A word on words: How to communicate about security in IoT

Among the many security challenges facing the connected device industry, one of the most significant is a non-technical one: how to talk about security. As the scrutiny on and awareness of security continues to increase in the aftermath of the near daily headlines about security breaches, more and more people are talking about this critical topic, and its relevance to the long-term adoption of connected devices. However, as the rate and breadth of those conversations increase, common misunderstandings run rampant, which impede the ability for consumers, businesses and governments to truly grasp the underlying problems — and make meaningful change. With the right understanding on how to talk about security in IoT and as it relates to connected devices, the industry can truly drive towards that meaningful change. Here are a handful of focus areas:

Privacy versus security

These terms are often conflated to refer to the same topics, but they are actually distinct concepts.

Privacy is the ability to make decisions about your data. For example, privacy refers to the idea that a user decides who is granted access to user data. A common refrain in the current internet age is that “privacy is dead.” This largely refers to the idea that pieces of technology, including connected devices, enable a company to identify individuals, track their location and learn their habits. However, it is important to note that the fundamental definition of privacy is indeed alive and well: the user chooses to install such a device and allows the manufacturer to do with that data whatever the manufacturer outlines in the End-User License Agreement (EULA). While it would mean that the user would not have access to many of the benefits that are delivered by such smart devices, the user does indeed have the choice whether or not to buy and install that device.

By contrast, security refers to the efficacy of those decisions being carried out. For example, when a user installs a connected device in the home or office setting and approves the EULA, allowing the device vendor to track, analyze and monetize the data, the assumption is that only that vendor is allowed access to that data; when security is compromised, other entities — whether they be casual hackers, nation states or some other actor — obtain unauthorized access to that data.

When people talk about privacy and security issues related to connected devices, these two concepts are often conflated, and in some cases the terms are used interchangeably. But they are truly discrete topics. There is a hierarchical relationship that should be noted, however: security violations inherently result in privacy violations, but privacy violations are not necessarily security violations. For example, if during setup of a connected device the user opts out of allowing the device maker to share data with third parties, but the device maker shares that data anyway, that is a privacy violation. But it is not a security violation. By contrast, when a hacker exploits a connected device — for example, a connected baby monitor — and uses that compromised device to spy on the user’s baby, then both privacy and security have been violated.

This distinction matters because both topics are important, but for different reasons. Each requires different considerations that have varying impacts on disparate stakeholders. Addressing one of these concepts does not automatically address the other, nor should it be expected to.

Marketing claims can be dangerous

One of the most misleading terms across the entire security spectrum is “military-grade security” or its twin sister “bank-level encryption,” claims that run rampant across the glossy marketing websites and product packaging of the connected device industry. Such terms seek to give the user confidence that this product has effectively built security into the solution; “if it’s good enough for them,” the logic would suggest, “then it’s good enough for me.” Forcing this assumption is like the manufacturer of a budget car implying that it is in fact a luxury car because it uses “luxury-grade air pressure” in its tires; while the underlying fact may be true, it attempts to make an association in the mind of the purchaser that is not valid.

All that such security claims are really saying is that where encryption is utilized, this device uses the same encryption standard that military or banking systems use. This implies that good encryption results in good security, but that is not necessarily true. Good encryption practices are part of a good security posture, but not the panacea that such a claim would suggest. Furthermore, the claim suggests that adversaries attack the encryption mechanism itself, and so if a defender just has strong enough encryption, that alone will thwart such attacks. Yet that is not how adversaries operate in a modern context. Modern adversaries don’t try to break the encryption; they try to find the keys to the encryption, access the data where it is not encrypted, or steal the credentials of a powerful user who can decrypt the data.

Instead, connected device manufacturers should focus their messaging on the fact that security is a process. Achieving meaningful security entails an effort over time. It requires resource investment. It requires the sometimes uncomfortable moments of confessing vulnerabilities and describing the remediation. Admittedly, the average consumer probably won’t have much appetite for a thorough white paper analysis of the security program a given product manufacturer has in place; but they should at least be given the respect of a summary of how security is considered, rather than just being fed a dangerous and misleading claim.

Taking security in IoT seriously

In the aftermath of virtually every major security breach, the enterprise victim often releases a statement saying that, among other things, “we take your security seriously.” The organization may genuinely mean this, and may genuinely take the appropriate steps to deliver on this claim, but what makes or breaks the claim is what follows it. In the case of many retail credit card breaches stemming from connected POS terminal exploits, the prevailing approach has been to provide consumers with credit monitoring. While this is a nice gesture, it’s little more than that, as the credit card companies themselves already proactively flag fraudulent activity. Furthermore, the statement is not quantifiable: what does it even mean to take security seriously? How is that defined? How is it measured? Different organizations will have wildly different definitions, and so too will any end victim, whether that victim is a consumer, business or government entity.

It would be far more valuable for connected device companies to articulate how they take security seriously. What types of security assessments do they perform, on what cadence, and what credentials does their assessor possess? What level of executive buy-in do they have from the C-suite for security initiatives, and where does security rank among the CEO’s priorities? What recruiting initiatives do they have for finding elite in-house talent to pursue their security mission? Being able to describe these concepts will enable manufacturers to better define how they approach security, and will empower purchasers to better determine the level of risk they are adopting in choosing to do business with this manufacturer.

Call to action

The IoT industry has a significant perception problem, in that many people — and especially most security experts — feel that security is woefully inadequate among the devices that populate the market today. While this may be true in the majority of cases, it is nevertheless a generalization and not a rule. There are indeed many connected device manufacturers who do a good job with security, who invest heavily in it and successfully articulate to the market how these investments manifest in a more resilient security posture. Given these conditions, two things need to happen:

  1. More connected device vendors need to properly prioritize security
  2. Better, more valid communication about security for IoT needs to happen

If these conditions can be met, the longer-term future of IoT security is bright. If either of them is not met, the future of IoT — and of security in IoT — is unlikely to improve from the status quo.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.