Traffic Light Security For IoT
Written by Harry Fairhead   
Wednesday, 09 November 2022

The US is set to introduce user friendly labeling for IoT devices - as if labeling solved the problem. It may sound like a good idea but there are big problems. Labeling for energy consumption is easy - for security not so easy. 

Transparency is one of the big problems with security in general and IoT devices in particular. So you buy a new black box IoT device and at once you have to give it permission to connect to your network. From this point on you are operating on trust. Who knows where the device will connect and what it will download. What is worse is that a typical network doesn't show what is going on in any form that is intelligible without special tools and even special training. Do you know who is on your network at the moment and where the packets are going? Even if a device is safe when you installing over the air, updates mean that it doesn't necessarily stay safe.

The latest idea is to apply a labelling system similar to the well known Energy Star labelling program designed to promote energy efficiency. Who could say that this doesn't work? We all at least look at the rating when buying new goods and only ignore a better efficiency if there is some overwhelming reason to go for some other feature.

energystar

Having a rating system on IoT devices sounds attractive at first (does it?) but you can quickly see that there are problems. The energy rating is a one-dimensional thing that can be measured fairly reliably. IoT security is a vague concept at best and is probably only describable as a multidimensional measure. It is suggested that a barcode be added to the labelling so that users can find out the details - whether they will understand the details is another good question.

An existing scheme introduced in Singapore seems to be catching on - Germany and Finland look to be about to adopt it. Clearly we need a worldwide standard if it is to be economical to implement and easy to grasp. At the moment the suggestion has the backing of Amazon, Cisco, Intel, Google, Samsung and so on. No doubt there will be an approval process that will be controlled by some sort of alliance from the big tech companies. However this is likely to be be no more than a set of tick boxes - has the device got encryption, does it use secure updating and so on. This is only slightly reassuring and does nothing for the unknown quantity that you are connecting to your network. Yes it has secure encryption, but does it have any back doors? Does it connect to a manufacturer's server and upload data on your usage irrespective of any permission you withhold. To implement a scheme to certify IoT devices at this level would be a very tall order indeed.

So what is the solution?

The best solution, and it really is the only solution we have, is open source. If I can read your code I can be reasonably confident that I know what the black box that contains it is doing. I might not notice the back door that you have hidden, but sooner or later someone will - that's the "many eyes" principle for security. As I said at the beginning - transparency is a great aid to security.

So can we have a big star for open source as a security feature?

My guess is that there is no way that this would feature in any security validating scheme run by big tech.

iot secsq

More Information

Statement by NSC Spokesperson Adrienne Watson on the Biden-⁠Harris Administration’s Effort to Secure Household Internet-Enabled Devices

Related Articles

Secure Coding Best Practices for 2022

The Importance of Securing IoT Devices

Happy Developers Think More About Security

The State Of Secure Software Development - Three OpenSSF Courses

Making Light Work Of The IoT

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


TypeScript 5.4 Adds NoInfer Type
12/03/2024

TypeScript 5.4 has been released, with the addition of a NoInfer utility type alongside preserved narrowing in closures following last assignments. 



Dart Adds WebAssembly Support
20/02/2024

Google has released Dart 3.3 with experimental support for applications compiled to WebAssembly, along with new extension types and a revamped JavaScript interop model.


More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

 

 

Last Updated ( Wednesday, 09 November 2022 )