Why IoT Security Is Like a Time Machine from Dr. Who
While there are real problems to be addressed with IoT security, many of the proposed solutions seem generic, failing to take into account the human and economic factors of hacking, says Derek Kerton, founder of the Kerton Group and founder and chairman of the Telecom Council of Silicon Valley.
The Economics of Hacking
“If nobody cares about hacking your device, that is more important than how good your encryption is,” Kerton says. “Economics dictates security. But it also dictates the cost-benefit analysis for the hacker. If you are doing security merely from an engineering perspective, it is like coming up with the world’s best technology but not having a business plan or a value proposition.”
Of Hacking, Time Machines, and Bike Locks
Instead of giving up on plans for ambitious technology because of an inherent security risk, Kerton recommends that companies ask: “what is in it for the hacker?” and “how can we make it so that there is less in it for him and make it hard enough for him not to do it?” You don’t want to be the lowest-hanging fruit for a hacker.
“This reminds me of the TARDIS time machine and spacecraft in Dr. Who,” Kerton says. “It looks like a normal police box from the outside. But if you knew what it was, you would probably steal it.”
An important trick to avoid getting hacked is to design your application so it doesn't look appealing to a hacker—so it looks more like a police box than a time machine.
The parallels between hacking and theft are often overlooked. Ultimately, IoT security—or any kind of security—isn’t all that different from, say, locking up a bicycle in a public place. “I don’t have to have the perfect lock for my bike; I just have to lock it up better than the next bicycle. The worse the bicycle is, the better my security is. That’s just economics. If you have a crappy bike with a decent lock, nobody is going to steal it.”
That doesn’t mean companies should aspire to have subpar technologies to bolster their security, but that they should aspire to understand the mindset of a hacker rather than focusing solely on technological solutions.
In the economics of hacking, not everything is about money. Prestige or bragging rights are often part of a hacker’s payback.
To improve your IoT security, try to understand what would drive a hacker to target your technology in the first place.
As Sun Tzu said millennia ago: “To know your enemy, you must become your enemy.”