Making Security User Friendly

Serious tradeoffs between technology accessibility and other optimization factors, such as power and security, can crop up especially in the early days of a new product’s design. A new product appeals to a certain category of users who need it to perform well enough that the technology can move forward. They are willing to overlook rough edges in the product and sometimes even glory in the levels of sophistication necessary to get it set up and running. Those that can wear the effort as a medal.

In the early days of color TV, the television set needed a regular tune-up to compensate for the drift in the circuitry so the picture converged properly, had the right color balance and was correctly sized and centered. In the sunset days of tube TVs, it was considered a fault if any of those things went out of perfection.

A similar situation existed in the early days of WiFi solutions and routers. It used to a big deal to install a new router. Even adding a new device to the network was more difficult than it should have been. Routers had many options but few resources available to help educate people how to use features beyond the out-of-the-box configuration. That meant most people used the defaults for everything, including the default system password. Many still do and are experiencing the security implications of that. Thankfully, much of that has now changed. Many routers don’t even have a notion of a default password—every device ships with a unique password into the admin account.

Apple was the company I first noticed that had a different attitude with consumer products. Others may have come before that, but Apple at least made it fashionable for technology to be approachable. That does not mean dumbing it down. Instead, it put technology in the context of what users want to do rather than how a device is architected. That was a big step forward, and many companies have learned how powerful it can be.

Today, routers have improved a lot, and I even have devices on the network that can auto-configure the router. But significant issues remain, such as software updates. How many people are keeping the firmware for these devices up-to-date? I have some devices that email me when firmware updates are necessary, and when I go into their web-based interface, everything is prepared for me to do the installation.

The battle among ease of use, security and power is a constant. In some cases, it is only after a technology has been used by enough people over enough time that use models clearly mandate adding additional layers of management that make setup and maintenance a breeze.

I see similar things happening in IoT, but the stakes are a little higher than in the commercial device arena. What networking standards should be used and how secure they are is an important tradeoff against power. Reliability of connection would make mesh networks appear more attractive, especially when some devices are mobile. But that requires devices to stay awake a lot more. How do these systems and networks get created and maintained?

Still, a lot of talk goes on about how insecure many home automation solutions are, and that bothers me. What bothers me even more is that I have no real way of knowing how secure a product is. I can look at a spec and decide that one with 150M this and 15G that is better than one with lesser figures—but how can I know which one is more secure?

Device manufacturers have to start paying heed to this. I understand that it may not be possible to provide a full security/vulnerability scorecard, but I do need to know what steps they have taken and how they plan to ensure that the devices can be safely updated when vulnerabilities are found.

I had a rude awakening about this just a few months ago when a friend, who was helping out with the installation of some new equipment, needed to get into the admin account of my router. I forgot to provide him with this information before I left, but I needn’t have worried because he managed to break into it very easily. Apparently, this was a known vulnerability, but I didn’t know that a patch was available. That company’s reputation slid down a few notches in my books—because the vulnerability was actually quite basic and because of their failure to ensure their installed devices stayed safe.

If these companies have not learned enough from the consumer market to make devices for the industrial IoT market, which is much newer in terms of penetration, how can they trust their data, their networks, their operations? It is time for the industry to take security seriously. They have to convey that message to the users and find a way to do it in their data sheets and product literature. Don’t just tell me protocols you support, make me feel that your product is safe and that you take security seriously.