A Clever Plan to Secure the Internet of Things Could Still Have Big Drawbacks

Relying on companies to secure IoT at the device level hasn't worked. Cloudflare has a different approach.

The Internet of Things security crisis continues apace. New botnets crop up to conscript routers and security cameras, hackers exploit medical devices to compromise entire hospital networks, and smart toys still creep on kids. Internet infrastructure company Cloudflare, though, has spent the last 18 months working on a fix.

Cloudflare's traditional offerings range from content delivery to DDoS defense, but today it's announcing a service called Orbit, which it conceives as a new layer of defense for IoT. It has the potential to make connected devices more secure than ever, but it also raises a few questions in the process.

A VPN for IoT

Instead of focusing on patches and protections on individual devices, Orbit provides a sort of tunnel that they can automatically use to access the internet. Think of it as a VPN between IoT devices and the internet.

"The traffic to and from [IoT devices] will pass through Cloudflare’s global network. The idea is we’ll patch it in place," says Cloudflare CEO Matthew Prince. "What sits behind us might still be vulnerable, but it buys some time for the software developer or the hardware developer to get the patch itself right and for people to apply that patch over time. So it’s an additional layer of security."

In other words, if a product experiences a security issue, Cloudflare can respond in the cloud, for example implementing a virtual patch or blocking connectivity from maliciously compromised units. That way owners of those devices have at least some protection while they wait for the manufacturer to come out with an official fix.

Cloudflare will offer multiple data security options (from IP verification up to full cryptographic connection signing) to ensure that data moving through the security layer is protected. The company adds that it doesn't keep data logs. "Data passes through our network, but it’s very ephemeral," Prince says. The company will also offer Orbit as a standalone product that IoT companies can use without also paying for other Cloudflare services.
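To make the architecture described above concrete, here is an added toy model of a gateway sitting between devices and the internet; it is not Cloudflare's code and not how Orbit is actually implemented. It verifies the source address (the "IP verification" tier), checks a per-device HMAC as a stand-in for "cryptographic connection signing", cuts off units that have been flagged as compromised, and applies a "virtual patch" rule so a vulnerable endpoint is blocked at the edge without touching the device. Device keys, addresses and the patched path are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
@dataclass
class Device:
    key: bytes              # per-device secret shared with the gateway (assumed provisioning)
    ip: str                 # address the device is registered to connect from
    quarantined: bool = False   # set when the unit is flagged as compromised

@dataclass
class Gateway:
    devices: dict
    # "Virtual patches": request substrings blocked at the edge until firmware is actually fixed.
    virtual_patches: list = field(default_factory=list)

    def sign(self, device_id, body):
        # What a device attaches to each request; stands in for connection signing.
        return hmac.new(self.devices[device_id].key, body, hashlib.sha256).hexdigest()
    def decide(self, device_id, src_ip, body, sig):
        # Returns (verdict, reason). Only a verdict is produced; the payload is not retained.
        dev = self.devices.get(device_id)
        if dev is None:
            return ("reject", "unknown device")
        if src_ip != dev.ip:                                   # tier 1: IP verification
            return ("reject", "source address mismatch")
        expected = hmac.new(dev.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):             # tier 2: cryptographic signing
            return ("reject", "bad signature")
        if dev.quarantined:                                    # compromised unit cut off in the cloud
            return ("reject", "device quarantined")
        for pattern, reason in self.virtual_patches:
            if pattern in body:                                # patched in place, device untouched
                return ("block", reason)
        return ("forward", "ok")
# Constructed fleet: two lightbulbs plus one edge rule for a hypothetical vendor advisory.
GATEWAY = Gateway(
    devices={"bulb-1": Device(b"k1-secret", "10.0.0.11"),
             "bulb-2": Device(b"k2-secret", "10.0.0.12")},
    virtual_patches=[(b"/debug", "debug endpoint disabled pending firmware fix (hypothetical)")],
)

def demo():
    # Constructed requests: normal, virtually patched path, wrong source address, quarantined unit.
    good, bad = b"POST /state color=warm", b"GET /debug/dump"
    verdicts = [GATEWAY.decide("bulb-1", "10.0.0.11", good, GATEWAY.sign("bulb-1", good))[0],
                GATEWAY.decide("bulb-1", "10.0.0.11", bad, GATEWAY.sign("bulb-1", bad))[0],
                GATEWAY.decide("bulb-2", "10.0.0.99", good, GATEWAY.sign("bulb-2", good))[0]]
    GATEWAY.devices["bulb-2"].quarantined = True
    verdicts.append(GATEWAY.decide("bulb-2", "10.0.0.12", good, GATEWAY.sign("bulb-2", good))[0])
    return verdicts
```

The gateway only ever decides forward, block or reject per request, which is the "patch it in place" idea: the device behind it stays unchanged and still needs a real firmware fix.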

Orbit has already attracted at least one high-profile client in Qualcomm, along with the smart lock company Lockitron, and the industrial control company Swift Sensors. The service doesn't replace firmware updates and other important endpoint protections (security on individual units), but should provide some structure to an out-of-control security climate. Many IoT companies simply don't have a solid grasp on security; partnering with Cloudflare at least gives a measure of protection. One fear might be that companies will rely on Orbit as a panacea, but given that the alternative too often constitutes no investment in security at all, any protective step could be an improvement.

Give and Take

Still, every approach has tradeoffs. In Orbit's case, you trade the absence of IoT oversight for centralized control. If your smart lightbulbs use Orbit, another service suddenly has access to your daily life and data, too, and you may never even realize it. Cloudflare also says it counts router manufacturers among its clients, which adds another layer of complexity. Routers need a security boost more than almost any other device, but in the process, Orbit gives Cloudflare fundamental access to your internet connectivity and browsing data.

That's not even necessarily a question of trusting Cloudflare. It's a matter of exposing yourself to a new set of vulnerabilities; a recent Cloudflare bug highlighted the problems that can arise from concentrating responsibility for many internet services in one place.

"The idea isn't a bad one, especially when you consider the alternative," says Ang Cui, an IoT security researcher and CEO of the endpoint defense company Red Balloon, speaking of the general concept that underpins Orbit rather than Cloudflare's specific implementation. "I would rather one company come out and do this better than average, but if they implemented it poorly then this becomes a really attractive target and that could be super terrible. The privacy concerns are real."

Clear and Present Need

IoT companies will eventually decide whether those tradeoffs are worth it, but the urgency for some sort of fix will only increase. "If you just walk through the basic assumptions there are going to be more devices connected to the internet, manufacturers of those devices are not somehow magically going to be able to write perfect code, and it’s going to be impossible to convince my dad to upgrade his toaster," says Prince. "Inherently you have to shift the security model, it can’t just be done on the device itself. The network is the logical place to deploy that security."

At the same time, products like Orbit will require new awareness campaigns that help people understand that companies they've never heard of might have access to their devices, especially since it's a tradeoff being made on their behalf. "It's important that all the implications of what is essentially an always-on VPN service, enabled by default out-of-the-box, are fully understood by consumers, ISPs, IoT vendors, security professionals, government regulators, and privacy advocates alike," says Roland Dobbins, a principal engineer at the network security firm Arbor Networks.

In the meantime, at least Orbit represents a new approach. Given how little else has worked so far, that's what IoT security needs the most.