Making the Internet of Things More Secure

Watch the 4.5-minute video here or on YouTube, or read the transcript below:

Transcript

dotmagazine: What is the overall security situation with the Internet of Things?

Klaus J. Müller: I’d say, overall, it is actually a mess. There are surely examples of companies and products that do have security in mind and also manage to produce secure products in the IoT area. But overall, it’s very bad, I think, because – especially in IoT – you see many companies that have little experience in producing IT. 

They are used to using IT as a consumer, they are using IT – but entering the field of IoT, they start to be a producer, and they manufacture IT-integrated devices. So they are producing computers, and they have very little experience in that, and they underestimate the challenges that they are facing with that.

dot: How can unsecured IoT devices be made more secure by the user?

Müller: The user should try to use all of the features that the manufacturer gives him to secure his device. Which means taking seriously things like passwords – do choose a proper password, not so much just changing passwords, but particularly choose a proper password (not just 1234, or something like that); install updates, in case this does not happen automatically. So everything that the manufacturer does not do for you or has taken away from you, try to use that.

dot: How can IoT devices be designed to have a higher level of security from the outset?

Müller: The manufacturers should try to do as many of the things that are needed to operate the device securely automatically. Which means: updates, patch management, updates via secure means, maybe operating a device so that the user does not have the ability to choose a bad password. So yes, try to use it to operate securely, but maybe it works without giving the user the chance to show that waschoose a bad password. So maybe take away decisions that the user might have a bad decision on, and make sure that it operates securely anyway. And also try to make visible that the device is secure, so that the product that you produce differentiates from products from other vendors that don’t see security as important.

If you look at modern smartphones: At least you’re being bugged by the smartphone telling you “you should install this update” – that’s the least. Even better would be if an update is installed automatically. Now, this can be argued about – whether it’s a good or a bad idea. But, I think that’s a very good approach to have updates installed. But at least provide a means of having a very easy install, so that there is nothing much that a user would need to do. Or give the user a timeframe, say, “OK, within those two weeks you would need to install that. If you don’t, we’ll just install it without asking you”. So that there is little chance that the user will not install the update.

So there are several areas where the vendor can take away decisions from the user, because he might make a bad decision – he’s not aware of the problem. 
 

19 years ago, Klaus J. Müller started to focus on securing classic IT infrastructures. Ever since he has been working on it network and system security, analysis and optimization of network infrastructures and system hardening. The experience in this field proved valuable when securing IT as part of a product: in the Internet of things. Realizing that the mistakes that were made in the past 30 years are not being used to prevent history from repeating bugs him tremendously.

As a qualified electronics technician, additionally holding a degree in electrical engineering, he knows and understands both worlds. He tries to prevent worse things from happening by working in open source projects, giving talks, and writing technical articles.