In this Edition:
Change Edition

Get Smart: Securing the Internet of Things

Photo: iStock

So much is already so smart. Today, if you were so inclined, you could  buy smart breadmakers that let you remotely check the status of your bread. Or a smart thermostat that would learn your family's behaviors and intelligently manage the temperature of your home. You could even purchase smart toys that listen to what your children are saying and respond.

But in the not too distant future, everything will be this smart, and everything this smart will be connected. This Internet of Things (IoT) represents the third wave of computing. The first wave focused on computation—making the basics of computing work. The second wave centered on networking—connecting all of these computers together in a global network. The third wave, of which we are in the early stages, aims to make computers part of the physical world in which we live. Computation, communication, and sensation are being woven into everyday objects, all of which contain, and indeed are, computers.

IoT offers tremendous potential to society in a wide array of fields. Consider the case of healthcare: in the early 20th century, the primary global health issue was controlling infectious diseases like tuberculosis and diphtheria. Now, in the early 21st century, people in developed countries need to manage chronic conditions like heart disease and diabetes, which require sustained changes in people’s behaviors in terms of diet, exercise, and medication. The World Health Organization estimates that 60 percent of all deaths worldwide are now due to chronic conditions. IoT systems can offer meaningful interventions here by helping people achieve desired changes. The combination of smartphones, wearable devices, and new kinds of home monitoring systems make it possible to accurately track a person's sleep patterns, physical activities, food intake, and medication. This information might be used by individuals to understand their own patterns, as well as by doctors and health coaches to offer personalized interventions that are just within a person's grasp. But with great potential benefit comes great potential peril, and we need to ensure that IoT systems are built with security and safety in mind.

What Makes Security for IoT Different?

Security for IoT shares much in common with today’s security concerns for desktop computers, cloud computing, and enterprise systems. But one difference lies in the many ways in which these problems will be exacerbated by IoT. For example, ransomware, in which an attacker holds your data or your computer systems hostage, takes on new meaning if the attacker can take control of parts of your smart home or the autonomous vehicle you are in. Spyware will also be much harder to detect, since it might be in any of the devices you use.

IoT also poses some challenges for security that are unlike that which we have encountered in earlier waves of computing. The most obvious challenge is scale. Soon there will be hundreds of networked devices per person. And while it is relatively easy to configure a security policy for a single device, the same cannot be said for securing hundreds of devices, each of which might have a different user interface.

A second major challenge is the diversity of IoT devices. Some devices, such as tablets and glasses, will have a great deal of computational power and can run security software. However, the vast majority of devices will be low-end systems and cannot use conventional security software.

A third major challenge is managing security in the face of emergent behaviors, which are unexpected behaviors that arise due to complex interactions between devices. A friend told me that a person once annoyed a bunch of people wearing Google Glass by shouting out “Ok Glass, take a picture,” causing everyone’s wearable to take a picture. That is a trivial example. But what if the same logic were used by an attacker who has found a software vulnerability in a smart toaster and causes it to burn some toast? The networked smoke detector sets off an alert and automatically opens up the windows, allowing a thief to easily enter. This is a contrived scenario, but it demonstrates the challenges of understanding the overall safety and security properties of a system when it is comprised of parts that were not explicitly designed to work with one another.

A fourth and final challenge is that most IoT manufacturers have little experience with cybersecurity. Traditional software companies that are also looking to develop IoT hardware already understand the need for good security practices. However, many hardware manufacturers—which include makers of automobiles, household appliances, toys, lighting, medical equipment, and more—often do not yet realize that they also need to be software companies. This means having employees who understand good software engineering processes, using tools for developing and testing secure software, knowing how to create and distribute software patches, and having experience in best practices and in avoiding common mistakes. But that is exactly what they need to be and do.

A Path Forward to a Secure Internet of Things

The IoT landscape is still very chaotic and will continue to be so for the foreseeable future. However,  there is still much that researchers and policymakers can do.

First, we need to push for requiring cybersecurity education in computer science curricula. Today, it is possible for an undergraduate to get a degree in computer science without having taken any courses in cybersecurity. In a world that has IoT, that should not be so.

Second, we need better ways of disseminating best practices in developing and deploying IoT systems. Many security issues are easily avoidable, but developers keep making the same basic errors over and over again. We need to establish centers of excellence to gather, analyze, publish, and disseminate best practices in formats that are easy for developers to use. These might include checklists, design patterns, and code samples that developers can copy and paste.

Third, we need more data sharing between IoT manufacturers about failures in safety and security. Large-scale data breaches are the digital equivalent of the Tacoma Narrows bridge collapse. However, very little information about the root causes is ever published, making it hard for the entire community to learn from mistakes. Many people have argued that we need something like the National Transportation Safety Board (NTSB), which investigates major accidents with our railroads, highways, and aviation systems, for data breaches . Its goal would not be to assign blame, but rather to determine probable causes for a failure; evaluate the effectiveness of procedures and cybersecurity systems; and offer actionable recommendations.

Fourth, we need more investigation into the effectiveness of cybersecurity insurance for manufacturers of IoT devices. Manufacturers respond to incentives, but there are currently few forces pushing them for stronger cybersecurity. Several organizations have proposed mandating cybersecurity insurance for companies, as it could offer market-based approaches for compensating people who experience data breaches or material loss due to IoT system failures. Cybersecurity insurance might also improve software engineering, as insurers would likely set premiums based on level of experience and adoption of best practices.

Fifth, researchers analyzing the security of IoT systems need better and clearer legal protections. The Digital Millennium Copyright Act (DMCA) offers few exceptions for researchers doing good faith research. The Library of Congress is currently tasked with granting exemptions, but the exemptions have to be renewed every three years and tend to be very narrow. The most recent triennial review granted exemptions for independent verification of security for consumer devices, motorized land vehicles, and medical devices, which does not cover many IoT systems.

Sixth, we need more funding for large research centers on IoT safety and security. There are still many fundamental and long-term research challenges that need to be addressed before IoT systems can be successfully deployed at scale. However, federal spending on research has been fairly flat for the past few years, as has industry support. The end-result is smaller ideas with shorter time horizons, making it hard to reach critical mass and achieve major breakthroughs.

There is only one point in time when a global computing network will be created, and only one time when the foundation is laid for how computation, communication, and sensing will be woven into our physical world. That time is now. The Internet of Things offers tremendous potential to society, but only if we can make these billions of these devices and systems understandable, reliable, and secure. We need to be sure that we’re just as smart about our Things as the things themselves will soon be.


Jason Hong was a fellow in the Cybersecurity Initiative. He is is an Associate Professor in the Human-Computer Interaction Institute at Carnegie Mellon University. Hong is also the CTO of Wombat Security Technologies, a company he co-founded that delivers software-based cyber security awareness and training solutions.