What did we learn from the IoTSF 2018 conference?

The day began with us hearing from John Moor, Managing Director at the IoT Security Foundation who explained a lot of IoT users are already on the hook – the regulation hook that is – we know it is coming, but in what different forms, is the worrying part!

The audience were also introduced to a recent report: ‘Consumer IoT: The naughty or nice list’, which essentially suggests everyone should have a vulnerability disclosure policy, but research from the IoTSF found out of 30 companies asked only ten percent actually did. One other crucial point Moor highlighted was that all users should not be using a default password, something so obvious and simple yet something we are all guilty of.

Professor Paul Dorey, Chairman of the IoTSF explained the foundation is all about recognising the scary headlines and threats we often see when it comes down to IoT security, and doing something about them. The main aims include:

• Awareness of the security issue
• Understanding what to do
• Being motivated to do it
• Being able to implement and assure

The IoTSF wants to progress solutions and aims to drive for adoption with confidence. Dorey added: “We need to keep up with innovation and enable supply through demand, then we can reduce barriers and grant free open access. But most importantly avoid duplication, we really don’t want to make what has already been made before. It’s purely just a waste, and instead we want to work with solutions that have been made to help people.”

The day clearly expressed the foundation’s main mission, to make it safe to connect, and to increase awareness, knowledge and skill.

Tyson Macaulay, Chief Product Officer at Infosec Global in his keynote speech said: “It took four years to write my book, there wasn’t much out there and now how times have changed.” There is so much material out there now, but it is essential you know which ones to trust. He added: “IoT needs to move from static thinking to dynamic thinking, and the IoTSF is here to help with that.”

Security is whatever you need, and however you need it. Macaulay compared it to an all you can eat buffet! He also gave some example of dynamic IoT security:

• In-field provisioning updates
• Interoperability
• Agility in crypto and identity
• Hardware – based security
• Service discovery and boot-strapping
• Micoagents with brains
• Secure cloud
• Outsource to experts

The message that was constantly repeated throughout the day was that people need to take security more seriously. Dr Gilad Rosner, Founder of Internet of Things Privacy Forum said: “Everyone has clicked ‘I agree’ once to something that haven’t read – we are all guilty but it can be quite serious.”

Dr Rosner explained that the important thing to remember when it comes to IoT security was the users control and management, and there are key elements to having user control and management:

• Data minimisation
• Using words such as ‘Ok Google’ and ‘Hey Siri’
• Making it easier for people to delete data
• Making it easier for set data to disappear after a certain period of time
• Making it easy to withdraw consent

If you have at least some of the powers then you can gain and retain the control and management of your data, and more importantly your security.

Dr Rosner said: “I find myself all the time having to remind device manufacturers to encrypt everything to the maximum degree possible.”

The IoTSF conference also addressed how to disconnect and disassociate yourself, a newer area in IoT security, which has evolved due to the extent and capability of today’s devices. The key teachings here were obviously to avoid connecting to ports that you cannot guarantee will be safe. Dr Rosner said: “You should never charge a device or connect to the WiFi unless you yourself know it is a secure connection.”

In fact people are now also being warned not to plug devices into USB ports in cars that aren’t their own, as they can pull data straight away, and realistically how hard is that going to be to disconnect that data?

The answer is extremely, and the sad thing is that is what our society and industry has developed into, a place where we are tools to use things that can benefit us the most as a lot of things are no longer secure.

Although the annual IoTSF conference did install a lot more reassurance within me, as there are a lot of precautions and tools you can use within IoT to be secure, it did also open my eyes as to how many day to day things can be a security risk, and in the world of IoT you do have to take these extra steps to make yourself and businesses secure.