Most IoT devices sold nowadays are sold as a piece of hardware. You pay once for the hardware and it is expected to work for a long time. As a result, the vendor is under tremendous pressure to keep the manufacture price of the hardware low; it entirely dictates their profit margin.
Because there is pressure to reduce manufacturing costs, every component comes under scrutiny. Do we need 64MB of RAM, or can we get by with 32? A less capable CPU will shave 50 cents off the BOM cost. The hardware capabilities are reduced to the bare minimum, and unfortunately for security, features like cryptography tend to be demanding of hardware resources. The vast majority of IoT devices in the wild are simply not capable of strong crypto as it is presently used.
Traditional software costs nothing to duplicate. There are two common business models:
The software industry is moving to subscription plans because consumers expect regular updates and support. They also expect to get new features, but hate to pay for them. Software vendors incur large costs to support and update a software product after it has already been sold.
Much of the support and update burden is security patches.
IoT devices mostly use the “buy once, use forever” model. Unfortunately, this means that the vendor has little incentive to update their device once it has been released. Updates cost money. They would prefer that customers buy a new device and throw away the old one.
There are some businesses which discount hardware costs by selling an ongoing subscription (e.g. Internet or cell phone service), but in these cases the service is valuable and the hardware is a necessary cost. You wouldn’t pay $5/month to use an IoT lightbulb, for instance. Where a service must be provided for a long time, it is usually priced into the up-front purchase price. No IoT lightbulb costs $200 to manufacture.
As a result, IoT vendors rarely release security patches for their products.
IoT devices use different CPUs to those found in a modern laptop or desktop. They are always less powerful – sometimes dramatically so. Where a typical (2016) laptop will have 8GB of RAM, there are CPUs in IoT devices which have less than 20 bytes (yes, bytes!) of RAM. There are several reasons for this:
There are thousands of architectures in common use. I discuss a few common classifications in hardware classes.
The result of all of this is that not all IoT devices are capable of strong cryptography. At the time of writing (2016), IoT devices with the same crypto capabilities as a desktop PC are rare.
This isn’t as simple as “Moore’s Law will fix it”. The non-cost benefits (power, development effort, predictability) of smaller CPUs are enormous. It’ll be a long time before we can fit something with the power of a Raspberry Pi (400MHz 32-bit ARM, 50-5000mW) into the space and power envelope of a TinyAVR (4MHz 8-bit AVR, 5mW) – and the AVR would still boot faster.
Software (firmware!) is usually developed alongside the hardware device. It’s very common for firwmare to be developed by someone who isn’t a specialised software developer (often they’re electrical engineers first and learn software development on-the-job). They are therefore less likely to be educated in security practice than a software developer.
Software/firmware is also seen as a cost and usually takes longer than the hardware development. It therefore delays release to market and is abbreviated as much as possible.
IoT devices operate in all imaginable physical environments – underwater, inside human bodies, in space.
As a result:
Remember, a Fitbit is a $100 computer whose purpose in life is to be shaken. You would never do this to a regular computer!
Despite mainstream media reporting, IoT devices already surround you and control much of your life. You don’t know that they exist. You’re certainly not aware that they need to be maintained.
Many classes of IoT devices – building controls, SCADA devices, medical implants – need to operate for a long time with no human intervention. For the security practitioner, that means that they need to operate securely for a long time with nobody patching them or monitoring them.
An unpatched Windows XP machine on the Internet will be compromised within a few minutes, but at least someone will notice that it has been compromised. The IoT devices in tomorrow’s news story have already been deployed somewhere and forgotten.
On the desktop, practically all machines run Windows on an Intel CPU. On servers, Linux or Windows on Intel. On phones, iOS or Android on ARM.
On IoT devices, there is no dominant platform. There are hundreds of different CPUs and dozens of different operatings systems. Many devices use a custom operating system or no operating system at all. Even stock operating systems are heavily customised.
If an attacker compromises iOS or Windows, they can reuse the same method over a massive install base. Because they’re constantly attacked and have strong corporate backing, they’re very robust at this point in time.
IoT devices are all different. They’re generally very easy to compromise, but the same exploit isn’t usable against many devices. Given that attackers have a finite amount of time to spend attacking and exploiting devices, they’ll spend their effort on more lucrative (effort * impact) targets.