Cloudflare's incredible solution for IoT security: Use our services
And, oh for $DEITY's sake, yet ANOTHER best-practices standards organization?
Traffic bouncer Cloudflare has outlined what it claims is the solution to the perennial internet-of-things security problem: pay it.
The company points out what most security experts have been saying for some time: IoT devices are a security disaster, they are going to grow exponentially, and when people can't even be relied on to update their browsers, having billions of unpatched internet-connected devices is a disaster waiting to happen.
And so Cloudflare has come up with its solution: route everything through us.
This does not come as a huge surprise. The company does tend to offer the same solution to every online problem: Distributed denial of service (DDoS) attack? Route your traffic through us. Man-in-the-middle attack? Pay us to deal with your data. Too many spam comments? We have a paid service for that. Need encryption? Guess what?
But that doesn't mean that the company's new Orbit service is a bad idea. In fact, it may very well be a good or even great idea given the state of the current system for securing online devices.
The basic idea is quite simple: in the same way website owners pay Cloudflare to sit in between them and their visitors, IoT manufacturers will pay for the Orbit service to sit between their devices and the public internet.
The manufacturers will configure their devices to only go through Orbit, which gives them (or, more accurately, Cloudflare) the ability not only to shield tech-ignorant consumers from hacking efforts, but also to apply virtual security patches across all of a manufacturer's devices at once.
Although this is far from ideal since it introduces a proprietary layer to the open internet, the reality is that it could be a lifesaver for IoT companies, which have persistently shown themselves incapable of carrying out decent security audits on their products and continue to make basic errors, like hard-coding passwords.
And, to be fair to Cloudflare, the company has shown itself to be very capable of handling huge amounts of traffic without lag or collapse.
The million-dollar question of course is: how much does it cost? Cloudflare told us that the fee was based on the number of devices and the bandwidth required but wouldn't provide an exact figure.
If the cost is $10 a year per device and an IoT company can offer the extra security as part of a premium package – alongside cloud recording or similar – then it is probably a great deal.
But if the idea is that it will be supplied for free to customers who buy the product and don't sign up to an ongoing service fee, then the price is going to have to be much, much lower for there to be any kind of significant take-up.
Of course, the biggest security risk comes from companies offering low-price IoT items that don't require ongoing fees. So while Cloudflare's new service may help improve the security of mid- to high-end IoT products, the huge risks from the low end are unlikely to go away. So expect plenty more DDoS attacks from zombie webcams.
And then there is the fact that if lots of IoT manufacturers chose to use this service, it would make Cloudflare a single point of failure and hence a huge target for hackers. And Cloudflare, like any company using software, is not immune to bugs, bugs that can provide an enormous wealth of information.
Oh please god no, not another one
One thing we do have to pick on Cloudflare for, however: in the official notice of the new service, the company notes that it is "introducing the industry's first IoT alliance – made up of a group of IoT companies and experts in the field – that will be committed to forming best practices and standards for protecting connected devices and ensuring the resilience of the Internet of Things."
Far from this being the "industry's first IoT alliance," this effort will only add yet more overhead and confusion to a massively overpopulated world of internet-of-things alliances, consortiums, organizations, groups, working groups, feuding government departments, security experts pushing for laws, legislators and consumer agencies pretending not to hear, and god knows what else.
Below is a partial list of the people working on IoT security and best practices. We wonder why on earth Cloudflare thinks it's a good idea to add yet another one to the list. ®
That barren landscape of Internet of Things standards bodies
- The Open Connectivity Foundation
- The IoT Security Foundation
- US Department of Homeland Security
- US Federal Trade Commission
- US Department of Commerce
- US Department of Transportation
- The Thread Group, which is focused around Google's plans for IoT and smart home standards, including Weave
- The Industrial Internet Consortium, whose main concentration is on testing standards but whose members clearly intend to influence new standards
- The AllSeen Alliance, which is headed up by the Linux Foundation and also plans to develop an interoperable platform and certify products to work with it
- Apple's HomeKit self-contained ecosystem
- The prpl Foundation, which has just released secure embedded computing guidelines
- The IEEE P2413 project, also working on a standard framework
- And the Internet Engineering Task Force, which has a number of working groups looking to develop new IoT standards