We here at Machine Design recently published an article about the major trends expected for IoT in 2018. One of the key developments discussed is that security as a standalone feature has been replaced by embedded security. That means companies will no longer rely on one standalone service like McAfee or a single firewall protecting the entire network. Instead, all connected devices will have security built into their design. However, this brings a new hurdle for IoT devices: the software update.
Keeping IoT Devices Updated
According to CNET, in 2017 8.4 billion connected devices came to the marketplace. By 2020, the number is expected to grow to 20.4 billion. In other words, another 6 billion devices per year are expected over the next two years. The connected edge device has always been the weak point of the system, and hackers know this. In October 2017, Netlab 360 discovered the IoT-reaper botnet, which was hijacking 10,000 devices a day. Weak IoT devices resulted in the Mirai botnet creating an internet outage in 2016 by hacking DVRs and webcams.
Updating the software in connected edge devices is a challenge. According to Alex Balan, chief researcher for security company Bitdefender, people often ignore update prompts or are unaware when updates are available. Companies also are slow to send out updates. Kevin Haley, a director of security response for the security company Symantec, urges companies to make the update process simpler for consumers. He stresses that it’s unrealistic to expect average consumers to become security experts.
Government and User Action
To be less reliant on the software update as the only line of defense against malicious hacks, some are arguing for government regulation to create new standards. Conducted in November 2017, the Gemalto Survey found that many are in favor of government regulation for IoT security. According to the survey, 61% of businesses want regulations to clearly define who is responsible for securing IoT devices and data at each stage. 55% of businesses also want to know what the repercussions of non-compliance are. In general, the majority of organizations (96%) and consumers (90%) are in favor of government-enforced IoT security regulation.
And the government has started taking action. Last August, Congress passed the Internet of Things Cybersecurity Improvement Act of 2017, which would affect the security of wearables, sensors, and internet-connected tools sold to federal agencies. The bill ensured that any devices sold to the U.S. government would adhere to strict security guidelines and enforce security updates to all existing and new devices. While a step in the right direction, it leaves several industry and consumer devices untouched. Critics argue that regulation will halt innovation. However, organizations are more afraid of the exposure of their devices in the market. Security should not be seen as a bump in the road toward innovation, but rather, part of the journey. Would one say that an airbag in a car was an impediment to innovation?
The Norton Core from Symantec is a protection gateway. Essentially acting as a security router, it protects your network devices even if they’re not updated.
Part of the push for better security is coming from industry. Companies like Bitdefender and Symantec have created security hubs, which act as protective gateways to online connections. These hubs will protect devices regardless of whether they are updated. Symantec’s Norton Core and Bitdefender’s Box 2 are subscription-based models. For $99 a year, the hubs will constantly be updated to the latest security features.
The cost of updating these boxes might be a burden to some. So for the end user, and for organizations that have thousands of devices in their network, better implementation of device managers and over-the-air updates is needed. Properly deployed device managers, with all devices properly connected to the network, can push updates to connected devices and install them in the background, taking the user out of the equation. With security updates automated, devices will also be up to date and ready to handle the next hacker attack.