Featured Product
This Week in Quality Digest Live
Innovation Features
NIST
New imaging technique reveals how mechanical damage begins at the molecular scale
Theodoros Evgeniou
To leverage AI’s transformational potential, remember that people will determine its context
Michael Fagan
NIST identifies challenges facing device manufacturers
David Moser
A story of customer-centric design
Steven Brand
You never know where the next great idea may come from

More Features

Innovation News
Leader in workplace productivity introduces document automation product
Help drive team productivity with customizable preprinted templates
Stereotactic robot helps identify target and deliver electrodes to target with submillimetric accuracy
Examine nine ways to help understand context, diffuse politics, heal relationships, and find the right work at the right time
Inkbit is overcoming traditional constraints to 3D printing by giving its machines ‘eyes and brains’
Deep Reality Viewer creates stereo, high-definition 3D images without using a monitor
Wing’s shape shifts automatically for aerodynamic loads (e.g., takeoff, landing, cruising)
Process concerns technology feasibility, commercial potential, and transition to marketplace
Identifying the 252 needs for workforce development to meet our future is a complex, wicked, and urgent problem

More News

Michael Fagan

Innovation

Growing the IoT Into a Safe and Responsible Member of Your Household

NIST identifies challenges facing device manufacturers

Published: Wednesday, November 6, 2019 - 12:02

Technology is supposed to help us, but sometimes it feels like for every step forward, we take two steps back. Like many people (and despite my resistance), my family has accumulated a few internet of things (IoT) devices in our home. Our motivation for acquiring them has been to streamline our lives.

For instance, when we needed to be able to play our newborn son’s music anywhere in the house, a Bluetooth speaker seemed a natural fit—and it was. Inspired, we adopted a “voice assistant” for the kitchen to put all the information and entertainment of the internet at our fingertips while we prepared meals. This works great most of the time. The rest of the time, the voice assistant (who shall remain nameless) just ignores me! And if my wife tries, good luck. She’s ignored more often than not; at least that’s how it seems.

Issues with functionality aside, I was resistant to the haphazard introduction of IoT devices into our home for other reasons. Because I have worked closely with computers and technology for my whole career, the fact that these devices are computers is not lost on me. I also realize the many implications of putting an internet-connected, microphone-equipped computer on my kitchen counter. (Will a live feed from my house wind up on a sketchy website?)

Thinking about how to secure these devices can lead to some interesting situations. We all know we should have strong passwords, but can you even put a password on a voice assistant that can read my emails to me (or anyone else in my home)? I can see all kinds of information about my house, but who else has access to my location and other data? What kind of encryption do these things use to protect my data?

Maybe the better question is, how much of my data, if any, are stored on the device or up in the cloud, where who can access it and what can be accessed is unclear? I can use a smart refrigerator to check if we need milk while I am on my way home from work, but does that mean someone could hack my fridge? How about my doorbell camera? As IoT grows in popularity, it’s likely that (despite my resistance) the number of “smart” things in my home will skyrocket, leaving me with many devices that will interact with me and each other in very complex ways. How will I manage the security of so many devices?

These kinds of challenges drive the work I do at the National Institute of Standards and Technology (NIST) in our Cybersecurity for IoT program. Our first publication, NISTIR 8228, focused on the many ways the limitations and new uses of IoT devices may affect the ways users (in the case of 8228, we mostly talk about big organizational users) protect their networks from attack and threats. Like the earlier examples, some IoT devices may simply not have the ability to perform some security or privacy actions. If a device’s software needs to be updated, and that device doesn’t notify you or provide a method for you to update it, well, then that device cannot be updated. It seems obvious when you say it that way, but when you’re buying a new coffee maker, the fact that it might need a software update one day may not pop into your head.

On top of that, the list of gaps in how security and privacy are achieved, and what is supported in devices, may grow long, especially if devices are incorporated before such gaps are considered. NISTIR 8228 draws attention to many of these gaps to help these big organizations think through the challenges of using IoT devices while still using standard security and privacy protections.


Here I am with a number of IoT devices for the home, including a smart hub, a smart doorbell, and a smart light bulb. Credit: Mark Esser/NIST

As we have worked through these aspects of IoT, we also learned that the creators of these devices could use guidance to help them incorporate more security features. This led to our most recent publication, NISTIR 8259, which is currently available as a draft. This time around, we outlined how manufacturers can identify and implement security features in their devices, as well as some considerations for communicating with their customers about the cybersecurity features in their devices. With this approach, we hope that at least some of the challenges identified in NISTIR 8228 can be alleviated, given that the IoT will begin to support the current ways we protect networks.

Beyond those, if manufacturers take these security considerations even further, our hope is that even “more” security ends up being built in and delivered in a way that customers can easily make use of, since even the best security feature may be ignored if it’s a pain to use.

To understand the current state of security in some home IoT products, our team worked at the National Cybersecurity Center of Excellence to do a pilot study on the security of a sampling of small IoT devices marketed and intended to be used in homes, such as light bulbs, outlets, and security lights. Our lab plugged the devices in, hooked them up, and with an eye for good security practice, watched how the devices connected and communicated.

We found that many of the devices support features discussed in NISTIR 8259, but in some cases, there were improvements that the makers of these kinds of products could consider adopting, such as having strong requirements for passwords, as suggested by NIST.

More details about this study and its resulting considerations can be found in the recent draft publication NISTIR 8267, for which we are currently gathering comments. Please note this document is intended for a more technical audience.

We have more work on the way, too, that will continue to help guide all interested parties through these challenges, so maybe I should be more optimistic about the devices I bring into my home. My aversion may be more related to being stuck in my ways more than anything else (I still use a desktop PC, after all), and it is hard to argue with the benefits these devices bring when everything is running smoothly. We shouldn’t let fear of the unknown stop such great gains, and so NIST is helping to light the way to an IoT that can be adopted quickly and securely.

First published Oct. 17, 2019, on NIST’s Taking Measure blog.

Discuss

About The Author

Michael Fagan’s picture

Michael Fagan

Michael Fagan is a computer scientist working with NIST’s Cybersecurity for IoT Program, which aims to develop guidance toward improving the cybersecurity of IoT devices and systems.