IoT Needs To Get Serious About Security
Security issues in IoT have gotten worse, not better, and it's time we acknowledge that and fix it. It's long past time.
This headline came across my email the other day, and it really got me thinking:
"Number of vulnerable IoT devices increases 136%"
How is that even possible? What have we in IoT been doing? It's frankly shameful. It's shameful because we, as IoT practitioners and developers, know better. And we've known better for a long, long time.
Some Background
I've been doing IoT since before we called it IoT. As part of a small research team at Sun Labs (RIP Sun Labs) back in 2004, we built the first IoT Developer Kit, the Sun SPOT. It was a kit with three 32-bit ARM MCU-powered nodes that you programmed entirely in Java. Java on the metal.
That was a long time before most IoT platforms, and even back then we had Elliptic Curve Cryptography (ECC) available and on by default. In 2006.
We've Known About IoT Security Forever
I found this in an article from 2021:
To help you understand the relevance of IoT devices today, here are a few statistics to demonstrate their current and future impact on consumers and the economy:
- Every second, 127 devices worldwide hook up to the internet for the first time. (McKinsey)
- In 2021, there are more than 10 billion active IoT devices. (Statista)
- There are expected to be more than 64 billion IoT devices worldwide by 2025. (Business Insider)
- IoT has the potential to generate $4 trillion to $11 trillion in economic value by 2025. (McKinsey)
Given this rise in IoT devices, IoT device security is something that should be top of mind for all owners of these devices.
I have written about this for years (see here). Yet so little has changed.
I did a search for "IoT security issues" and there are articles dating back well over a decade. This has been a known problem since forever.
So why haven't we (as IoT developers) fixed it? How is that top headline still a headline?
Why Is Security Still an Issue?
I can't be sure, but I think that security in IoT is still an issue simply because folks are, well, lazy about security. Back in the hazy past of my career, I worked in extremely high-security environments. I was very early in my career and I was developing code for high-security networks, so I had it drilled into me every day that code needed to be written with security best practices in mind. All access had to be restricted to the smallest number of users possible, and all access had to be authenticated, encrypted, and logged.
But that kind of development is hard to do, and it takes time and effort — and a lot of testing — to get right. You can read all of that as "expensive" and you wouldn't be wrong. Which is, quite possibly, why security has often been an afterthought. It's expensive.
Know what else is expensive? Data breaches, device botnets, etc. Those are, in general, much more expensive than the up-front cost of preventing them would have been. And they are far more destructive.
If you're developing on Arduino, there are lots of security libraries available: BearSSL, wolfSSL, and SharkSSL, to name just a few. And that's just for transport-layer security.
If you're developing on Raspberry Pi, you have full access to OpenSSL for transport-layer security, LUKS for data encryption, and Hardware Security Modules (HSMs) from vendors like Zymbit.
Conclusions
There really is no excuse for us, as developers, not to fully implement security for IoT devices. As the number of IoT devices has exploded over the last few years (and continues to grow rapidly), it is irresponsible and verging on malpractice not to address security concerns at every level, and on every IoT device and deployment.
Every device deployed increases the attack surface available to bad actors. And every time another IoT deployment is compromised, we lower the probability that future IoT projects will be seen as safe, reliable, and effective.
Think of implementing security as self-preservation, if you have to.