Robust IoT security costs less than you think

Most IoT devices are dangerously insecure because of a false assumption that reasonable security is prohibitively expensive and would add excessive time to the IoT product development schedule. Nearly everyone in the IoT community is aware of the media headlines involving a string of high-profile security breaches for IoT devices over the past three years. In each of these cases, after the hacker gained entry, he performed an unauthorized firmware update and took control of the IoT device.

In some cases, the “white hat” hacker later explained the step-by-step approach to successfully hack into the IoT system and then graciously provided full and complete information to the OEM to assist in correcting the issue. Not all hackers are so thoughtful. The OEMs’ subsequent fixes to their fully-deployed production IoT systems were done at great expense.

These public relations disasters also surely reduced revenue as they caused significant loss of reputation and loss of brand value for these OEMs. Had these hackers been malicious, some of these attacks could have resulted in loss of life. How large might a future class-action lawsuit be where an IoT manufacturer is claimed to have placed the lives of millions of unknowing people at risk due to gross negligence?

As an IoT Security professional, the most surprising aspect of these security breaches was that there appeared to be little or no security in these systems. It appeared that security wasn’t even considered. It was once believed by some IoT manufacturers that they could achieve “security by obscurity.” Why would anyone want to hack into our IoT device? You could similarly ask yourself, why would anyone want to break into your home? Doesn’t the fact that your home is one out of millions in the country provide you with “security by obscurity?” I don’t know of any builders who build homes without locks on the doors. So why would IoT device makers build IoT devices without locks on their “doors?” Informed technology executives and professionals know that “security by obscurity” is nothing more than false hope.

The recent parade of embarrassing, high-profile IoT product security breaches raises a logical question, is the lack of security in these IoT systems unusual or is this typical? Sadly, the answer appears to be that it’s typical. HP performed a study in 2015 where it reviewed ten products in the most popular IoT market segments. They found that 80% of these devices raised privacy concerns; 90% collected at least one piece of personal information via the device; and 70% didn’t encrypt communications to the internet or to the local network.

A survey published in Nov 2015 by Auth0 provides a hint to a cause of the alarming lack of security in so many IoT products as well as developers’ and consumers’ reaction to the lack of security:

  • 85% of developers felt rushed to get an application to market due to demand and/or pressure within the previous six months despite security concerns
  • 90% of developers believe that current IoT devices do not contain the necessary security
  • 18% of consumers trust having their personal data tied to IoT devices

There are currently about 6.4 billion IoT devices deployed worldwide, with a rise to 20.8 billion by 2020, according to Gartner. It’s obvious that there exists a serious and growing problem with inadequate security in billions of IoT products, making them highly vulnerable to hacking. Malicious hackers can steal the personal information that they contain and/or take control of these unsecured devices with disastrous results.

The good news is the technology required to prevent every one of these high-profile breaches is readily available. More good news is that this security is quite cost effective. For example, a NIST-certified advanced cryptography IC that can handle ECDH (Elliptic Curve Diffie–Hellman) security protocol along with ECDSA (Elliptic Curve Digital Signature Algorithm) sign-verify authentication adds less than $1 to an IoT device bill of materials.

ECDH is an ultra-secure method to provide key agreement for encryption/decryption. This security IC is microprocessor agnostic and can therefore be added to any IoT system. Implementing this solution requires significant expertise, but organizations can turn to IoT security partners who are capable of providing complete, robust security solutions typically in about two weeks, mostly performed in parallel with other development efforts.

Most IoT hardware will likely operate for 10+ years and should have a security solution that will be secure for their entire product lifetime. The National Institute of Standards and Technology (NIST) document titled Recommendation for Key Management provides guidelines for cryptographic key sizes that will be secure to brute-force attacks in the year 2031 and beyond based on projected increases in computational power. A sufficiently long key with an extremely strong security protocol coupled with best practices can provide every IoT system with robust security for the next 15+ years. The sub-$1 security IC used as an example provides this level of security and is available in a packaged IC footprint as small as 2 by 3 mm. There’s no excuse for IoT product makers to continue to ignore IoT security risks.

Charlie Beebout is the Program Manager for IoT Security Products at Astek Corp. He has more than 30 years of engineering management experience in the IC industry. Astek security experts have more than eight years of extensive experience delivering highly-secure, robust scalable IoT Security solutions for Fortune 100 companies as well as hundreds of smaller companies including start-ups. Charlie holds a BSEE degree from Iowa State University.