Last updated at Tue, 18 Jul 2017 21:02:56 GMT

Let me tell you a story….

…a few months ago, I was going home from an airport in an Uber with my wife. We recently bought a house and were looking for some renovation work and discussing few ideas on the way. The very next day, I received a call from an unknown number—the caller said “Hello Mr. Dutta, I am [caller's name] calling from [company name]. I would love to discuss the home renovation project you are planning to undertake in your home”. At this point his words started blurring as my mind was racing in different direction on how did this guy know all these details? Was it the city that informed them? Was it UBER? The timing was crazy! That got me thinking…

Security and usability

Everyone loves UBER. It's quite easy to hail an UBER at a tap. But can UBER be a privacy risk? Can we say that for a better experience and usability, my privacy can be compromised?

I started digging deep into this relation. I realized that in websites when security measures like CAPTCHA are added, it makes the website more secure, but the conversation rates for those websites drop significantly as usability is reduced.

Looking at health care systems, in certain types of insulin pumps, a physician has all the vital information, including the patient's blood glucose level, the moment a patient steps into the clinic. To enable this, the insulin pump has an always-on Bluetooth sensor. This convenience comes at the cost of high security risk, where it's possible to tamper with the device remotelywith serious consequences.

Finding a balance

Such examples make us believe that security and usability are two antagonistic goals within system design. Simson Garfinkel, in his doctoral thesis at MIT, argued that there are many instances within which security and usability can be synergistically improved. This is possible by revising the way that specific functionality is implemented in many of today's operating systems and applications. Garfinkel further explains that in every case considered, it is shown that the perceived antagonism of security and usability can be scaled back or eliminated by revising the underlying designs on which modern systems are conceived. The errors in system design, computer user interfaces, and interaction design can lead to common errors in secure operation.

By identifying and correcting these errors, users can naturally and automatically experience more secure operation. For instance, an emerging area is Internet of Things (IoT) devices—this area can benefit hugely from an established set of patterns/ rules/ framework which is optimized for security operations.

Widespread attacks

In September 2016, we saw a record-breaking Distributed Denial of Service (DDoS) attacks against the France-based hosting provider OVH. That attack reached over one Terabit per second (1 Tbps), and was carried out via a botnet of infected 150000 IoT devices. Less than a month later, a massive and sustained Internet attack caused outages and network congestion for a large number of web sites. This attack was launched with the help of hacked IoT devices, such as CCTV video cameras and digital video recorders, and impacted websites from high-profile organizations, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

Mirai”, which was used to hijack the connected IoT devices, exploited the default usernames and passwords set by the factory before the devices are shipped to customers. Mirai is capable of launching HTTP floods, as well as various network DDoS attacks, including DNS floods, UDP floods, SYN and ACK floods, GRE IP and GRE ETH floods, STOMP (Simple Text Oriented Message Protocol) flood attacks.

Securing usable IoT and making secure IoT usable

While such incidents are scary, IoT devices are awesome!!! They make our lives easier. The potential for IoT is limitless. However, while security is a potential risk, we cannot afford to seize the opportunity to exploit IoT capabilities to its fullest.  What we need is discipline—some kind of governance or rule book on how to securely use these products.

Garfinkel refers to them as simple patterns.Developers and the organizations that employ them must analyze their risks, the cost of proposed security measures, and the anticipated benefits. Be it security or usability, neither should be added to a system as an afterthought. Instead, security and usability must be designed into systems from the beginning. By providing pre-packaged solutions to common design problems, patterns can address this deficit.

A great example of a Usability Pattern is “Copy and Paste” or “Drag and Drop” that have dramatically changed the usability of computer systems. Similarly, Security Patterns, such as using the Secure Socket Layer (SSL) to “wrap” cleartext protocols and Email-Based Identification and Authentication for resetting passwords, have allowed developers untrained in security to increase the security of their systems. Patterns that align security and usability of IOT devices can create that much-needed rule book for the IoT developers.

I want to leave you all with the thoughts that IoT systems must be viewed as socio-technical systems that depend on the social context in which they are embedded to function correctly. The security mechanisms will only be able to provide the intended protection when people actually understand and are able to use them correctly.

You can further read about independent IoT research complied by Tod Beardsley here, and read about danger of default passwords in IoT by Deral Heiland here.

Thank you for reading!

Saurabh Dutta,
Director of UX, Rapid7