Michael Richardson on IoT device security at RIPE89

• IoT security updates are often neglected, creating vulnerabilities.
• Standards like SUIT and regulatory efforts aim to enhance IoT safety.
• Consumer and regulatory cooperation are crucial for effective security.

Introduction

Michael Richardson is the Chief Scientist at Sandelman Software Works, with over 28 years of experience in network and systems architecture consulting. His work focuses on security architecture as part of integrated system performance engineering. He is also a member of the IETF (Internet Engineering Task Force), where he co-chairs the Routing over Low-power and Lossy Networks (ROLL) working group. He is active in the security domain, specifically in IPsec, BTNS, and various authentication working groups, and has authored RFC4025 and RFC4322.

So the biggest problem, in my mind, is that we don’t actually own our devices.

IoT security updates remain a weak link

Many Internet of Things (IoT) devices lack a reliable mechanism for security updates, which is a major vulnerability. Michael Richardson, an expert in IoT standards and security, highlighted that despite the importance of maintaining updated software, manufacturers often hesitate to implement automatic updates due to concerns about user settings and device stability. This reluctance stems from a fear that firmware changes might disrupt device functionality or inconvenience users, leading to consumer dissatisfaction. As a result, many devices remain outdated and susceptible to cyberattacks.

Also read: Sateliot expands 5G NB-IoT satellite constellation

Richardson pointed out emerging standards, such as the IETF’s SUIT (Software Updates for Internet of Things), which aim to make the update process more reliable and reduce risks associated with outdated firmware. SUIT provides a framework for delivering software updates in a secure manner, ensuring that devices are protected against known vulnerabilities. By adopting such standards, manufacturers can help ensure that IoT devices remain functional and secure throughout their lifespan.

Also read: RIPE 89 kicks off in Prague: Highlights of Days 1-3

However, a lack of consumer awareness further exacerbates the problem. Many users are unaware of the need to keep their devices updated or lack the technical knowledge to do so. This creates a gap that cybercriminals can exploit, highlighting the need for manufacturers to create user-friendly update mechanisms and educate consumers about the importance of security. Collaboration between standards bodies, manufacturers, and users is critical to establish a more robust IoT security ecosystem.

Regulatory efforts and impact

In several regions, governments are stepping in to address IoT security challenges. For example, the UK has mandated that updates must be available for a specified time frame, pushing manufacturers to comply with basic security standards. This regulation came into effect in April this year, requiring all IoT devices to ensure update availability. Ensuring continued support for devices is crucial, especially as they are often used for years beyond their initial purchase.

Similarly, California is looking to implement a similar directive, although its enforcement timeline remains unclear. The regulatory environment is still evolving, but Richardson believes these steps are moving in the right direction. He highlighted that while these mandates may lead to increased e-waste, they are necessary to compel manufacturers to maintain security standards. Despite this downside, prioritising consumer safety and data protection is worth the cost.

These regulations aim to establish a precedent for the industry. By enforcing these measures, governments are sending a clear message that security should not be an afterthought in IoT development. This can lead to a shift in how manufacturers approach product design, focusing on building security into the core of their devices. Richardson also mentioned that these efforts would be effective only if supported by stringent enforcement and penalties for non-compliance.

Balancing consumer privacy and security

One of the major problems Richardson discussed is the monetisation of user data by IoT manufacturers. Companies often use surveillance-based business models to generate recurring revenue, which introduces additional privacy and security risks. The use of connected devices to collect and monetise personal data allows companies to subsidise device costs or generate continuous income after the sale. However, this business model often conflicts with users’ right to privacy.

Also read: Exploring IoT projects: innovative applications and benefits

Consumers need to decide whether they are willing to pay for a subscription to maintain device security or allow manufacturers to monetise their data. Richardson emphasised that a lack of transparency complicates the situation, as many consumers are unaware of how their data is used. The introduction of subscription models for security updates could offer a solution but places additional financial burdens on consumers, raising questions about the accessibility of secure IoT devices.

Also read: IoT solutions: Transforming industries and enhancing lives

Richardson highlighted the importance of true device ownership and the right to repair. When consumers have the right to repair their devices, they can ensure that their devices remain operational without depending entirely on the manufacturer. This approach empowers consumers, aligns their interests with those of the manufacturers, and ultimately enhances IoT security. True ownership also allows consumers to make decisions about their devices’ privacy settings, reducing their dependence on manufacturers for updates and limiting data monetisation opportunities.

Closing thoughts

The interview closed with a discussion about the future of IoT security. Richardson noted that regulatory measures, improved standards, and user education are all necessary components to tackle IoT security vulnerabilities effectively. He reiterated that the collaborative effort of stakeholders—including governments, manufacturers, and consumers—would be required to create a safer IoT landscape. Regulatory measures hold manufacturers accountable, while standards provide a foundation for secure updates and device management.

Richardson also discussed the role of education in fostering a security-conscious consumer base. Many users are unaware of the potential threats posed by unpatched vulnerabilities in their IoT devices. By raising awareness and providing clear guidance, manufacturers and regulators can help bridge this knowledge gap. User education is essential in reducing security risks, as informed consumers are more likely to take proactive steps to secure their devices.