The Challenge of Software Updates for Vulnerable IoT Devices

The Internet of Things (IoT) is emerging in every aspect of our lives, from home automation and factory automation to smart cities and public spaces. In an IoT network, the devices are continually sharing data, processing publish-subscribe sensor data, running co-dependent tasks, and optimizing solutions over the cloud. Like other data-sharing networks, the Internet of Things is susceptible to identity theft, security breaches, and infiltration.

The security of an IoT network is only as good as the security features of its individual edge devices, i.e., the weakest link. If one device is compromised, all other devices on the network and the central system can be compromised. Since IoT requires mass installation of data collection sensors, a vulnerability in one device can impact thousands of devices and ultimately your organization’s data. Numerous OEMs are involved in the production and supply chain of IoT devices and sensors. The vendors ship the devices with a default login and password. Subsequent production batches also come with the same default login and password. After an IoT implementation, for home or work, the default login and password are never changed. These and other loopholes make IoT devices highly vulnerable to malicious attacks.

Many OEMs involved in the production of IoT devices lack deep expertise in the security of embedded devices, firmware, standards and protocols. Even more disturbing is that, from a profit maximization perspective, it often doesn’t make sense for IoT device and component manufacturers to make the necessary investment in securing their edge devices. Consequently, security is not made a priority. Such devices are susceptible to decryption and interception attacks by hackers.

Software updates keep new bugs, issues and security threats in check. The involvement of multiple companies at various production steps causes a misalignment of incentives in providing software updates for IoT devices. Apart from that, most IoT devices have low processing power and a small memory, just enough to perform their allocated tasks. IoT devices aren’t sophisticated enough to feature proper security standards and to deliver software updates via the Internet. Many IoT devices are too critical to stop operating for software updates. Even if an IoT device is sophisticated enough to accommodate software updates and can afford to shut down for such updates, the intensive energy consumption will decrease its life span. These are real-world conundrums faced by the industry and IoT device manufacturers.

IoT devices are built to last 15-20 years. The long lifecycle of IoT products makes it impossible to design a product that remains invulnerable over such a long span of time. Frequent software and security updates and ongoing customer support are expensive, yet what are the practical solutions to this problem plaguing the IoT industry? Post your comments below.