Should connected devices carry an IoT security-star rating?
According to a recent report from the Internet Society and Consumers International, 28% of people who do not own a smart device won’t buy one due to security concerns. And eight in 10 consumers surveyed think privacy and security should be assured by either regulators, manufacturers or retailers.
In parallel, manufacturers complain that it’s expensive and time-consuming to ensure products sufficiently address all possible security concerns. And that it doesn’t necessarily pay off in terms of increased sales and market share either. Consumers who are comfortable with taking the risk will buy anyway, and consumers who aren’t — like those above — will still remain unconvinced.
This isn’t a healthy state for any market to be in. And it makes me wonder if all smart devices should be made to carry a security-star rating. Just like those used to show energy efficiency, for example Energy Star in the U.S., or crash safety in the automotive industry, such as Euro NCAP in Europe.
Why were early smart devices so insecure?
The problem is that the security of smart devices has, until now, been an afterthought. And neither the end user nor the device maker was willing to pay for it. And the industry, somewhat naively, completely underestimated how big a deal security would become. (Why would anyone want to hack my smart baby monitor?)
Although things are improving, we’re a long way from having a level of security that’s trusted by end users as much as, say, HTTPS and SSL certificates are for websites. And this situation is unlikely to change, in my opinion, without the creation of some kind of independent regulator. The issue is just too big to be left to manufacturers and retailers to resolve on their own.
A good place to start would be to address the security issues revealed by the most well-publicized hacks to date. And this needs to happen fast, before demand for smart devices starts to evaporate. And by fast, I mean something in place during next year; it can’t be five years from now.
What would this security look like?
Something very similar is underway in the chip industry. Arm, for example, is developing a Platform Security Architecture (PSA) that recognizes that an Arm-based smart device is only as strong as its weakest link. A single vulnerability could compromise the entire device.
To combat this, Arm PSA aims to layer in security from the silicon level upwards. It targets four broad sources of insecurity: communications, physical (silicon), product lifecycle and software — the most common vulnerability of all.
Public Knowledge, a U.S. consumer rights organization, has also produced a white paper urging the U.S. government to mandate some kind of cybersecurity shield mark to denote that a connected device is secure. The paper details what such a program would look like and how it should be implemented, assessed and adopted.
Why it must be a star rating
What I love about star ratings is how simple and effective they are. Nobody would buy a car with a 1 out of 5 safety rating, which is why car manufacturers don’t build cars that unsafe. With stars, you get a pull from the end user and a push from the manufacturer to ensure a minimum standard is reached.
You also give the consumer the opportunity to pay more for products with higher ratings and the extra peace of mind this gives. And IoT device manufacturers will then struggle to sell devices that are unfit for purpose — those which have little or no security — no matter how low the retail cost.
That said, products that have been hacked to date were not necessarily the cheapest or inherently insecure. The problem is when you develop a smart device or system you need to think about thousands of things, and you only need to overlook one to leave a vulnerability that a hacker can later exploit.
There’s nothing smart about an insecure smart device
Security must be built into a smart device from the design phase, through component procurement, and all the way to the end of life for that product. Just because a smart device is old doesn’t mean it should become insecure.
And in the real world, a device manufacturer should also be able to update or patch any security loopholes that may appear in the field. That means support for over-the-air firmware updates and software patches, too.
Consumers’ lack of trust in smart devices won’t be reversed until their security is given a total overhaul, and until then the future growth of the smart device industry will be severely hampered. A security-star rating is desperately required. And soon.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.