Traffic Light Security For IoT
Written by Harry Fairhead
Wednesday, 09 November 2022
The US is set to introduce user-friendly labeling for IoT devices - as if labeling solved the problem. It may sound like a good idea, but there are big problems. Labeling for energy consumption is easy - for security, not so easy.
Transparency is one of the big problems with security in general and IoT devices in particular. So you buy a new black-box IoT device and at once you have to give it permission to connect to your network. From this point on you are operating on trust. Who knows where the device will connect and what it will download? What is worse is that a typical network doesn't show what is going on in any form that is intelligible without special tools and even special training. Do you know who is on your network at the moment and where the packets are going? Even if a device is safe when you install it, over-the-air updates mean that it doesn't necessarily stay safe.
The latest idea is to apply a labelling system similar to the well known Energy Star labelling program designed to promote energy efficiency. Who could say that this doesn't work? We all at least look at the rating when buying new goods and only ignore a better efficiency if there is some overwhelming reason to go for some other feature.
Having a rating system on IoT devices sounds attractive at first (does it?) but you can quickly see that there are problems. The energy rating is a one-dimensional thing that can be measured fairly reliably. IoT security is a vague concept at best and is probably only describable as a multidimensional measure. It is suggested that a barcode be added to the labelling so that users can find out the details - whether they will understand the details is another good question.
An existing scheme introduced in Singapore seems to be catching on - Germany and Finland look to be about to adopt it. Clearly we need a worldwide standard if it is to be economical to implement and easy to grasp. At the moment the suggestion has the backing of Amazon, Cisco, Intel, Google, Samsung and so on. No doubt there will be an approval process that will be controlled by some sort of alliance of the big tech companies. However, this is likely to be no more than a set of tick boxes - has the device got encryption, does it use secure updating and so on. This is only slightly reassuring and does nothing for the unknown quantity that you are connecting to your network. Yes, it has encryption, but does it have any back doors? Does it connect to a manufacturer's server and upload data on your usage irrespective of any permission you withhold? To implement a scheme to certify IoT devices at this level would be a very tall order indeed.
So what is the solution?
The best solution, and it really is the only solution we have, is open source. If I can read your code I can be reasonably confident that I know what the black box that contains it is doing. I might not notice the back door that you have hidden, but sooner or later someone will - that's the "many eyes" principle for security. As I said at the beginning - transparency is a great aid to security.
So can we have a big star for open source as a security feature?
My guess is that there is no way that this would feature in any security validating scheme run by big tech.
Last Updated: Wednesday, 09 November 2022