IoT Security as Externality: Cluelessness, Denial, and more

Not my problem.

That’s the 3-word definition of an externality: something that you don’t need to deal with, because the adverse consequences are not affecting you directly. This has been an issue for cybersecurity forever (Schneier, 2007), and it is widely known that the issue is particularly pressing with IoT (Schneier again, 2016).

I have been writing material on IoT device security as my day job for a few months now. But I also speak at conferences, where the public is more general: if there are device vendors in the room, I am not sure of what they think about this, so I mention the issue.

After doing so a few times, I got convinced that this “Externality of IoT Security” is rapidly becoming THE issue around IoT, and possibly the entire internet. We are deploying devices today that do not include any kind of security, because nobody cares.

We don’t care for a variety of reasons.

Some of us are clueless:

  • Some vendors. Some vendors, initially many of them, have no idea that security could be a problem. Typically, this occurs with vendors of gadgets and other devices that don’t seem to be related to security in any way. Today, such cluelessness should become uncommon, as IoT-based attacks make headlines.
  • Most users. That’s one of the scariest aspects of this. If a hacker ensures that pwned devices keep working normally most of the time, the end users will most likely not even notice a problem. Most IoT devices are unattended; if they work normally, there is no reason to worry.

Some of us are helpless:

  • Merchants. Most devices are sold by some local/online store. Don’t expect these guys to provide much help, though. I tried to ask a few questions, and the best answer I got was a pointer to the vendor’s product support page (which said nothing about security, of course).
  • Some users. Some users may worry about security, but their actions are quite limited, unless they have some understanding of security and computing.

Some of us optimize profits:

  • Builders. The device builder is often some unknown company in China or elsewhere, which builds a device and sells it to vendors that will integrate it in their offer. At best, these guys follow the spec provided to them: they are low-cost companies, they cannot afford to work otherwise.
  • Some vendors. The device vendor is the company with the brand name. They may care about security because of potential liability and bad publicity, but in most cases, this remains a bad economic calculation. Adding security will cost them more than not, so they don’t.
  • Users. When making buying decisions, many users (including businesses and governments) will not include security as one of the important criteria, often favoring price. That of course pushes builders and vendors to ignore security.

Of course, not everybody thinks like that. Some companies include security in their priorities, or at least understand that security should be one of their priorities. This is a step forward, but they can still be a long way from secure products, because of two very common attitudes.

Some of us are in denial:

  • Vendors. Denial is often visible when an attack occurs. This may of course be part of a communication strategy, but there are two strong indicators of denial. If the communication uses “highly sophisticated” to describe the attack, or “highly unlikely” to describe its exploits, then denial is likely. It is dangerous, because the vendor may then decide to minimize the impact of its actions, whereas in reality, most attacks we se today are rather simple, and most exploits are not implemented because “bad” business models remain unclear. For instance, insulin pump vendors have been in denial. Wirelessly controlled pumps can be hacked and could be used to kill people; this is not used today, most likely because this is not a tool that they are used to (although it has many advantages), but that can change any day.
  • Users. Denial is obvious for many users, who know that there is a risk and will nevertheless not take any action. An example from outside of IoT is our behavior towards passwords, which are often much weaker than what our knowledge of security issues would mandate.

Some of us lack expertise (or don’t apply it appropriately):

  • Vendors. Some systems include security measures, together with poor design or implementation. The Jeep attacks became legendary, some attacks on Philips Hue bulbs have been quite sophisticated but generated more buzz. In both cases, security measures were present (firmware update, authentication, usage restrictions and more), but their implementation was not sufficiently secure.This could be a lack of expertise, a lack of judgment, or a combination. In the end, the result is the same: they got hacked.

Denial and lack of expertise are different, of course. In these cases, security is not strictly considered as an externality. However, these attitudes also show an underestimation of their liability level, meaning that IoT security is not sufficiently considered as being their responsibility, and too much considered as an externality.

Today, poor evaluations of responsibility levels are the main blocking point for IoT security.

As long as most people and companies consider IoT security as somebody else’s problem or underestimate their required contribution, we will not see any significant progress. This is why externality is THE issue to be addressed today.

And this is no small issue. It is very easy and tempting to establish a parallel between IoT security and climate change. Climate change is an externality, and many powerful people are trying to address it. Yet, even with international treaties, it largely remains an externality for most actors.

IoT is not on the same scale in terms of life-threatening impact, but it is facing the same issue with similar actors. Global solutions are not going to come easy.

2 Comments

  • Tiana R. wrote:

    I was about to write tons of things but actually, the following three lines, from schneir’s blog, that you referenced at the very beginning of your article, summarizes my thoughts:

    “Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem.”

    Some people spend time to create needs and wants, and competitiveness creates a kind of race that is getting uncontrollable, and more particularly with “gadgets”.

    As the final end user has so many choices, almost anyone can come and propose a service that probably already exist, yet, it does not matter because people like to have “the choice”.

    In my opinion, the best solution (but not my favorite one) would be a natural self-regulation of the market, namely, few big actors/companies must take the lead and stop this frenetic race to “the-most-connected-device”.

    The only analogy I have in mind right now is the law of jungle where natural predatorS (I insist with the “S”) must control some different territories.

    I don’t think that government and laws can be a solution as some people suggest, unless those laws are applied to the whole world instead of only few small countries.

  • I agree with you on the importance of economics in that area, but like Schneier and others, I am afraid that the market will not spontaneously regulate itself.

    There is a very strong incentive in IT markets to get a product out before the others to grab a dominant position as fast as possible, and no incentive to slow down and design a secure offer.

    So, including security in a connected product today is a strategic mistake and a waste of money. Time to market is so much more important.

    Customers don’t really care either, and I don’t see cloud vendors or MNOs saying things like “you’re out of my cloud/network if you system isn’t secure”.

    So, I am not a fan of regulation, but there is no credible alternative today, and the time is counted. When some hackers takes down a big chunk of internet or kills a few persons, then regulation will step in hard in panic mode, and that doesn’t sound good.

Leave a Reply

Your email is never shared.Required fields are marked *