BROADBAND WORLD FORUM 2018, BERLIN: Growth in the IoT market is paving the way for new types of security risk, with no single approach likely to be able to address all of the issues, executives here said.

While IoT is seen by operators and manufacturers as a way of creating new growth, connecting homes and transforming industries, this will bring with it the need for different approaches to security. And the proliferation of low-cost IoT devices in the home connected to high-speed networks means consumers are in a critical position.

Asher Besserglick, VP of R&D for SAM Seamless Network (pictured, second right), said: “The problem is moving from the enterprise space to the home space, and the same things we see in the enterprise that need a lot of resources to handle are moving to the home where we don’t have the amount of resources to handle the same thing.”

But he was also quick to defend the consumer: “At the end of the day, customers don’t really care about networking and security, they don’t have the knowledge, they don’t have the time, they don’t have the financial resources to take care of that. The solution needs to come from somewhere else, and it’s not their fault that they’ve bought a $2 piece of equipment on eBay, because that’s the way the world is going,” he said.

Marcio Avillez, SVP of business development at Cujo AI (pictured, third right), noted consumers may not be the only innocent victims: “The poor operator, who has the average Joe as his customer, is at the mercy of the devices brought into the home. And it’s none of their fault either. I think there is an opportunity to do something there and you have to have a technology that takes advantage of the one point of control in the home, which is the router,” he said.

Tech safety
While the router was identified as a critical tool in the security battle because traffic can be analysed at that point before being passed into the operator network, 5G will also have an impact in this regard.

Mikko Hypponen, chief research officer for F-Secure (pictured, third left) picked up on this: “One clear change 5G will bring in the security sphere is that there will be more and more IoT devices going straight to the network with 5G, rather than using Wi-Fi. And this means you can’t secure them in the same way that you do today: most IoT security solutions being provided by IoT vendors today rely on analysing the network traffic at the Wi-Fi level.”

This also means device-level security will be an important part of the chain, in particular making sure devices are properly updated and protected: “It’s rare to find a fully-patched, up-to-date system being part of a botnet. It’s always outdated machines, outdated computers, and increasingly outdated IoT devices. And we’ve located more than 40 families of botnets which don’t affect computers at all, only IoT devices,” Hypponen said.

But Besserglick warned IoT devices are “zombies from the day they reach the network”, because “nobody is going to patch a $2 device. So any solution that comes into play has to take that into account.” Continuing the theme, Avillez said: “It’s exhibit A for why the solution cannot depend on the people who make devices.”

Besserglick observed: “With the explosion of end devices and the explosion of residential networks, it’s not going to be enough to look only at the network core to see what is going on. It’s going to be too late, and too little, and it’s going to have to go down to the end device. A herd of IoT devices attacking the network will not be stopped by looking at the aggregated traffic of everything three, or four, or six hops up the line.”

Device protection
Thomas Kallstenius, programme director for security and privacy at Imec (pictured, second left), said part of the solution will come from categorising devices into trusted, untrusted, and “some point in-between”. But he acknowledged: “It is difficult to forsee that there will be no untrusted devices on a network. I think we will have to live with that situation. If you look at a network in a smart city, there will be devices coming in and going out, and we can’t really trust some of them.”

Even when an attack has been detected, the resolution may not be easy. Avillez mulled: “Are we going to take the home off the network? The device off the network? We have to have an ability to identify the bad behaviour, and recognise it, and then stop it without taking all the devices off the network, because some of them are quite critical nowadays.”

Kallstenius observed: “In the good old days, if we were under attack, we would take down the network, change a few settings in the firewall and bring it back up again. But in many cases, we cannot do that now: think about an airport, where planes need to land, you still have to operate the systems despite being under attack. That is the real challenge.”

For Hypponen, one thing that is clear is that “operators will be putting more and more security in their own products that they deliver to consumers, and we’re already seeing examples of that.”

But this comes with its own challenges.

“We give security products and security companies a lot of access to our data so they can secure it, the same way that you give physical access to physical security guards: you have to trust them. So, choose your vendors carefully: ask your vendors what kind of data they are collecting. Most security products work over the cloud, so that means they will take data out of the network and send it to the cloud: how do they anonymise it, how do they encrypt it, and how do they delete it when they no longer need it?”