To explore this issue, we spoke to Danielle Damasius, Principal Program Manager, Azure Sphere, Microsoft. Azure Sphere combines a secure microcontroller, operating system and cloud service to improve the security of IoT devices.
Damasius points to the following three reasons why IoT device security is still lacking:
1. It’s not always easy to update IoT device security
Even if an IoT device has security features, it might not automatically update them.
“If you’re building with security, you have to ask if it’s renewable,” says Damasius. “Do you have an automatic update process that’s efficient, that allows you to renew security over time?”
This isn’t an easy issue for IoT vendors to solve. They need security experts to build efficient update systems, detect threats and respond to them. They also need infrastructure to deploy updates quickly.
“There’s a lot of room for error and for things to be left out. A vendor might say, ‘Oh, we’re not going to update the devices this month because we want to wait till next month,’” Damasius says.
Maintaining security also adds to device vendors’ costs. “[A device vendor] may have built a product to be secure, but they won’t necessarily have the right resources to stay on top of security, as threats evolve over time,” Damasius explains.
2. IoT devices usually lack end-to-end security
Another problem is that IoT devices often lack integrated security.
“It’s not uncommon for chips to have security built into the hardware. But the question is, does the software or the operating system know how to leverage the strengths of the hardware - do the software and hardware security features stack up? And is the operating system designed for security?” says Damasius.
These are issues Microsoft is addressing with Azure Sphere. Every Azure Sphere certified microcontroller includes Microsoft’s Pluton security subsystem, which creates a hardware root of trust, stores private keys, and executes complex cryptographic operations. Pluton works seamlessly with the Azure Sphere operating system, built specifically for IoT security.
The operating system also has a layered architecture and works with Microsoft’s cloud-based security service, which manages certificate-based authentication, delivers device-level failure reporting and updates security on the device over time.
It’s harder to secure devices that aren’t designed with these features. “Don’t expect to be able to fix it afterwards. Your device should be secured by design,” Damasius says.
3. Devices still rely on passwords
Relying on passwords is risky if multiple IoT devices have the same default password. Governments and standards bodies in Europe and the US are moving to try and stamp out the use of universal default passwords.
At Microsoft and across the industry, there’s a broad movement away from passwords to authentication of devices. This is also a feature of Azure Sphere.
“Azure Sphere does not use passwords or user accounts. Instead, we leverage certificate-based mutual authentication, which eliminates this attack surface entirely,” Damasius says.
While these are technical issues, Damasius points out that they’re important for companies to consider if they want to be trusted. “Brands that take on security today will be trusted brands of the future. It’s going to pay off,” she says.
Forward-thinking companies are addressing these problems. For example, Azure Sphere will enable European energy company E.ON to offer securely connected home technologies like home car chargers, lights, heating and cooling.
Meanwhile, Purell is working to upgrade its hand sanitizers with Azure Sphere. This will allow it to securely connect the hand sanitizer dispensers, which are used in many US healthcare facilities.
As IoT becomes more pervasive, many more companies will also need to tackle these issues.