Harmony the key to IoT security
The internet of things is constantly evolving, as are the threats that go hand-in-hand with it. Anna Hayes looks at the ioXt Alliance, a group tackling the issue of IoT security on a global scale.
As the Internet of Things (IoT) continues to evolve in new and unexpected ways, the question of security and privacy is one that is becoming more and more pertinent.
Approximately 14.2 billion connected devices will be in use this year, with that number expected to grow to 25 billion by 2021, according to analyst Gartner. To that end, device security has never been more important when it comes to keeping threats firmly locked on the outside of your home or business network, and the ioXt Alliance is tackling this issue head-on by promoting an internet of ‘secure’ things.
The ioXt Alliance was founded in the Spring of 2018, after several large IoT device manufacturers and protocol standard groups met to discuss issues that caused friction in the widespread adoption of connected devices.
The group’s chief technology officer, Brad Ree, says: “The lack of a harmonised set of security standards was one of the primary issues the group felt needed to be addressed. With the goal of harmonising across many protocols and ecosystems, it was decided that ioXt would be formed to address product and service security.”
Brad believes that more stringent compliance regulations are required.
“We believe security best practices do not go far enough to drive the companies who are not providing baseline security in their products, as compliance with the standards is not verified and made visible through simple markings on the products.”
The ioXt Alliance consists of a group of technology device manufacturers, test labs, IoT standards groups and public policy organisations that are developing IoT security requirements that are verifiable through third-party compliance testing labs.
“These requirements may be used by the retail channel, system integrators and product managers when identifying products for their channel. The Alliance also supports IoT security policy efforts between our member companies and government organisations,” Brad says.
At the heart of the process is the ioXt Security Pledge: eight guidelines aimed at reducing the chance of falling prey to any would-be malicious access.
The eight principles of the pledge are:
- No universal passwords: products would come with their own unique passwords or require the user to create one before the device could operate. Universal passwords are rarely changed and attackers can gain access to devices through lists of shared universal passwords.
- Secured interfaces: manufacturers should implement a ‘secure by design’ measure on external communication interfaces.
- Proven cryptography: manufacturers should use proven and standardised cryptography, specifically those that are well developed, proven, reviewed and standardised instead of proprietary developed algorithms that haven’t been subject to the same scrutiny.
- Security by default: products should be secured at the time of purchase; the user can then choose whether to decrease or increase the security level.
- Signed software updates: it is critical that products be updateable, and those updates must be cryptographically signed to prevent tampering during deployment. The product must not accept unsigned updates, as they could be fraudulent.
- Automatically applied updates: manufacturers should automatically deploy security patches and updates in a timely manner; the user should not have to be the administrator on their devices.
- Vulnerability reporting program: companies offering internet connected devices should provide a public point of contact as part of a vulnerability disclosure policy, allowing users and security researchers to report issues, which should then be acted upon in a timely manner.
- Security expiration date: there should be transparency around the period of time for which a manufacturer will provide security updates for a device, in a similar way to how warranties are offered. This will allow users to make an informed decision before they purchase a device.
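The ‘signed software updates’ principle above is the one most directly expressible in code. The following is an added illustration, not ioXt’s own test or any manufacturer’s implementation: a device-side check that refuses an unsigned update, refuses a tampered one, and (going one step beyond the pledge wording) refuses an update older than the installed firmware. The update layout, key handling and version field are constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update layout for this example: a version counter plus the
// firmware image, with a detached Ed25519 signature over SHA-256(version || image).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // empty means the update arrived unsigned
}

var (
	ErrUnsigned     = errors.New("update is unsigned: refusing to install")
	ErrBadSignature = errors.New("update signature invalid: image rejected")
	ErrRollback     = errors.New("update is not newer than installed firmware")
)

// digest binds the version to the image so neither can be swapped independently.
func digest(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is what a vendor build pipeline would do with its private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// VerifyUpdate is the device-side gate: the vendor public key is fixed in the
// device, so only vendor-signed, newer images pass. Check signature before anything else.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	good := SignUpdate(priv, 2, []byte("firmware v2"))
	fmt.Println("signed update:  ", VerifyUpdate(pub, 1, good))
	tampered := good
	tampered.Image = []byte("firmware v2 + modified")
	fmt.Println("tampered image: ", VerifyUpdate(pub, 1, tampered))
	fmt.Println("unsigned image: ", VerifyUpdate(pub, 1, Update{Version: 2, Image: good.Image}))
}
```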
The Alliance also provides an interface between IoT public policy efforts and device manufacturers.
Brad explains that all security requirements will be third-party verifiable.
“Manufacturers will have a clear set of requirements and compliance tests which they can give to their engineering teams. Retail purchasing managers may also reference these requirements and request compliance test reports from third-party test labs.”
The increasing sophistication of malicious attacks will, however, always remain a cause for concern, and Brad says that regulators are closely scrutinising the IoT market to address security issues. The problem is that, often, regulators only work within their own state or country.
“This will create issues for global manufacturers, and integrators who need to address these local regulations. ioXt is working hard to harmonise these different requirements, and provide a single security passport which can be used for each of the markets.”
But this fragmentation of regulations is a threat in the rapidly growing industry, as there is no end-to-end security standard across multiple protocols which, in turn, makes the translation point in a network vulnerable to attacks.
“The weakest point in the system becomes the target. However, the strength of a fully interoperable IoT system is that an integrator can combine the best sensor/actuator from one network into another network to provide an optimal solution. Without common security standards, an integrator may introduce low security devices into a mission critical network and not be aware of the risk they introduced.”
At present, ioXt is working with a variety of decision makers in the supply chain, including ecosystem managers from several ‘works with’ programs, buyers in the retail channel and public policy regulators.
For white label products, managing brands can specify the ioXt requirements and require test lab compliance reports. This allows the managing brand to verify compliance without having to build its own in-house testing lab.
The first batch of products will be available in early 2020.