
Secure home IoT needs an industry and supply chain wide approach

Whether it shows up as a DDoS botnet, the theft of compute resources to farm cryptocurrency or a covert invasion of its owner’s privacy, IoT security is the source of a range of problems for users, enterprises and IT teams alike, writes Tom Klein, Senior Director of IoT Business Development, DigiCert.

Yet its popularity persists. The IoT is empowering transformative use cases in cities, industries and consumers’ homes and its growth seems unstoppable. In fact, McKinsey estimates that 127 new devices are connected to the internet every second of the day.

Yet those devices are also filled with basic security problems such as hardcoded passwords, insecure components and firmware that can’t update. That could be the reason why in 2021, Kaspersky recorded breaches on 1.5 billion IoT devices. Furthermore, implementing proper security in the IoT supply chain is critical to ensuring digital trust, or that end users have the confidence to use devices securely.

Given the common weaknesses, the explosion of IoT popularity is an increasingly risky proposition. Those incredible capabilities that IoT devices might bring could similarly bring serious risks.

The IoT supply chain

Wherever these weaknesses first emerge, the problem lies within the long and inconsistent supply chain that IoT devices travel from design to eventual release. Along the way, they’re faced with designs that don’t consider security, insecure components, manufacturers who don’t understand cyber threats and consumers who have no way to tell the difference between a secure and insecure device.

One of the big problems of this situation is that even if most producers within that supply chain act securely, another part of the ecosystem can introduce fatal flaws. One device can be built and designed with secure components, but it may still be shipped with a default password – providing an easy way for attackers to exploit the device.

Similarly, there are few mechanisms to govern that supply chain in its entirety. While there are many IoT standards that can be used, few are authoritative enough to govern the entire supply chain or industry. That may be what is required to both seize the possibilities of the IoT and protect against the threats that often emanate from it.


A standard for smart homes

One area of IoT – smart homes – may be getting one. Matter is a new standard from the Connectivity Standards Alliance (CSA) which confronts the enduring problems for smart home devices – interoperability and security.

A smart home is meant to be a seamless environment in which a variety of household functions such as connected locks, lighting, cameras, or air conditioning, can be connected and centrally controlled. However, smart home devices are often siloed between vendors, meaning that devices cannot speak to one another or work together.

From that problem, a collection of tech giants and industry bodies have banded together to design Matter – which they describe as ‘an industry-unifying standard to deliver reliable, seamless and secure connectivity.’

Matter is essentially a single Internet Protocol based standard – or language – in which certified devices will be able to ‘speak’ to one another and interoperate seamlessly.

Inherent to this standard are significant demands about the security of certified devices. Matter provides a layered approach to security – one which will ensure the privacy, integrity and availability of every transaction that a certified device is involved in. Those provisions are also self-contained, meaning that Matter will never have to rely on the security of underlying technologies like Wi-Fi.

Certification demands that IoT devices be crypto-agile. The threat landscape keeps escalating, so the standard of protection needs to be flexible and able to evolve. Matter is not a one-and-done, but an ongoing effort to make home automation viable and secure long into the future. Countries continue to produce new regulatory standards and consumer protections on a global scope.

Securing the links in the chain

The Matter standard is explicitly centred around Public Key Infrastructure (PKI). This is important because it allows manufacturers to endow each device with a unique identity. Manufacturers will embed a certificate into a device during the manufacturing process. Then, as that device travels the IoT supply chain, its identity can be verified as a secure Matter-certified device at every link on that chain.
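The factory-provisioning and later-verification steps described above, as an added sketch using the `openssl` CLI (not code from the article or from the Matter specification, and not Matter's actual certificate profile). The CA names, device names and temporary paths are invented for illustration.

```bash
#!/usr/bin/env bash
# Constructed example: CA names, device IDs and paths are invented for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# make_ca NAME: self-signed root standing in for a manufacturer's issuing CA.
make_ca() {
  new_key "$WORK/$1.key"
  openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/$1.key" -sha256 \
    -days 3650 -subj "/O=Example Maker/CN=$1" -out "$WORK/$1.pem"
}

# issue_device CA FILE CN: factory step, a fresh key pair and certificate per unit.
issue_device() {
  new_key "$WORK/$2.key"
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/$2.key" \
    -subj "/O=Example Maker/CN=$3" -out "$WORK/$2.csr"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -sha256 -days 365 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_device CA FILE: the check a later link in the chain runs with only the root cert.
verify_device() { openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; }

fingerprint() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256; }

make_ca factory-root
make_ca rogue-root
issue_device factory-root unit-0001 lock-0001
issue_device factory-root unit-0002 lock-0002
issue_device rogue-root clone-0001 lock-0001   # counterfeit reusing a real device name

for d in unit-0001 unit-0002 clone-0001; do
  if verify_device factory-root "$d"; then echo "$d: trusted"; else echo "$d: REJECTED"; fi
done
```

A certificate is public data, so a real verifier also has the device sign a fresh challenge with its private key; this sketch covers only the issuer check.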

One of the key assets that Matter has over other standards is its supporters. The standard is a collaboration between Amazon, Google, Apple and the CSA membership – all of whom hold a huge sway over the broader IoT supply chain. Whether it’s through producing their own hugely popular IoT assistants or being some of the biggest vendors of IoT devices in the world, this collection of innovators may be able to lead the broader supply chain to create more secure IoT devices.

Only when devices have met these Matter security and communications standards can they be certified to interact with other devices, and thus interoperate seamlessly with the leading home automation product manufacturers.

Matter will also be an important marker of quality when consumers are shopping for smart home IoT devices. In many cases, they have no way of understanding the security levels of one device over another. Matter devices will be labelled, empowering consumers to make choices about IoT security and, in turn, creating market incentives to manufacture secure devices.

The road to widespread IoT security will be long, but it still has to be travelled if we want to seize the opportunities that the IoT presents to us. That journey can be accelerated with industry and supply chain wide approaches that account for the various stages of development which devices undergo. The arrival of Matter is a good beginning but there is still more work to do to ensure digital trust in the IoT supply chain.
