Verimatrix Labs: How a Lack of Concern for IoT Security Affects Us All
The Internet of Things world is progressing quickly – so quickly in fact, it is estimated that in three years’ time, the total number of connected devices will potentially skyrocket up to 50 billion. IoT development is progressing so rapidly in a wide range of areas that even if we refuse to adopt such connected technology in our private lives, it is inevitable that we will be dependent on it to some degree in the not-so-distant future.
For example, from an economic standpoint, IoT has the potential to monitor and control vital resources, including water supply, electricity, natural gas and even power plants. There has also been talk of equipping the military with autonomous “cyber soldiers.”
In the medical field, IoT is anticipated to improve human health with devices designed for 24/7 health monitoring and the instant identification of illnesses – from viruses to some forms of cancer. The IoT may even present the opportunity to automatically treat patients.
And in our personal use, the IoT can simplify and improve the safety of our daily lives by automatically operating vehicles and controlling our home security and maintenance.
But as quickly as the IoT field is growing, developments in the security of connected devices aren’t yet keeping up. Recent unprecedented and massive DDoS attacks on the DNS service Dyn, which affected hugely popular websites including Netflix and Twitter, demonstrated how countermeasures to the misuse of IoT devices remain an afterthought.
Several other recent attacks on IoT devices have enabled hackers to gain dangerous and potentially life-threatening capabilities through IoT-enabled devices, such as the gas and brake functions of several high-end cars, children’s Barbie dolls, insulin pumps, birth control and many in-home and wearable devices. These reported incidents should prompt widespread concern about the impact of IoT misuse.
So why are IoT devices so insecure?
Although massive quantities of similar IoT devices do exist, their diversity makes it extremely difficult to impose security standards. And because the field is comparatively new, time to market is of the essence for manufacturers of IoT devices. The focus is on having the latest and greatest devices, rather than designing them, and purchasing them, with security in mind.
It can be all too easy to overlook the need for security of the newly IoT-enabled devices that we may recognize from our everyday lives (thermostats, webcams, etc.), but it is crucial to be cognizant of the fact that they have never before been intended to stay constantly connected. The downfall of many victims is that they brushed off concerns by making the assumption that if it’s new, it must be secure – or that it can be updated later on. The fact of the matter is that many IoT devices are being built according to security standards from 30 years ago, and it is incredibly difficult to update the security of a device once it is prevalent in millions of households.
How can security of the Internet of Things be improved?
Despite the potential pitfalls of IoT devices, I don’t think their development is anything that can, or should, be stopped. IoT promises a better and more comfortable life, but to really achieve that, we must motivate the industry to build more secure devices and educate consumers about the risks associated with their devices.
A first step toward greater IoT security would be to establish a rough minimum standard for security that must be built into every single connected device. This standard could enforce basic requirements such as signed updates or enforcement of a password strategy, or could even impose secure data transfer relying on pre-individualized keys – like the approach HIMMO provides.
The administration could potentially increase consumer awareness by imposing fines or confiscating devices if an end-user has been repeatedly attacked. Similar rules have already been established in some countries where, for example, operators of Wi-Fi hotspots have the responsibility to track those who connect or to implement reasonable security measures. But imposing fines should not be the focus of any IoT measures – the goal needs to be to generate greater awareness of the fact that everyone who operates an IoT device has the potential to impact public security.
However, regrettably, this is not likely to happen without a wakeup call in the form of a major hacking incident. I can only hope that the incidents will be moderate and call for step-by-step increases in security like we have seen with Wi-Fi technology.
Have you taken measures to secure your IoT devices?
If not, what are you waiting for?