The Internet of Things was such a beautiful idea … too beautiful for this world. We watched it move from being a standard talking point of innovation evangelists to being a serious priority for top CEOs the world over. 

After being confirmed by the tech high priests at CES16 it is suddenly falling heavily, rather gracelessly, into the laps of lowly product managers. These poor souls may not dream as big as evangelists and CEOs, but they are the ones stuck with the job of actually making the damned thing work. 

And in this antediluvian world of ours that means dealing with hackers, malware distributors and other malefactors. In other words, we’re all being forced to think about security.

Fly in the Ointment

Without getting into the semantics of exactly what constitutes an IoT device, it’s fair to say that one of the first connected devices that made its way into people’s homes en masse was the webcam. 

In late 2014 it was somewhat concerning that many of these devices were “secured” using default usernames and passwords. In other words, they were not secured. Sites appeared streaming unsecured video to the world at large. And shockingly, these sites still exist. There’s now even a twitter bot that searches for poorly configured webcams, takes screenshots from the feeds and tweets them. It is no small irony that these devices are frequently installed for security reasons.

In fact, professional security monitoring is emerging as one of the break-out services that can be layered onto a connected home. There are several companies out there with offers, including AT&T’s Digital Life, a Nest integration from ADT and Lowe’s home monitoring package available through its Iris connected home offering. 

It is self-evident that nailing the security on a home security solution is, well, mission critical to say the least. Yet, concerns are already emerging. Comcast’s Xfinity Home Security system has been found to have significant flaws. Many more are yet to be exposed.

The market is clearly signaling a desire for these kinds of products. Yet a recent report from Accenture found that for nearly half of those surveyed — security and privacy concerns remained a significant roadblock to IoT adoption. 

Their concerns are well justified. 

Sec Consult recently conducted a study of 4,000 embedded devices from 70 hardware makers and found that many products are sharing the same hardwired SSH login keys and server-side SSL certificates. Hack one and hack them all.

Can the IoT Learn from E-Commerce?

Stuck between market demands and the realities of our tech environment, what’s a poor IoT product manager to do?

Back in the mid-90s it was commonly believed that a lack of security in personal computers was going to prevent online commerce. Software and operating systems were riddled with security vulnerabilities and there was no good way to patch them. At the time the common response of companies was to try to keep vulnerabilities secret. 

This has changed. 

There’s now a culture of publishing vulnerabilities to force companies to issue patches quicker. Automating the process of installing updates to reduce the burden on users has also made a huge difference. We know these are the best steps to reduce vulnerabilities: transparency from companies about known issues, distributing regular patches and auto-updates.

Can this mixture of transparency and regular updates work to secure IoT? To some extent it’s analogous. But the differences are glaring.

Firstly there is the issue of legacy devices. There are millions of vulnerable devices out there with no good way to update them. It’s not just that operating systems are implemented with no good way to update them, there’s also the problem of device drivers and other components which don’t even have source code to update, they’re just “binary blobs.” No one can possibly patch code that’s just binary. Excluding these vulnerable devices from the system will be a huge challenge.

Then there’s a larger commercial issue: the organizations being forced to adapt in the mid-90s were software developers. Now we’re talking about device manufacturers. 

Some of these organizations have spent a hundred years specializing in bending metal and shipping said bent metal into our homes. These same organizations are now tasked with making their devices secure from hackers. There is simply no culture within these organizations to address the issue. 

The same is true for legacy service providers and retailers. External specialists are needed to neutralize the issue, so brands can focus on what they do best.

On the other side we have scrappy start-ups who are so focused on simply getting to market that security is an afterthought. Often they have neither the resources nor the incentives to think about what their product will be doing in six months. It’s tough to think about updates when just getting it working in the here and now is difficult enough.

The Bottom Line

The bottom line is that back in the late 90s the market clearly indicated a desire to buy goods online was being hampered by concerns about the integrity of the Internet. Those concerns were addressed by vigilant software engineers implementing systems that could respond to evolving security challenges. The result is online commerce as we know it today. The same process will play out in the IoT space.

Solutions are being proposed. Some take the rather dubious route of using the router as a central monitoring device, such as the Luma, F-Secure and Dojo. At the communications layer the AllSeen Alliance has implemented Security 2.0 for their open source AllJoyn protocol. There are dozens more.

Providing services such as security monitoring over the Internet of Things is an enormous opportunity. The revenues from these services will dwarf the investment required to secure them. As is always the case with security, there will be no killer app. Just vigilance, persistence and a little prayer.