Exploring Security Economics in IoT Standardization Efforts

Abstract: The Internet of Things (IoT) propagates the paradigm of interconnecting billions of heterogeneous devices by various manufacturers. To enable IoT applications, the communication between IoT devices follows specifications defined by standard developing organizations. In this paper, we present a case study that investigates disclosed insecurities of the popular IoT standard ZigBee, and derive general lessons about security economics in IoT standardization efforts. We discuss the motivation of IoT standardization efforts that are primarily driven from an economic perspective, in which large investments in security are not considered necessary since the consumers do not reward them. Success at the market is achieved by being quick-to-market, providing functional features and offering easy integration for complementors. Nevertheless, manufacturers should not only consider economic reasons but also see their responsibility to protect humans and technological infrastructures from being threatened by insecure IoT products. In this context, we propose a number of recommendations to strengthen the security design in future IoT standardization efforts, ranging from the definition of a precise security model to the enforcement of an update policy.