If you have been following the Gluu Twitter feed, you’ve probably noticed a lot of articles
posted recently about Internet of Things (“IOT”) security (or lack thereof).
If you bother to read any of these articles, you will discover that none of them provide
any answers as to how a mobile application can share user data while calling APIs and a
web access management system, or how the API server can determine whether a request for an
API by a certain person, using a certain client, should be honored. It’s a weird situation
where the people (and even some of the journalists) know that the emperor has no
clothes, but the API developers and IOT experts are going about business as usual.
Even though it would make sense to build in security from the ground up, the focus of
IOT hardware vendors has been on connectivity and shipping fast. And why not? As long
as IOT devices sell, the fact that they might have some terrible security flaw that
requires replacement next year is just an extra bonus.
Leveraging existing security standards for IOT has challenges. For example, IOT devices
are more resource constrained than phones: they have slower CPUs and less memory.
They are disconnected from the Internet more often. Some devices might not ever
connect to the Internet, although they may connect to a local network. Some devices
might not even have IP: they may connect only via Bluetooth or some other wireless
network protocol.
Let’s take a simple example. You have a tablet, and you want to use it to choose a
Netflix movie on your TV, pre-heat your oven for the brownies, and tell your robot-butler
to take out the ice-cream. Luckily, your oven, TV and robot-butler have APIs. But
how will they know it’s you who made this request (maybe your kids don’t have ice
cream permission…)? And how will they know to trust your tablet, which communicates
on your behalf?
The answer to IOT security is to not re-invent 15 years of access management
experience. The patterns and protocols that are now available to protect Web resources
should be carried over to IOT. This would provide a solid foundation for incremental
enhancements in security.
I think that security needs to be built in at the chipset level. This may sound crazy, but
the idea of embedding a web server into a hardware device seemed crazy in the mid
90s. The two most promising APIs for IOT security are OpenID Connect and UMA.
These profiles of OAuth2 provide open standards for authentication and web access
management (WAM) software systems.
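As an added illustration (not code from the article or from Gluu), here is how the oven’s API from the tablet example could decide whether to honor a request carrying an OAuth2-style bearer token: it checks who the person is (sub), which client presents it (azp), that the token was minted for this API (aud), and that both the granted scope and the owner’s own policy allow the action. The secret, audience string, client ids and policy table are constructed assumptions, and a symmetric HS256 key stands in for the published-key verification a real OpenID Connect or UMA deployment would use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo: symmetric key shared by the authorization server and
# the oven's API (HS256 keeps it offline; real deployments use the AS's JWKS).
SECRET = b"demo-secret-not-for-production"
OVEN_AUDIENCE = "https://oven.example.home/api"   # hypothetical API identifier
TRUSTED_CLIENTS = {"tablet-1234"}                 # clients the household registered
PERMITTED = {"parent": {"oven:preheat", "tv:play"}, "kid": {"tv:play"}}  # owner policy

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, azp, scope, ttl=300, now=None):
    """Authorization server: mint a JWT for user `sub`, presented by client `azp`."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "azp": azp, "aud": OVEN_AUDIENCE, "scope": scope, "exp": now + ttl}
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize(token, required_scope, now=None):
    """Oven API (resource server): decide whether to honor a request.
    Checks signature, algorithm, expiry, audience, presenting client,
    granted scope and the owner's per-user policy. Returns (allowed, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # reject alg=none and friends
        return False, "unexpected alg"
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("aud") != OVEN_AUDIENCE:
        return False, "wrong audience"      # e.g. a token minted for the TV, not the oven
    if claims.get("azp") not in TRUSTED_CLIENTS:
        return False, "untrusted client"
    if required_scope not in claims.get("scope", "").split():
        return False, "scope not granted"
    if required_scope not in PERMITTED.get(claims.get("sub"), set()):
        return False, "user lacks permission"
    return True, "ok"
```

The last two checks are deliberately separate: the scope says what the client was allowed to ask for, while the policy table models the resource owner’s own rule (the kids have no ice-cream permission no matter what the tablet requests).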
When people think about security, they tend to focus on all the bad stuff that can
happen without security. Many wonder, “When will there be another 9/11 security
event that forces user behavior to change?” I think this is the wrong way to look at it.
We need security because it would enable us to lead richer, more productive lives. In
other words, the opportunity cost of not having security far exceeds the costs of
breaches. What could we do if we had security?
Article resource: https://www.smore.com/k410w-oauth2-chipset-the-answer-to-iot