As if it wasn’t bad enough that IoT devices were rushed to market in a way that allowed massive takeovers and botnets to control them and wreck the Internet, now everyone and their grandmother is going to be selling Home Automation systems, promising to make your life easier. Just look at IKEA. The Swedish home furnishing giant is going to be selling its very own home automation hub and lighting setup. Sounds amazing, right? Get your new Flertungnoogin-whatever and your home controller in the same place. You can tell where this is going. All IKEA appliances will connect to this new hub, which means you will be able to roast your chicken from another country and make sure your dishes are clean as well.
What this really means is that companies are more concerned with offering new technologies without really caring whether the market actually needs another version of the same thing. Consumer demand is what it’s all about, but let’s be honest, most consumers don’t care about security until something happens, and then they are all concerned and defensive.
IoT Needs Security Guidelines
What’s really missing from the IoT landscape is a set of rules, a standard by which all devices must communicate in order to be safe. Of course, there are industry players and companies pushing their technologies, but none of them really want to work together to solve the security issues. Even then, there are no rules that require anyone to do anything. As a security expert, I realize that this is what happens with a free Internet: you don’t have to do anything you don’t want to. You can make an app with terribly weak security, you can make any device with weak security, and nobody will care until something happens, and then only some will truly care.
TLS for IoT Security
The worst part is there are easy ways to protect IoT devices, even ones with limited memory and CPU power. For example, each device could be issued a transport layer security (TLS) certificate, used for a 2-way connection between the device and the hub and from the device/hub to a remote server. This 2-way connection is a little more work to set up but would offer a very hardened transport layer, allowing safer communications. Additionally, instead of setting up the device using standard WiFi, where the device acts as a WiFi hotspot initially, manufacturers could build an app that allows the user to enter the details of their WiFi network and then use either NFC or, in the case of a camera, a scanned QR code to pass the credentials to the device so that it can safely join your local network.
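The QR-code hand-off described above, sketched as an added example (not code from this post or from any manufacturer): the app encodes the network details and the device validates the scanned text as untrusted input before joining. It assumes the common `WIFI:T:...;S:...;P:...;;` QR text convention, which the post does not name; the function names and the sample network are constructed.

```python
SPECIAL = '\\;,:"'  # characters this QR text convention backslash-escapes

def build_payload(ssid, passphrase):
    """App side: text the phone renders as a QR code for the camera."""
    esc = lambda s: "".join("\\" + c if c in SPECIAL else c for c in s)
    return f"WIFI:T:WPA;S:{esc(ssid)};P:{esc(passphrase)};;"

def parse_payload(text):
    """Device side: anyone can show the camera a QR code, so validate it."""
    if len(text) > 256 or not text.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi provisioning payload")
    fields, buf, escaped = {}, [], False
    for ch in text[5:]:
        if escaped:                 # previous char was a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":             # unescaped ';' ends a KEY:value field
            key, sep, value = "".join(buf).partition(":")
            buf = []
            if not sep:
                if key:
                    raise ValueError("malformed field")
                continue            # empty field: the closing ';;'
            if key in fields:
                raise ValueError("duplicate field " + key)
            fields[key] = value
        else:
            buf.append(ch)
    if escaped or buf:
        raise ValueError("truncated payload")
    # Policy choice for this sketch: never join open or WEP networks.
    if fields.get("T") != "WPA":
        raise ValueError("refusing open or WEP network")
    ssid, psk = fields.get("S", ""), fields.get("P", "")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return {"ssid": ssid, "passphrase": psk}

if __name__ == "__main__":
    # Constructed sample network, including characters that need escaping.
    qr_text = build_payload("Home;Net", "pa:ss\\word,1")
    print(qr_text)
    print(parse_payload(qr_text))
```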
In the end, it just requires manufacturers to be a little imaginative. It’s not hard to protect the IoT landscape; you just have to try, just a little. We can put the proverbial “genie” back in the bottle and offer real protection for both home and industrial systems. Whether your device works on Zigbee, Z-Wave, WiFi, or Bluetooth, or eventually LiFi, there are options to offer real protection, and this is not an area where companies should compete. Rather, they should be working together to follow basic guidelines for safe use of electronic devices in home systems. The alternative is a foreign botnet taking over all the ovens in the world and causing them all to catch fire.