IoT requires new ways of thinking about security

As companies like Apple (NASDAQ: AAPL), AT&T (NYSE: T), GE, Google (NASDAQ: GOOG) and others fight for a piece – or the whole pie – of the connected home in the Internet of Things (IoT) era, companies big and small are going to need to think differently about how they secure all these "things."

AT&T Mobility CEO Glenn Lurie talked about his company's foray into the home security and automation market during his keynote at CTIA Super Mobility 2015 in Las Vegas last week. Presumably, the operator knows a thing or two about security, especially as it pertains to the home, and it will be super vigilant about what it connects in consumers' homes.  

The company is working with partners like Nest, the smart home thermostat company that Google acquired back in 2014. The Nest thermostat is one example of a lot of smarts packed into a little device, and while it's gone through its fair share of crashes, iterations and upgrades, it has the super powers of Google to help solve its problems. Others don't have that breadth and scale to tap into when things go wrong.

The problem the industry is trying to figure out is what the security paradigm is going to look like for these devices. "The very troubling thing I think we see right now is … people trying to layer more and more complexity into those systems to try to solve security and other problems or just putting too much intelligence" or computing power into the devices, said Shane Dyer, founder of a startup called Arrayent that supplies its IoT software platform to the likes of Osram Sylvania, Whirlpool and Maytag. There aren't enough IT professionals in the world to keep these devices secure when there are billions and billions of them.

The key is to understand exactly what a device is supposed to do, whether it's a garage door opener or front door lock -- things that really need to be secure -- and to make sure they're good at doing that task without adding a lot of unnecessary bells and whistles. "We're still talking about using standards-based security," with things like AES-128 -- "we're not trying to invent another security paradigm," Dyer said. But it's very much an approach toward simplicity in devices and "understanding that if we can keep the complexity in those devices low, it's going to be a lot easier to secure them" rather than subject them to a lot more layers that hackers can infiltrate.

That's easier said than done. Connected cars are an example where there's already a lot of complexity built into them, and the infamous Jeep demonstration showed just how vulnerable they are when hackers get on the case. There's a huge amount at stake and wireless operators will need to step up to the plate and prove they can guarantee levels of security. Just because an operator understands security for communications systems doesn't mean it's got it solved for the IoT world.

Last week, the FBI posted a public service announcement warning that as more IoT devices get into the hands of businesses and consumers, they increasingly become the target of malicious "cyber actors." The FBI is warning companies and the general public to be aware of IoT vulnerabilities that cyber criminals could exploit and offers tips for mitigating threats.

One of its recommendations is for consumers to be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router. That probably sounds simple and basic to a lot of industry veterans, but I suspect it's something a lot of homeowners need to be made aware of.

With predictions calling for so many connected things -- Lurie talked about connecting wheelchairs and luggage -- it's paramount that these things be secure. As the industry moves on this path toward more and more connections, everyone needs to keep in mind that adding more complexity isn't necessarily going to make these things more secure -- and in fact, could make them more vulnerable. --Monica