Should IoT have an Expiration Date?

I have a large collection of phones, PDAs, tablets and other electronics that are no longer valuable contributors in my gadget stuffed life. Many of these devices predate significant Internet connectivity while others are clearly part of the Internet of Things (IoT). Piles of lifeless devices sit in cabinets in my office clearly having passed their expiration date. They are too slow for my current expectations or simply fail to operate as originally intended. But what about those IoT devices which aren't dynamic and still function in their intended purpose? Electronic door locks, alarm systems, intelligent light switches don’t have much of a user interface nor do their functions drive much expectation for change. The marketplace advancement in those categories has been slow and differentiation hasn’t driven much demand for replacement. So does this mean since they work that they must be safe? Who defines when these IoT devices are posing a security risk or implementing unsafe modes of communication, thereby past their Use By Date and ready for expiration?

In the days of 900 MHz cordless phones and baby monitors, TV news broadcast reports of people listening into phone calls and baby monitors broadcasting your conversations. For safety, replacement products rapidly shifted to other frequencies and leveraged encryption or signal processing to restore privacy. These devices were effectively reported as being past their Use By Date. Furthermore, as devices proliferated the 900 Mhz frequency call quality in neighborhoods would degrade rapidly driving many consumers to upgrade.  The old devices would be removed from use and the new devices would improve security. The rapid growth in IoT vendors, device varieties, versions and improved functionality make it almost impossible to sort out the health of every IoT device to determine if you are approaching their expiration date.

Ask me what version of software is on my smart phone and I can tell you down to the decimal point. Ask me what version of software is on the keypad at my door, or whether it uses a properly encrypted communication protocol, and it might take me 30 minutes of heavy research. How is a consumer expected to even know that they should worry about their keypads? My keypads leverage Z-Wave and since April of 2017 all new devices must leverage a new Z-Wave encryption standard. How does a consumer know if a recently purchased product is up to par or already expired? Security researchers have shown older keypads could be remote unlocked by an unauthorized user. Worse yet, I can't even find a visible model number, version or date on many devices, plus many have no display which could update its status as expired. 

Ten years ago, electronics and gadgets were independent islands of technology and communications. A baby monitor would talk to the base station and that was it. A phone wasn't very “smart” and would only talk to the phone company. Today, a smart phone talks to the cloud, transforms with new applications and the next thing you know you aren't just listening to a waking baby, you are remotely controlling everything in the house. The technology in these things sends vast amounts of data to the clouds across the Internet to transform your digital world. Underlying the bits of information conveying your requests is valuable Identity Information about your IoT devices. If we start thinking about a household as an enterprise, modern cyber security tells us we should understand our inventory and assess the vulnerabilities. If the clouds know our IoT Inventory it seems like some simple data analysis could tell a lot about our household enterprise’s IoT cyber health yielding incredible situational awareness. 

While many IoT devices do not have displays, at the very heart of their value is their ability to communicate with the Internet. Identity Information is shared to discern which device is in which household. Imagine a use case leveraging the Identity Information coming from your IoT devices, such as manufacturer and model numbers to start comparing against vulnerability databases within the clouds. The numerous applications and clouds that seem to be peering into my Household IoT Enterprise could easily let me know about the cyber safety of my home. Applications fill folders on my smart phone and while they provide a significant amount of information about functionality, they don’t provide any visibility into the cyber safety or compliance of the devices themselves. Why are we not expecting more of remote automation providers? Wouldn't it be valuable to have the alarm system application go red if it was depending on insecure IoT? 

As much as we think of IoT as an insecure invasion, the short half-life and massive amounts of data produced enables a revolution in data analytics that could actually accelerate cyber security by bringing increased visibility to the level of insecurity a consumer has in their midst. Complex correlations of IoT Identity Information with Vulnerability Databases are simple for Clouds and Online Services, while consumers really don't need much more than a message like “Trust Me, Safe To Use” or “IoT Expired, Insecure!” Shouldn't we expect our applications that leverage clouds to not just highlight functionality, but also the current insecurity level?

October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about the importance of cyber security. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.