In my previous article (here), I discussed the problems with designing IoT devices around the bigger, more costly and more power-hungry components that would be required to support a lifetime of over-the-air (OTA) updates addressing ever-changing security concerns.
In this post, I discuss an alternative approach.
Reduce the complexity of IoT devices by removing most of the security functionality and patching abilities, and putting that functionality into a separate box which I will call an “IoT Hub”. This Hub would be like a home router: all devices within a home would connect through it (wired or wireless) to talk to the outside world.
All IoT devices in a home would connect through the IoT Hub. The IoT Hub would contain all the security defenses necessary to block all attacks, and it would be able to accept software patches, and even hardware patches, if necessary. IoT devices would connect to the IoT Hub via a separate and isolated wired or wireless network. That network might use some protocol other than TCP/IP, further reducing attack vectors. In that isolated and secured network, communication is very simple since security requirements are much lower.
This concept is not really that foreign. Take an average desktop PC. It has a main CPU, which does most of the work, including security protection.
But there are several other microprocessors in the system. There is one in the hard disk drive. That microprocessor does not have to deal with security threats. The communication over the SATA interface does not have to be protected or encrypted. There’s a microprocessor in the monitor and likewise there is no security threat over the HDMI channel. There’s a microprocessor in the USB hub and likewise there is no security threat between the main CPU and USB hub, or on out to the USB flash drives, keyboards, mice, printers, and other devices.
Hackers have attacked using key loggers to monitor key presses, but that is software running on the main CPU, which can be updated. Software is not updated for the microprocessor in the USB hub or in the keyboard or mouse. Basically, a desktop PC with all its varied communication channels to its various components is a trusted and secured “network”, wherein security protections are minimal or not needed.
Think of an IoT Hub with IoT devices scattered around the home as being like a secured desktop computer. Only the IoT Hub needs security protection on its connection facing the local area network and on out to the internet. It does not need nearly as much security on the IoT-facing connections. Only the IoT Hub needs regular security updates.
With an IoT Hub, IoT devices do not need security functionality or security updates. And some IoT devices would be designed with no intention of OTA updates for new features, thus eliminating the need for any OTA updates. IoT devices can be dumbed down, making them even less prone to hacks. This greatly simplifies the design of the IoT device, which has its advantages as discussed here.
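The split described above, where devices on the isolated link send bare frames and the Hub alone decides what reaches the LAN, can be sketched as follows. This is an added example, not code from the original article; the frame layout, device IDs and policy table are all assumptions made for illustration.

```python
import binascii
import json
import struct

# Hypothetical frame on the isolated device link (not TCP/IP):
#   device_id (1 byte) | msg_type (1 byte) | length (1 byte) | payload | CRC-16 (2 bytes)
HEADER = struct.Struct(">BBB")

# Hub-side policy: which message types each enrolled device may send, and the
# maximum payload size for each. All values are constructed for illustration.
POLICY = {
    0x01: {0x10: 2},   # thermostat: temperature reading, up to 2 bytes
    0x02: {0x20: 1},   # door sensor: open/closed state, 1 byte
}


def build_frame(device_id, msg_type, payload):
    """What a 'dumb' device sends: no crypto, just framing and a checksum."""
    body = HEADER.pack(device_id, msg_type, len(payload)) + payload
    return body + struct.pack(">H", binascii.crc_hqx(body, 0xFFFF))


def hub_accept(frame):
    """Validate a device frame; return (upstream_json, None) or (None, reason)."""
    if len(frame) < HEADER.size + 2:
        return None, "truncated"
    body, (crc,) = frame[:-2], struct.unpack(">H", frame[-2:])
    if binascii.crc_hqx(body, 0xFFFF) != crc:
        return None, "bad checksum"
    device_id, msg_type, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if length != len(payload):
        return None, "length mismatch"
    allowed = POLICY.get(device_id)
    if allowed is None:
        return None, "unknown device"
    if msg_type not in allowed:
        return None, "message type not allowed"
    if length > allowed[msg_type]:
        return None, "payload too large"
    # Only a re-encoded, typed message leaves the hub; raw device bytes
    # are never relayed to the LAN or internet side.
    msg = {"device": device_id, "type": msg_type, "value": int.from_bytes(payload, "big")}
    return json.dumps(msg, sort_keys=True), None
```

The checksum here only catches corruption on the link; every decision about what a device is permitted to say lives in the Hub's policy table, which is the part that would receive updates.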
What I have discussed does not cover all necessary aspects of IoT security and it might not be quite as simple as I’m implying. But it is a direction worth considering which could plug up some of the security holes.