A Trustworthy IoT?
Dr Barney Craggs
Senior Research Associate
Bristol Cyber Security Group, University of Bristol
In our latest post in the PETRAS series, researcher and cybersecurity expert Dr Barney Craggs asks – how on earth can we build a trustworthy IoT?
As we move towards the exciting future of connected everythings – full of promise and potential for economic value and social good – perhaps this is the time to take a step back and realise that it is by no mistake that the IoT is often referred to as the ‘Internet of Sh*t’. There is a lack of trust in these connected devices, and it is often for good reason.
Take the connected Juicero – at the press of a button on your phone, this technological marvel could squeeze a bag of fruit pulp into a glass. Of course, you had to manually install the bag of fruity goodness yourself, and make sure there was a glass there to receive the juice. Having raised $120M in seed funding, the Juicero finally launched in 2016 for the bargain price of $699, only to cease trading 18 months later. Juicero went away, taking investors’ money with it, costing employees their jobs and leaving adopters with expensive door-stops. Economically, the IoT is littered with similar high- and low-profile failures.
Then we have the plethora of connected bargain-basement webcams which allowed you to watch Fido all alone at home. Unfortunately for those users, a great many of those cheap cameras were built on poorly executed firmware, with default passwords and little thought as to how they might be updated. One Mirai botnet later and some of the Internet’s largest properties were hamstrung by DDoS attacks utilising this in-built insecurity. For webcam users it was no longer safe to leave a webcam connected, and for the likes of Dyn, Netflix, Reddit, Twitter, the loss of service was reputationally damaging.
Next up were children’s toys, which not only leaked video or sound to anyone who chose to hack into them, but also let strangers talk to kids. We have even had Amazon’s Alexa connected speakers cackling away like demented souls. These poorly executed devices broke that most elemental of human needs, a need for certainty, the need to be able to trust.
It is easy to see how such products came to market. With an expected market size of $457B by 2020, to any company with a modest R&D budget, building a connected anything is an attractive option. But trust in the IoT is harmed by their failures.
Why Trust Matters
The thing is – trust is fundamental to human interaction. It pervades all aspects of society, underpinning every action. Trust is the glue that enables relationships. The most simplistic of definitions for trust echo the concept that trust is an expectation that another party will (or will not) undertake an action. When webcams allow anyone to watch the comings and goings in your home, smart speakers take on demonic laughs or you lose hundreds of dollars as the next greatest thing suddenly goes out of business, how ready are you to keep using your IoT device, let alone buy another?
And that is the problem. Trust is normally built over time. And trust is very hard to regain once lost. As a product developer, to build trustworthy systems, you need to understand far more than the nuts and bolts, the code or the packaging. You need to be able to fit IoT devices into and around human life, to be able to predict how other people (users) will expect your product to behave AND to deliver a predictable device.
To build a trustworthy IoT product, there are three key aspects to trust worth remembering:
It is important to recognise that trust is not one-dimensional. There are actually four fairly well recognised types of trust:
- The trust you have in other people (interpersonal)
- Trust in organisations (institutional)
- Trust you place in the technology you use (technological)
- The degree to which you actually believe the information you are looking at (informational)
Whilst interpersonal trust isn’t entirely, and always, applicable to the IoT, there is little doubt the other three types of trust are pertinent. A user needs to be able to trust that you, the manufacturer of a device, are not only going to give them a device that does what was promised, but also that it does so in a safe and secure way. Where the use of the device is subscription-bound and ongoing, there needs to be reassurance that you and the service will be around for a length of time appropriate to the user’s expectations.
Whilst all humans are born trusting, our lives and experiences shape and change what, whom and how we trust. Trust is a social construct. As we all lead subtly different lives, each and every one of us has a slightly different view on trust. Trust is both subjective and contextual. It is often built over time through iterative interaction but can be damaged by the most minor of events.
Consequently, trust is not binary. It is too simple to state that one does or does not trust something or someone. The reality is we trust everything and everyone to some degree (otherwise we would never leave the house, it would be far too scary). But that doesn’t mean we would necessarily leave our front doors unlocked. The same can be true of IoT devices. We might be trusting enough to have a connected speaker in a kitchen, but decidedly less trusting about placing one on a bedside table.
So how to build trustworthy devices?
Frankly, one blog could never do justice to all the aspects of trustworthiness needed for the IoT, but within the PETRAS Hub, one aspect of devices that we have focussed upon is their safety and security.
There is little doubt owning a product only for it to start scaring you in the middle of the night, or to suddenly go out of business, reduces overall trust in the IoT but potentially not terminally so – many people have been burnt by a single failure yet still return to the IoT. However, suffering a serious security issue such as finding webcam footage leaked online or a home intruder bypassing a connected lock is less likely to be forgiven. Thankfully, we have, as yet, not seen a fatality as the result of a security breach in consumer IoT. Yet.
One can readily surmise that were, say, a connected insulin pump hacked to cause a death, the trustworthiness of at least connected medical devices and potentially all IoT devices would be brought into question.
From this one might assume, therefore, that the most straightforward solution to building a trustworthy IoT would be to simply secure all devices. Anyone with even half an ear to the proverbial IoT security ground knows we are an awfully long way from achieving this – despite vast resources being poured into assurance schemes, physical and digital security advances, standards, policies and guidance. Blockchain-based security may help to secure things but, as yet, goes unproven.
But that isn’t to say we shouldn’t be trying to secure the IoT; we most definitely should. For our part we have engaged with the development community and proposed Security Ergonomics by Design. Within this work we articulate a number of challenges inherent within cyber-physical systems such as the IoT. We also articulate initial design principles that offer pragmatic guidance for software engineers, spanning both technological approaches and existing frameworks from human factors / ergonomics, for the development of safe and secure cyber-physical systems including the IoT.
But we should not see Security Ergonomics by Design, or any other framework or technology, as the silver bullet for a trustworthy IoT. They are all needed, but as Ciaran Martin from GCHQ recently put it: “absolute protection is neither possible nor desirable; it’s about having more resilience in the systems we care about the most, those where loss of service would have the most impact on our way of life.”
To build a trustworthy IoT we need to look to where those impacts upon our lives are simply not acceptable. And within those areas we need not only to strive to build secure devices but ensure that they (and more importantly any systems that rely upon them) are resilient.
Being able to trust that IoT systems will resist attack, tolerate the inevitable human error (both by developers and users) and still not impact in undesirable ways will go an awful long way to a trustworthy IoT.
We’ve added these as footnotes as well as alt text links because you can never be too careful when you’re clicking around the web.
Dr Barney Craggs is a Senior Research Associate within the Bristol Cyber Security Group at the University of Bristol. His research looks at the potential vulnerabilities to both human safety and systems availability that arise from information based decision processes, within the three over-arching but interlinked strands of work undertaken by the group: security of cyber-physical infrastructures, software security and human behaviours. You can find him sharing his thoughts on Twitter here: @barneyc