IoT Security Through Obscurity?

Sarolta Bán

A recent Dassault Systèmes blog What’s next in the Internet of Things?  discusses the company’s view of the IoT and, of course, addresses the lingering concerns about the potential security risks in IoT-connected devices and the threats of hacking and infiltrating public IoT networks.

The article offers the following comment from Krisztián Flautner of ARM: “In theory, IoT devices are quite attackable because the security on them is often not very good. But, at the same time, you also have to know a lot about those devices and how they’re configured. To me, I’m not actually sure if the [hacking] threat goes up or down.”

I find this attitude a bit cavalier.

It is true that IoT networks tend to encompass myriad disparate IoT devices. It’s also true that all too often, system designers use a variety of standard and non-standard communication protocols to communicate with those devices. And the blog article seems to suggest that security through obscurity is sufficient.

But there is an inherent problem in trusting network security to the current disarray in IoT implementations. In fact, the haphazard approach to device connectivity leads to poor (not to say amateurish) implementation and creates software vulnerabilities that are easy to discover and exploit even without intimate knowledge of those devices and their bespoke configurations. A well-known case is the TCP/IP ports left open in the Jeep Cherokee telematic system that allowed hackers to break into the vehicle’s CAN bus (TCP port scanners are freely available).  In a recent DEF CON event, hackers found 47 new vulnerabilities in 23 IoT devices.

The suggestion that the sheer number of disparate IoT devices and configurations provides an adequate security shield violates a fundamental of system security: a system should be secure even if everything about it, except the encryption key, is public knowledge (Kerckhoffs’s principle).

The IoT security community cannot hide behind the pseudo-security provided by lack of communication standards (or, conversely, the fact that there are so many of them). Exactly the opposite. The industry must adopt standards, best practices, and the assistance of “white hat” hackers to secure industrial IoT networks.

Furthermore (and this is the main reason for writing this article), ineffectual use of standards and best practices and the lack of adequate semantic standards result in systems that are not only less secure, but also difficult to maintain and scale.

Industry should encourage the use of standard methods and protocols for device discovery, data exchange and management, data semantic, and heterogenous network interoperability. These will accelerate adoption and, yes, make IoT networks more, not less, secure.

Image: © Sarolta Bán (Used With Permission)