
The challenge of creating a resilient Internet of Things (IoT)

As we move into a future dependent on IoT technologies, the question of whether or not companies are prepared to make this fundamental shift becomes a key point of contention. This transition — dubbed the Fourth Industrial Revolution by the World Economic Forum (WEF) — is characterized by a fusion of physical, digital and biological domains. The perception of what these devices may be capable of often overshadows their present reality. The purpose of these devices is to give users access to the Internet, and ultimately simplify mundane tasks by making them automated. Unfortunately, the rapid production of numerous IoT devices in a short period of time has led to their general lack of security.

Within IoT security, a majority of challenges stem from IoT manufacturers and the cyber hygiene habits of individual users. One example is poor password protection. Manufacturers give these devices weak or easily memorable passwords so that the user can remember them during the initial setup process. However, the user is not required to change the password afterwards. This security shortfall leaves unwitting consumers in the crosshairs of password-based attacks that adversaries can use to exploit these devices.

In addition to poor password protection, IoT devices often harbor security issues within their operating system and software. The consequence of this security gap is that an adversary may find a bug or an exploit for it. Once such issues are brought to their attention, manufacturers patch them and send an email or text update to consumers. The flaw in this system lies with the consumer, as the majority fail to run the update unless ‘auto-update’ is turned on for their respective devices. Therefore, the current mechanisms in place for ensuring a resilient IoT prove grossly inadequate.

In terms of amending the present system for greater security, a few avenues are under consideration. Within the area of password management, a device can be made to take away the ‘choice’ of the user: manufacturers can force users to replace the password used during the set-up process with a more secure one once setup is complete. In addition to this simple change, manufacturers may also program devices to install key patches automatically. Given that IoT devices are based on user data, and part of that information is gathered while the device is in use, a simple modification is to force updates while devices are idle and reboot as normal when finished.
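The two changes proposed above can be sketched as device-side logic. This is an added example, not code from the original post or from any manufacturer; the `Device` class, the `admin` factory password and the 12-character minimum are assumptions made for illustration.

```python
import hashlib, hmac, os

FACTORY_PASSWORD = "admin"  # constructed sample default, not from a real product
MIN_LENGTH = 12             # assumed policy threshold

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(FACTORY_PASSWORD, self.salt)
        self.must_change_password = True  # set at the factory, cleared once
        self.firmware = "1.0"
        self.pending_patch = None
        self.busy = False                 # True while the device is in use
        self.reboots = 0

    def login(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def change_password(self, old, new):
        if not self.login(old):
            return "denied"
        # Refuse the factory default, a no-op change, and short passwords.
        if new in (FACTORY_PASSWORD, old) or len(new) < MIN_LENGTH:
            return "rejected"
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change_password = False
        return "ok"

    def use(self, password):
        # Normal operation stays locked until the setup password is replaced.
        if not self.login(password):
            return "denied"
        return "change password first" if self.must_change_password else "ok"

    def stage_patch(self, version):
        self.pending_patch = version      # patch downloaded, not yet installed

    def tick(self):
        # Called periodically: install only while idle, then reboot as normal.
        if self.pending_patch is None:
            return "nothing to do"
        if self.busy:
            return "deferred"
        self.firmware, self.pending_patch = self.pending_patch, None
        self.reboots += 1
        return "updated"
```

The user never gets a "skip" path: the factory password only unlocks `change_password`, and a staged patch installs on the first idle `tick` without asking.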

These two examples highlight only a small portion of the issues surrounding IoT security. There is no one correct way to make IoT devices more resilient, but securing the most at-risk areas offers a promising starting point. Given that these devices have evolved and become more common in our everyday lives, it is increasingly important to steer the conversation towards creating a resilient IoT. This is because relying on software with a weak security base will only hurt institutions and individuals alike as we all become more dependent on technology.
