Years ago, a Broadway hit was born – "The Sound of Music." Maria was a novice nun who couldn't conform, who needed to take in all of life and live on the edge. A famous song from that musical, sung by the Reverend Mother was, "How do you solve a problem like Maria?" This is a bit the same issue with IoT today. It is growing rapidly – too rapidly for the technology, actually – and is placing individuals and businesses "on the edge" in terms of security.
Haste Makes Waste
In their haste to get the next best thing out there for consumers, IoT developers rush through design. And in their haste to have that next best thing, consumers are gobbling up anything with the term "smart" in front of it. At the latest CES show, for example, there were smart toothbrushes and hairbrushes – why? Compounding that, are the wearables in use by the medical and other industries, individuals bringing their own IoT devices for use in the workplace, and an amazing lack of concern about the potential consequences on the part of everyone involved, from idea to purchase.
In this case, haste may very well make waste in the form of security breaches we cannot even imagine yet. Think of it this way – every time a single device is connected, a door opens for a hacker.
Awareness But No Major Effort
A very recent study of the Ponemon Institute reported that 80% of IoT apps are not tested for potential security issues. Furthermore, while the majority of IT security pros surveyed (84%) stated that they were highly concerned for vulnerabilities and about 75% stated that mobile and IoT apps posed serious threats to security risks.
With all of this concern, however, there is still a lack of a sense of urgency. More devices are designed and brought to market with little-to-no security testing. Why?
- One of the reasons may be that there has not yet been a major hack that would bring worldwide attention. When an individual consumer's IoT home security system gets hacked, it doesn't even make the evening news.
- Another reason may relate budget constraints and the need to beat out competitors by being the first to market.
- Still a third reason is that IoT technology itself is so new that lots of developers do not truly understand the potential security issues and impacts of hacks to a device as small as a Fitbit or a smart toaster.
All of this is not to say that absolutely no one is concerned for security. Medical device manufacturers and designers of smart car technology are probably leading the pack right now, because they understand that security breaches in their niches could impact lives in devastating ways. But even if security became the highest priority tomorrow, there are enough older devices already out there, that a big and visible hack is almost inevitable.
Proactive measures, such as fixing binary code and installing cryptographic key protection, are certainly a start. But once those devices are thrown out there for consumers to use in connection with all of their other devices, even these two measures are not without vulnerability.
Educating the Consumer
It is easy to say that it is the consumer's responsibility to ensure that his/her devices are used with security in mind. But most consumers are woefully ignorant regarding the vulnerabilities of purchasing and putting into use every new cool device that comes along. There is an assumption that security has somehow been taken care of by the manufacturer. And manufacturers may indeed be leaving themselves open to legal liabilities when serious consequences occur – the body of law and precedent in this arena are just beginning to be considered.
The very least that manufacturers of IoT devices can do right now is to make security a top priority. As an industry, there should be standards set. In the meantime, they need to educate consumers on methods of self-protection, to include the following:
- Creating segmented networks. There should be separate networks for PC & mobile and for IoT devices. This way, the least secure connections (IoT devices) will not be able to access personal information of data at work.
- Consider the need for such things as toasters, toys, and refrigerators to be connected to personal Wi-Fi networks.
- Create strong and unique passwords for routers and every connected device
- Keep routers and any firmware updated. The more updated these things are, the less vulnerable they are. You might want to consider investing in a newer good wireless router which will have more protections.
- It may be a pain but wireless networks and features should be disabled when not in use for a period of time (vacations, business trips, etc.).
Solving the Problem
Maria was sent away from the convent to live in the real world. IoT developers may need exposure to the "real world" of vulnerability, perhaps through a major breach that has huge cost, before they really get serious about device security. It actually happened recently, when a breach of IoT devices knocked out a slew of sites (Amazon, The N.Y. times, Twitter, Reddit, Airbnb, PayPal and more).
The question, was this big enough to get everyone's attention? Will it move the industry to set standards and finally make security a top priority? Bigger hacks are sure to come, and the industry needs to step up to the plate with some serious proactive measures.