Market forces will not improve IoT security, because bad security drives out good.
Bruce Schneier writes this article on IoT calling for a regulatory framework to enforce security standards in IoT devices where the market will not. I agree with his main point, the market will not fix the problem, because (cheap) bad security drives out good.
I would add an amplification, however, that home routers, DVRs and many other appliances generally do have a firmware update capability. What we need is a standard framework for making owners aware when there is a vulnerability affecting them, and when there is an update available.
I think we can achieve this with the DNS global directory. Much like we added sender policy framework to DNS to help deal with spam, we need to work on a device security policy framework.
Right now everyone is pointing and laughing at IoT security. We’re in that wild west era that cheap routers went through half a decade ago. But we can fix this.
If vulnerabilities and available updates were in a directory, devices could check whether they need to update themselves, and either just do it, or alert their owners. We’d need to work out a global device model identifier (possibly a MAC address to model registry) then for each model record any software versions that have vulnerabilities, and also the latest available version.
Once we have a model naming framework and a vulnerability database, sufficiently smart devices can check their own status, and IoT hubs could also monitor the needs of their less intelligent spokes.
This doesn’t solve the problem of unsupported devices where no update is available, but where a device is detected to be of a vulnerable version with no patch, routers could potentially automatically block or throttle it.
A further step would be to record in DNS what the “normal” access needs of a device are. For example a DVR might be known to only need to talk to its manufacturer, to YouTube and Netflix, and a handful of other TV sites. This policy could be used to auto-configure a firewall to block access outside this set, so that it is not possible for a subverted device to originate a denial of service attack against anything on the internet.
If you are deploying IoT for business, you should be limiting the scope of what the devices can do, but realistically unless this is automated it’s unlikely to get done.
As a first step I want to see home and business WiFi routers offering a separate network for IoT devices that limits the connectivity of devices to minimise the damage if any “go rogue”. Good routers already offer a separate “guest network” to sequester less trusted clients from your main network.
The next step is building a standard way for firewalls to learn that new device X should have filter policy Y applied to its traffic.
If you are worried about the risk your IoT devices present, right now there is one thing you can do:
If you have a home or office IoT installation, I recommend putting your IoT devices on your guest network, and configuring your router to place a reasonably low traffic limit on guest clients. This protects you from being that infuriating neighbour who lets their dog bark all night.
(This article originally appeared on Medium.)