For years, the Internet of Things has been synonymous with a high-tech vision of the future in which almost everything is thoroughly interconnected and can exchange information. Linking the real world and the digital world should provide greater convenience, information, efficiency, and security. However, there are still some problematic areas that we urgently have to address when it comes to security.


Post by Matthias Schorer, Lead Business Development Manager, IoT, EMEA at VMware


The subject of IoT (Internet of Things) has been with us for more than 20 years. All of you have probably already heard or read something about the “intelligent refrigerator” that is always kept well-stocked by automatically re-ordering milk, cheese and meats when they’re running low. This magical self-filling pantry of sorts was supposed to demonstrate the potential of the interconnected world, but it didn’t quite work out that way. Aside from the lack of adequate food distribution channels, a lack of network coverage was also an issue for a long time. The latter has since improved and will no longer be a problem thanks to the upcoming 5G mobile network standard. Increasing digitalization of our economy and society is providing further impetus to realize a fully interconnected world.


Skepticism Among Consumers

While the potential and the promises of greater convenience, useful information, and optimized resource utilization are impressive, consumers are worried about their privacy and are afraid of hackers. In an annual consumer survey, more than half of respondents were worried about their privacy and one in three feared an attack by hackers. It thus seems nearly paradoxical that one-third of current users in the study use IoT for building and apartment security.


These fears are not entirely unfounded, since there are several problematic areas in IoT security:


Problem 1: Lack of patch management

While office computers and communication devices such as smartphones and tablets receive new updates on a regular basis that fix recently discovered security vulnerabilities, this is often neither planned nor technically possible for IoT devices.

Solution: IoT solutions need a standard patch feature to fix security vulnerabilities through software updates.


Problem 2: Lack of Quality Assurance

Security experts warn about the inadequate quality assurance of IoT devices. In the battle for market share, manufacturers are neglecting security so they can beat competitors to market. This tendency is further strengthened by short product cycles and low profit margins.

Solution: Standards for quality assurance are needed to secure the devices against hacking attacks. Additionally, bug bounty programs have proven their usefulness in product development. In these programs, security experts search specifically for software bugs and receive a reward if they find any. Even large rewards are often worthwhile for manufacturers because they save costs on recall campaigns and improve their reputation.


Problem 3: Lack of “Design for IoT”

The hardware for IoT devices has to be specially developed to be permanently connected to the Internet. This makes them potentially accessible and attractive to hackers.

Solution: IoT devices need a security architecture that uses encryption technologies for local data storage and employs a dedicated co-processor to perform encryption operations.


Problem 4: Privacy Protection

Many IoT devices collect service data and send it to the manufacturer, for example to perform maintenance before an impending defect. Such data streams must also be adequately secured because the IP address may render a person identifiable and thus, fall under the scope of the new European General Data Protection Regulation (EU GDPR).

Solution: The data connections must always be established over encrypted connections with strong authentication. While this typically requires additional effort to set up, consumers will accept that in order to protect their data.


Problem 5: The Security Concept Ends at the Customer

Even if the hardware and software supplied by the manufacturer are comprehensively secured, a poorly or entirely unsecured user interface can create a security risk. Disabled password prompts or easy-to-remember and thus easy-to-crack passwords make it easy for hackers to access IoT systems.

Solution: User interfaces must be secured to minimize the human risk factor. These include requirements for secure passwords and the use of SSL transmission.


Problem 6: Outdated Compliance Policies

Existing security policies at IoT device manufacturers are often outdated and may not cover transmitted user data. This data is on a gateway and can be viewed by IT.

Solution: Compliance policies must become part of product development, and user data may only be available on the gateway in encrypted form.


Isn’t this all just theory?

Granted, this all sounds very theoretical but unfortunately it isn’t. Hackers long ago realized their own potential in IoT solutions and exploited what vulnerabilities they could find. For example, the “Mirai botnet”: this was a network of hundreds of thousands of poorly secured and unpatched security cameras that three American students used in August 2016 in one of the then largest series of denial-of-service attacks and thereby crippled large parts of the Internet.


Fiat-Chrysler earned undesired notoriety as well. Computer experts hacked a Jeep Cherokee made for the US market remotely by exploiting several vulnerabilities in the infotainment system and promptly switched off the engine for demonstration purposes. This resulted in incalculable damage to the manufacturer’s reputation and a recall of 1.4 million vehicles.


The intelligent refrigerator mentioned at the beginning can also become a target for hackers. One model from Samsung had a nominally secure connection to the Internet, but the SSL certificate was implemented incorrectly and permitted
man-in-the-middle attacks.


Manufacturers therefore still need to ensure maximum security for their IoT solutions and to agree on standards. Users too, should be concerned about security aspects and take them into account when making purchases. After all, a chain is only as strong as the weakest link.


Learn more about IoT Security: