Securing the Internet of Things

Technical Consultant, BAE Systems Read time: 5 mins
The Internet of Things is rapidly taking root around the world but security risks abound. Mark Woolger explores this evolving digital frontier.
Secure the Internet of ThingsNot so long ago we lived in a world where we understood and controlled the extent of the interactions between our devices and the internet. When we were finished using the computer we turned it off and it lay dormant until it was turned it on again. Use of the internet and the associated data transfer happened consciously.

What a contrast to life with the Internet of Things (IoT).

Now, many of our devices – like Alexa, smart thermostats and so on – are on 24/7 and their number, as evidenced by CES 2019, is growing fast.  From lightbulbs to vacuum cleaners, children’s soft toys to showers, the IoT is getting into everything and while for some objects we may question the need, many will soon be an integral part of our daily lives.

In order to carry out their function and provide us with the service we want, these devices automatically and regularly connect to the internet and transfer information without needing the intervention of their owner.  In other words, an increasing amount of internet use and data transfer that we would consider “ours” is happening in a more unconscious way. We trust that the data transferred is appropriate, only what is required and happens securely.

Whilst this does give us the services we want, it also introduces a new area of risk.

These devices are attached to our home network thus connected to other devices on it like our phones, tablets and laptops as well as any other IoT devices. Whilst an IoT coffee machine might seem innocuous on its own, without adequate controls it is a potential security weakness for the whole network and thus anything attached to it, from children’s toys to automation technology for the elderly or disabled.

It’s not just when we are at home either. We happily connect to Wi-Fi networks of friends, shops and other businesses so the number of IoT devices that our gadgets come into contact with every day will become very large indeed.

So, what’s to be done?

Secure by design

Right now, suppliers have the challenge of providing electronic products into a competitive market where consumers are sensitive to both price and features, as well as being more agnostic as to where they buy a product from. Internet connectivity can be a relatively cheap addition that adds a new feature to make a product more compelling.

However when viewing and comparing products consumers perhaps do not consider whether the device is likely to have appropriate security controls in place or have been tested for vulnerabilities. This in turn does not incentivise suppliers to invest in this area or to see it as much of a selling point.

Something in this equation should change.

Adherence to standards and security accreditation could well be something that consumers, businesses and governments start to prioritise when it comes to comparing and approving IoT products. The good news is that this is starting to happen. For example, last year both the British Standards Institute introduced a kite mark for IoT devices and Department of Culture Media and Sport publish a voluntary code of conduct for consumer IoT devices.

We may also see consumers seeking out solutions that monitor the activity of devices in their own networks so they can feel secure that their ever increasing array of IoT devices are all behaving as expected, regardless of who manufactured them. This is something that is already in place in many companies and from a consumer mindset perspective is a logical extension to the idea of using antivirus on their laptop.

Over the horizon

The IoT is not going away, and nor should it. The potential for it to have a positive impact is almost impossible to fathom.

But at the same time, new developments must be accompanied by the right security and design. Only then will we fully harness the benefits of the technological revolution – and rest secure in the knowledge that our internet-connected breakfast bowl isn’t harvesting and communicating our bank details.

About the author
Mark Woolger is a technical consultant with BAE Systems
Mark Woolger Technical Consultant, BAE Systems 18 April 2019