It is not going to change quickly, however, even with something like the IoT Trust Framework available. Replacing or boosting security in even the majority of the billions of devices now in use simply will not happen.
As Chester Wisniewski, principal research scientist at Sophos, put it, the framework would “rectify most common issues with IoT devices, were it to be followed.
“I also want a pony,” he said, “and neither is likely to happen anytime soon. It’s very difficult to make a $12 smart egg tray if you have to spend $500,000 on engineering to follow the checklist.”
Spiezle acknowledged that while some companies have embraced the OTA framework, “others have said the added cost of 11 cents is prohibitive, and others say encryption will impact their battery life. Unfortunately we have yet to see leadership from any of the companies or platforms to embrace these or other security fundamentals.”
Mike Lynch, chief strategy officer at inAuth, sees similar problems. He noted first what other experts have been saying for years – that product designers and manufacturers are not necessarily security experts.
Second, “in the eyes of many organizations, building in security protocols is an unnecessary expense that eats into margins,” he said. “Both factors combine to create conditions where security is relegated to afterthought status.”
Finally, “many consumers of these IoT devices are not tech savvy, and asking them to patch firmware may be beyond their technical capabilities or desires,” he said.
Still, experts say there are constructive ways to start reducing IoT security risks.
Spiezle said the OTA believes the risks are great enough that vulnerable devices may have to be taken offline, somewhat like what the airlines have done with the Samsung Galaxy Note 7 phones due to the risk of fire.
“Second, we are calling for all retailers – Target, Best Buy, Costco, Amazon and others – to review the devices they are selling and to pull products that are either not secure out of the box or not patchable over their lifecycle off their shelves.”
While he did not call for specific government regulation, he said government could help consumers by providing “an advisory for products that do not meet minimal standards.”