NIST: 17 reasons we can’t trust or certify IoT devices

As Californian lawmakers mull the first US Internet of Things (IoT) security regulations, the US National Institute of Standards and Technology (NIST) is grappling with how it can certify connected things. 

The Californian bill unveiled this week would require makers of IoT devices by 2020 to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit”. 

But security is just one aspect of trust that people and standards-setting bodies will need to weigh up in future as more things become internet-connected. Cisco reckons the IoT will be made of 500 billion connected objects by 2030 and this could spell trouble for organizations that certify technology for use within government, business and critical infrastructure.   

The NIST, a US agency that tests new technologies and and helps define security standards, has outlined 17 core trust concerns it has with IoT, most of which have “no current resolution” and could undermine users’ confidence in technology that crosses the divide from cyber into physical and are prone to 'bloat' or vendors stuffing in features that aren't necessary and can reduce performance or introduce security risks. 

“‘Things’, and the services to interconnect them are often relatively inexpensive therefore creating an opportunity for functionality bloat,” the NIST authors warn in a note about IoT scalability. 

“This allows complexity to skyrocket causing difficulty for testing, security, and performance. If the average person is associated with 10 or more IoT ‘things’, the number of ‘things’ requiring connectivity explodes quickly and so do bandwidth and energy demands. Combinatorial explosion and functionality bloat are trust concerns.”

Another potential cause of mistrust in the technology is that IoT devices rely on third-party “black box” systems that provide little to no visibility into their inner workings. 

“Black-box ‘things’ can contain malicious trojan behaviors. When IoT adopters better understand the magnitude of losing access to the internals of these acquired functions, they will recognize limitations to trust in their composite IoT systems,” the agency notes. 

Other potential threats to trust include ownership and control of these black-box devices and uncertainty that IoT devices live up to claims made by the manufacturer. 

NIST researchers are also worried about the lack of a “global clock” that syncs security and performance updates across many distributed devices simultaneously. 

“A timing mechanism is needed that applies to all computations and events, however no such global clock exists. Therefore, timing anomalies will occur, enabling vulnerabilities, poor performance, and IoT failures,” NIST notes. 

IoT can further undermine the certification process because testers can't predict how IoT devices will respond to changes in the network.

“Testing concerns always increase when devices and services are black-box and offer no transparency into their internal workings. Most IoT systems will be built from only black-box devices and services. Also, IoT systems are highly data-driven, and assuring the integrity of the data and assuring that a system is resilient to data anomalies will be required.” 

NIST recommends that IoT devices have defined functional and non-functional requirements so that organizations like it can say whether a device is safe to be integrated, and can be approved to communicate with other things. IoT devices could also be categorized according to the chances they may be hijacked for malicious purposes, or be swapped out when something fails.

Should such a grading system for IoT devices emerge, standard-setting organizations like NIST could focus on vetting devices that pose the greatest risk to an interconnected system.