The Race for a Universal IoT Security Standard

February 1, 2017

On October 21, 2016, the DNS provider Dyn experienced the biggest distributed denial of service (DDoS) attack in history. Although it was short-lived, it caused an outage for many of the sites and services dependent on Dyn, including Twitter, Netflix and Reddit.

This DDoS was caused by malware running on insecure devices, with most of the attack traffic coming from DVRs and webcams produced by a low-cost manufacturer. Devices with generic root passwords hard-coded into their firmware are enough to give any security engineer nightmares. Attackers were able to use that generic password to commandeer 500,000 devices around the globe, which is what made this particular DDoS so devastating.

Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. So how do we avoid another, possibly worse, IoT catastrophe in the future?

The Search for a Universal IoT Security Standard

Some voices have called for government regulation of IoT devices, although it seems impossible to police manufacturers based in other countries such as China. What about personal responsibility? In practice, consumers may have dozens of IoT devices in their homes, while businesses may have thousands or even millions. Even the most responsible users don’t have the skills or resources to personally verify each device on their network.

So it seems the responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The standard needs to address certain requirements such as:

  • Privacy-first — The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encrypting and safely handling this data is the top priority.
  • User-focused and configurable — Users should be able to manage security in ways that suit them, especially as IoT devices will be used as part of a larger interoperable network. Configuration needs to be easy, without exposing users to additional risk.
  • Easy updates — Out-of-date software is a huge vulnerability, so how will users manage a network with thousands of devices? The management of updates should be a part of any security standard.

The Groups Working on a Security Standard

Several organizations are competing to produce the industry standard for IoT security right now.

The biggest is the AllJoyn Protocol, promoted by Microsoft, Sony and Qualcomm, and managed by the Linux Foundation. This protocol is designed specifically for devices communicating over Wi-Fi and has built an early lead in the market. Its rival is Intel’s Open Interconnect Consortium, which has agreements with DLNA and the UPnP Forum. Its IoTivity protocol seems to be a direct challenge to AllJoyn.

Meanwhile, plenty of people are talking about the Thread Group, which has the backing of Google’s consumer IoT product, Nest, plus the support of companies like Samsung and processor manufacturer ARM. The Thread Group’s standard uses IPv6 and is specifically designed to be low-energy. Thread-compatible devices are expected to come to market early next year.

Other groups are working on their own standards, or trying to merge existing ones. With a huge commercial advantage for whoever creates the winning standard, it’s hard to predict right now which one will win out.