Information Security 9 min read

IoT Security Issues and Obstacles

The article examines why security is essential for the Internet of Things, outlines common vulnerabilities such as default credentials and unencrypted communications, and explains the economic, technical, and lifecycle barriers that hinder timely software updates and comprehensive protection.

Architects Research Society

As we saw in “IoT security – why we need to protect the Internet of Things,” security is an absolutely critical component of any IoT system. Without proper security, vulnerable devices can threaten the privacy and safety of consumers, enterprises, and governments. Why are IoT security problems so widespread? How can consumers, enterprises, and governments address these issues?

IoT is powerful because it uses various sensor networks to generate massive amounts of data, then uses that data to perform actions and create valuable insights. Because IoT requires mass‑produced sensors and devices, a vulnerability discovered in one sensor/device can affect thousands or millions of sensors/devices.

So you might wonder why these sensors/devices are initially vulnerable. As discussed in the previous article “Future Botnets,” a large part of the problem is default passwords and login credentials that are never changed on the devices.

To build a sensor or device for an IoT application, multiple companies participate in the supply chain. If you are building a router, you might start with chip manufacturers such as Broadcom, Qualcomm, or Marvell.

The specialized chip is purchased by the original device manufacturer (ODM), which then builds the rest of the router around the chip. Finally, a brand‑name company buys the device, adds a user interface and other features, puts it in a box, and sells it to consumers.

Original suppliers use default passwords and login credentials so that the next party in the chain can easily start up the device. The problem is that the next party usually does not change these defaults, leaving them in the hands of consumers.
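One way the last party in the chain can catch defaults it inherited is a release gate that compares the account table in a firmware image against the defaults each upstream stage is known to use. This is an added example, not code from the article; the account-table layout, stage names, credentials and helper names are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample: default logins each upstream party is assumed to leave
# enabled so the next party can bring the device up (hypothetical values).
UPSTREAM_DEFAULTS = {
    "chip-vendor SDK": [("root", "root")],
    "ODM reference build": [("admin", "admin"), ("support", "support")],
}

def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2 hash, standing in for whatever format the firmware stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()

def make_account(user: str, password: str, salt_hex: str) -> dict:
    """Build one record of the (hypothetical) account table baked into an image."""
    return {"user": user, "salt": salt_hex,
            "hash": hash_password(password, bytes.fromhex(salt_hex))}

def inherited_defaults(accounts, upstream=UPSTREAM_DEFAULTS):
    """Return (user, stage) for every account still using an upstream default."""
    findings = []
    for acct in accounts:
        salt = bytes.fromhex(acct["salt"])
        for stage, creds in upstream.items():
            for user, password in creds:
                # Re-hash the known default with this account's salt and compare.
                if user == acct["user"] and hmac.compare_digest(
                        hash_password(password, salt), acct["hash"]):
                    findings.append((acct["user"], stage))
    return findings

def release_gate(accounts):
    """Pass only if no account carries a default from earlier in the chain."""
    findings = inherited_defaults(accounts)
    return (len(findings) == 0, findings)

# Constructed images: one shipped as received from the ODM, one re-provisioned.
IMAGE_AS_RECEIVED = [make_account("root", "root", "a1b2c3d4"),
                     make_account("admin", "admin", "0f1e2d3c")]
IMAGE_REPROVISIONED = [make_account("admin", "k7#Vq2!mZp9x", "5a6b7c8d")]

if __name__ == "__main__":
    for name, image in [("as received", IMAGE_AS_RECEIVED),
                        ("re-provisioned", IMAGE_REPROVISIONED)]:
        ok, findings = release_gate(image)
        print(name, "PASS" if ok else f"FAIL {findings}")
```

Because the findings name the stage each default came from, a failed gate also shows which supplier's bring-up credentials were passed along unchanged.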

Although this seems obvious, another issue is that many companies building these sensors or devices are new to IoT. Because they have just entered the IoT market, they are unfamiliar with security and often do not make it a priority. After all, integrating security is more expensive and may lengthen time‑to‑market.

Consequently, data sent by these sensors/devices may not be encrypted during transmission, allowing third parties to intercept and understand it. Moreover, new IoT companies place sensors/devices on networks (e.g., home networks) without isolating them from each other, so a compromised device can give an attacker access to the entire network and all other devices.

Barriers to Change

We are all familiar with software updates for laptops, tablets, phones, etc. Why don’t we receive them for vulnerable IoT devices? First, someone has to create and distribute these updates, but the incentives for companies are very different.

Chip manufacturers have thin margins on their chips, so they are motivated to do as little engineering as possible and have little reason to provide ongoing support. Instead, they focus on developing and shipping the next generation of chips.

ODMs, whose names do not appear on the final product, are similarly motivated to minimize engineering effort and have little incentive to provide continuous support. They are busy upgrading to ensure compatibility with the next chip version.

The final step – the consumer‑facing brand – has a stronger motivation to provide ongoing support because it bears the product name, but it may be unable to address newly discovered vulnerabilities that originate earlier in the supply chain. The barrier is a lack of incentive at every step to take IoT security seriously and to provide continuous support and updates for older products.

However, not all responsibility can be placed on companies. Physical constraints also limit the ability to deliver necessary updates.

IoT devices typically rely on low‑power, low‑memory sensors and actuators. Processing power and storage are expensive and consume more energy, so IoT applications use just enough capability to perform their tasks. Because of limited processing and memory, many sensors/devices cannot perform over‑the‑air (OTA) updates.

OTA updates also require a network connection. Many IoT applications have intermittent or unreliable connectivity, which further constrains software updates.

Even when updates are possible, other reasons may prevent them from being pushed. Shutting down a computer for 15 minutes to install an update is one thing; shutting down a nuclear reactor’s safety system for 15 minutes is another. For life‑critical IoT applications, a few minutes or seconds of downtime may be unacceptable.

For non‑critical IoT applications, you might not want to push updates because they consume a lot of energy. Many IoT devices are battery‑powered, and frequent updates would significantly reduce their expected lifespan.
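The constraints above (memory, connectivity, acceptable downtime, battery) can be checked per device before an update is scheduled. The following fleet-side planner is an added example, not part of the article; the device fields, thresholds, energy-per-kilobyte figure and sample fleet are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    device_id: str
    free_flash_kb: int            # space available to stage a new image
    battery_mwh: Optional[float]  # remaining energy; None = mains powered
    link_kbps: float              # nominal link rate, kilobits per second
    link_uptime: float            # fraction of time the link is usable
    max_downtime_s: int           # tolerable outage; 0 for life-critical

def ota_blockers(dev, image_kb, install_s, mwh_per_kb=0.02,
                 battery_budget=0.05, max_transfer_s=3600):
    """List the reasons (if any) this device cannot take the update now."""
    blockers = []
    if image_kb > dev.free_flash_kb:
        blockers.append("flash")
    # Effective throughput is the nominal rate scaled by link availability.
    effective_kbps = dev.link_kbps * dev.link_uptime
    if effective_kbps <= 0 or image_kb * 8 / effective_kbps > max_transfer_s:
        blockers.append("connectivity")
    if install_s > dev.max_downtime_s:
        blockers.append("downtime")
    # Cap the energy one update may take from a battery-powered device.
    if dev.battery_mwh is not None and \
            image_kb * mwh_per_kb > battery_budget * dev.battery_mwh:
        blockers.append("battery")
    return blockers

def plan_rollout(fleet, image_kb, install_s):
    """Map each device id to its blockers; an empty list means eligible."""
    return {d.device_id: ota_blockers(d, image_kb, install_s) for d in fleet}

# Constructed fleet covering the cases discussed in the text.
FLEET = [
    Device("gateway-01", 4096, None, 2000, 0.99, 300),
    Device("soil-sensor-17", 256, 150.0, 5, 0.2, 600),
    Device("safety-ctrl-02", 2048, None, 1000, 0.999, 0),
]

if __name__ == "__main__":
    for dev_id, why in plan_rollout(FLEET, image_kb=512, install_s=90).items():
        print(dev_id, "eligible" if not why else "blocked: " + ", ".join(why))
```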

Another barrier is the long product lifecycle of IoT devices. While laptops or smartphones are expected to last 3‑5 years, IoT sensors and devices may need to operate for 15‑20 years. Creating a product that remains secure for such a long period is essentially impossible, so it requires continuous support and frequent updates, which are costly and face the aforementioned obstacles.

So how should consumers, enterprises, and governments deal with IoT security issues?
