Exploring Security Economics in IoT Standardization Efforts
Philipp Morgner, Zinaida Benenson

TL;DR
This paper investigates security issues in IoT standardization, specifically ZigBee, highlighting economic motivations behind security neglect and proposing recommendations to improve security practices in future standards.
Contribution
It provides a case study on ZigBee's insecurities and offers general lessons and recommendations for enhancing security in IoT standardization efforts.
Findings
ZigBee has notable insecurities.
Economic incentives often lead to security compromises.
Recommendations include defining security models and enforcing update policies.
Abstract
The Internet of Things (IoT) propagates the paradigm of interconnecting billions of heterogeneous devices by various manufacturers. To enable IoT applications, the communication between IoT devices follows specifications defined by standard developing organizations. In this paper, we present a case study that investigates disclosed insecurities of the popular IoT standard ZigBee, and derive general lessons about security economics in IoT standardization efforts. We discuss the motivation of IoT standardization efforts that are primarily driven from an economic perspective, in which large investments in security are not considered necessary since the consumers do not reward them. Success at the market is achieved by being quick-to-market, providing functional features and offering easy integration for complementors. Nevertheless, manufacturers should not only consider economic reasons…
