Security standards alone will not protect the emerging IoT platform, which will remain vulnerable until post-platform security arrives.
If the post-platform security and privacy systems that Akamai, Cisco and Google run to protect the web and mobile platforms, built on machine learning, are indicative of the future, IoT device makers will be only one part of a larger security ecosystem. That is because device makers alone will not have the data needed to train the machine learning models.
As a result, IoT post-platform security and privacy will become a layer on top of IoT device security. These five factors are why that will happen.
1. Product developers underestimate IoT security
In their race to market, product developers building for new platforms will underestimate the security and privacy features that should be built into their products. In some cases this will be an act of commission, but most will be acts of omission, because it is difficult to anticipate the vulnerabilities until the products reach the market at scale. Windows and mobile devices went through something similar: they have since been hardened, but earlier in their evolution they were easy targets for cyber criminals.
2. Defending the IoT perimeter and endpoints will fail
There is no perimeter in IoT to defend, and defending the perimeter has failed on every other platform. One look at the list of the largest breaches shows that most of the companies victimized by cyber criminals relied on defending the perimeter. Though much less frequent now, zero-day vulnerabilities in mature mobile and PC endpoints are still discovered and exploited. A better outcome cannot be expected for IoT devices.
3. Bank robbers go where the money is; cyber criminals go where the vulnerabilities are
IoT in its infancy has already demonstrated vulnerabilities that attract cyber criminals because of its weak security. Cyber criminals are drawn to these devices because they are an easier target than the mobile and Windows platforms.
4. Security and privacy for small-memory, microcontroller-based IoT devices are still being invented
Developers of IoT devices built on larger 32-bit processors that run Linux have the option to add strong security drawn from Linux's 25-year development history. That does not guarantee product developers will take advantage of Linux's rich security features. But building low-cost, power-efficient IoT devices with microcontrollers and small memory footprints is a new security problem that cannot draw on prior platforms for its security. Many IoT devices will ship before the IoT platform is hardened, exposing billions of devices to exploits.
The comparison below, of a typical battery-powered microcontroller configuration against the web's transport layer security (TLS) that encrypts browser traffic, shows why security and privacy protection built for mature, robust platforms like mobile and Windows will not fit.
Typical battery-powered microcontroller:
16 KB RAM
128 KB flash
Low-power WAN with physical-layer packet sizes limited to about 100 bytes
Applications that minimize communication to extend battery life

Web TLS:
Designed for high-bandwidth internet WAN links.
Certificates are typically over 1 KB each, the server sends a chain of them, and a full TLS 1.2 handshake needs two round trips before application data can flow (TLS 1.3 reduces this to one, but the certificate chain still has to cross the link).
A TLS implementation needs a minimum of about 4 KB of working memory, not counting the library itself with its well over 100 cipher suites, and a peer may send records of up to 16 KB of plaintext, the device's entire RAM, unless both ends negotiate a smaller limit (the max_fragment_length extension of RFC 6066 or the record_size_limit extension of RFC 8449).
Standards to protect IoT are in development at the Internet Engineering Task Force (IETF). For small-memory microcontroller devices the application layer has already been standardized: the Constrained Application Protocol (CoAP, RFC 7252) is a lightweight HTTP-like request/response protocol that runs over UDP and uses DTLS rather than TLS for its secure mode, and Concise Binary Object Representation (CBOR, RFC 8949, originally RFC 7049) is a compact binary encoding of the same attribute-value pair and array data model as the JSON used by browsers. Unlike JSON, CBOR is not human-readable; that is the price of fitting a sensor reading into a 100-byte radio frame.
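To make the CBOR point concrete, here is an added example, written for this article and not IETF reference code, of a minimal CBOR encoder and decoder for the JSON data model. It encodes a constructed sensor uplink both ways so the byte counts can be compared, and the decoder includes the checks a parser running in 16 KB of RAM cannot skip: every claimed string or argument length is verified against the buffer before it is used, nesting is capped by an assumed MAX_DEPTH of 32, and trailing bytes are rejected. The sample reading, the field names and the depth limit are assumptions for illustration.

```python
"""Minimal CBOR (RFC 8949) encoder/decoder for the JSON data model.
Hypothetical example written for this article, not IETF reference code.
It handles ints, floats, byte/text strings, arrays, maps, bool and null,
with the bounds checks a decoder on a 16 KB device must have.
"""
import json
import struct

# Major types (RFC 8949 section 3.1): the top 3 bits of the initial byte.
MT_UINT, MT_NINT, MT_BYTES, MT_TEXT, MT_ARRAY, MT_MAP, MT_TAG, MT_SIMPLE = range(8)
SIMPLE = {20: False, 21: True, 22: None}   # major type 7 "additional info" values
MAX_DEPTH = 32  # assumed nesting limit; a hostile peer can nest arrays forever

def _head(major, arg):
    """Initial byte plus the shortest big-endian encoding of the argument."""
    if arg < 24:                             # fits in the low 5 bits
        return bytes([major << 5 | arg])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if arg < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, arg)
    raise ValueError("integer too large for CBOR")

def encode(obj):
    """Encode a dict/list/str/bytes/int/float/bool/None tree to CBOR bytes."""
    for ai, val in SIMPLE.items():           # bool before int: True is an int
        if obj is val:
            return bytes([MT_SIMPLE << 5 | ai])
    if isinstance(obj, int):
        # Negatives are stored as -1 - n, so -4 is major 1 with argument 3.
        return _head(MT_UINT, obj) if obj >= 0 else _head(MT_NINT, -1 - obj)
    if isinstance(obj, float):
        return b"\xfb" + struct.pack(">d", obj)
    if isinstance(obj, bytes):
        return _head(MT_BYTES, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(MT_TEXT, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(MT_ARRAY, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(MT_MAP, len(obj)) + b"".join(
            encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def _decode_at(buf, pos, depth):
    """Decode one item at buf[pos]; return (value, new_pos). Trusts no length."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        arg = ai
    elif ai <= 27:
        size = 1 << (ai - 24)                # 1, 2, 4 or 8 following bytes
        if pos + size > len(buf):
            raise ValueError("truncated argument")
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length and reserved forms not supported")
    if major == MT_UINT:
        return arg, pos
    if major == MT_NINT:
        return -1 - arg, pos
    if major in (MT_BYTES, MT_TEXT):
        if pos + arg > len(buf):             # check the claimed length first
            raise ValueError("truncated string")
        chunk, pos = buf[pos:pos + arg], pos + arg
        return (chunk if major == MT_BYTES else chunk.decode("utf-8")), pos
    if major in (MT_ARRAY, MT_MAP):
        items = []                           # a huge count just runs out of input
        for _ in range(arg * (2 if major == MT_MAP else 1)):
            item, pos = _decode_at(buf, pos, depth + 1)
            items.append(item)
        if major == MT_ARRAY:
            return items, pos
        return dict(zip(items[0::2], items[1::2])), pos
    if major == MT_SIMPLE and ai in SIMPLE:
        return SIMPLE[ai], pos
    if major == MT_SIMPLE and ai == 27:      # float64: arg holds the 8 raw bytes
        return struct.unpack(">d", arg.to_bytes(8, "big"))[0], pos
    raise ValueError(f"unsupported item: major {major}, ai {ai}")

def decode(buf):
    """Decode a single complete CBOR item; reject trailing bytes."""
    value, pos = _decode_at(bytes(buf), 0, 0)
    if pos != len(buf):
        raise ValueError("trailing bytes after item")
    return value

def size_comparison(obj):
    """Return (json_bytes, cbor_bytes) for the same object, both compact."""
    json_len = len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return json_len, len(encode(obj))

# Constructed sample: one uplink from a sensor, temperature in tenths of a
# degree as an int because 16 KB devices avoid floating point.
SAMPLE_READING = {"id": 7, "t": 215, "ok": True, "v": [1, 2, 300, -4]}
```

Calling `encode(SAMPLE_READING)` yields 22 bytes on the wire where the equivalent compact JSON takes 43, and `decode` returns the original dict. The decoder deliberately refuses indefinite-length items and deeper nesting than MAX_DEPTH: on a device with no room for dynamic allocation, accepting either from an unauthenticated radio peer is an easy way to be knocked offline.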