Tuesday, August 16, 2016

Improving the state of security in the Internet of Things

I've spent the past few months as the Solutions Architect at resin.io, working to improve the security and functionality update process for Internet of Things (IoT) devices. As I've been doing this, I've been learning an enormous amount about the current state of the industry.

It's pretty clear that right now managing and updating IoT devices sucks. There are countless examples of devices being left vulnerable, exposed to the world, abandoned or even intentionally destroyed by their producers because they were too hard to keep updated.

There are a few factors that I see as contributing to this problem:
  • a need for Free/Open tools for securing devices
  • a need for Free/Open tools for updating and managing devices
  • a need for education within the industry

Some more cynical people might replace "education" with "an attitude adjustment" in this list, but I really do think that most of the blame can be placed on ignorance rather than malice here. The tools are important, even crucial, so I'll expand on those points in the future. But even the best tools are worthless without the understanding of why they're so necessary.

A hardware mindset

Most people and companies involved with hardware manufacturing have what I call a "hardware mindset": the idea that a product is designed and manufactured exactly once and then identical units are distributed to the marketplace. This is understandable and a completely legitimate way of thinking when you're creating self-contained devices. If you've been building widgets for decades (or even longer!) then you've gotten very good at this sort of process. You spend a lot of time up front on design, getting it as perfect as you can, but then once you're done with that you start up the factory and move on to the next thing. As long as your widgets aren't catching on fire or falling to pieces under normal use, you don't really have a problem.

The problems come in when you start talking about connected devices. When you were making widgets that came out of the factory perfectly safe, the only way they became dangerous was if someone intentionally opened them and tinkered with their parts. And if someone gets hurt when they modify your product, that's really on them. But once something is connected to nearby devices or the Internet, it can be opened up and modified by someone who might be thousands of miles away, and there's usually no external sign of tampering. Even without an actual attacker, it's simply impossible to test every permutation of interactions between your networked widget and all the other devices in the world. Your customers can be hurt by your product without any fault of their own! Suddenly you need a way to fix these issues as they arise. You must update your devices in the field to protect your customers.

Simply put, once the device comes out of the factory, you have to stop thinking like a hardware company and start thinking like a software company.

Moving to a software mindset

Software companies work very differently from hardware companies. There was a brief period where the idea was the same -- write some bytes to a disk or CD, ship them out and you're done -- but those days have been gone for decades. Now the goal isn't to produce a single piece of static software but to have a system that allows constant updating and refinement of the product. There can be no assumption that any program is ever perfect or complete or secure. The only way to protect yourself and your customer is to make the process of updating and fixing the software so fast and foolproof that keeping it updated becomes a matter of course.

IoT and hardware companies must begin thinking about their products primarily as software that happens to have a hardware component. This is the only way that the state of security in the Internet of Things will improve.


  1. I would go further, and state that the software mindset *must* be present while the hardware is being developed.

    Here are a few things I have been wishing for:
    * OWNERSHIP of the device *must* allow "reselling";
    * original manufacturer *must* lose control of a sold device;
    * control of the device must require some sort of validation/verification;
    * the device may provide only public, a mix of public/private, or just private data;
    * this means access control (and ACLs);
    * the above implies classification of the data flow; this probably means some data flows may be encrypted;
    * encryption begets key management;
    * no single master key, pretty please;
    * in fact, no X.509 certificates -- let's find something more usable;
    * updates to software, ACLs, or key management should allow selection of targets (IoT devices affected);
    * updates should be validated before being applied;

    And more, but my wife calls me now :-)

    1. These are great points! A lot of it comes down to ownership vs. control -- if you bought it and own the physical device but the vendor can make it stop working, do you really own it? (I think the GPLv3 tries to address this.)

      Lots of stuff to think about; I might mine your list for future posts! :)