utopia.
So, what’s standing in the way? Why are we so hooked on Wi-Fi? The primary reasons are of course cost and bandwidth. The cost to the manufacturer from piggybacking off the user’s broadband connection is zero and it costs the consumer nothing extra, keeping product price points low. Using an alternative network is bound to incur some additional expense and then there’s the prospect of contracts to govern data transport costs, both of which are distinctly unpalatable to the vendor.
But think of the advantages. Near zero configuration, association with an established user account helping authentication, no risk of attack, and the bonus of client segregation so that in the event of compromise, the risk to the user are minimised. This isn’t the stuff of Science Fiction; it’s achievable today using mobile data networks.
Telematics units in connected vehicles have been using these networks for some time to relay data securely so why can’t the IoT? Yes, there is a cost for the embedded SIM and airtime, but given that the volume of data exchanged by these devices is relatively small, it would be negligible and far outweighed by the security benefits.
Granted the application of these technology would have its limitations. It wouldn’t work in high bandwidth applications such as CCTV, for instance, but a smart thermostat or utility meter needs requires very little bandwidth. And vendors would need to make sure that the supply chain, which would now include the operator or M2M provider, had made provisions to prevent exposure through segregation, for example. One need only recall the Jeep attack, which saw a lack of segregation on Sprint’s network, to see that mistakes can happen.
Yet the mobile market is making significant headway in this arena. We’re already seeing the eSIM joined by eUICC, R-UIM and CSIM cards to make over-the-air provisioning and updating straightforward. It’s these technologies that are used in the Apple watch 3, for instance. Going forward, Virtual SIMs will offer even more interesting, low cost solutions while mobile data is now a commodity, with costs continuing to drop.
Is the high-risk freemium model of the Internet viable in the longer term? Or should we be considering alternative networks now before we see malicious attacks discredit the IoT? Sadly, I think it’s only once we see attacks that impact the user, such as ransomware, and tougher regulation, that we may see manufacturers rewire the IoT.
The author of this blog is Ken Munro, partner at Pen Test Partners