The Internet of Things defines numerous connected devices to the Internet with the goal to advance the quality of people’s lives, both personally and professionally. They represent the interface between the digital and the physical world. SecurView Cameras, Insteon, Samsung TVs, cooling systems, and many more have recently made headlines for the ‘’wrong reasons’’. They were not mentioned for amazing innovation. They were mentioned for vulnerabilities which may lead to privacy and security breaches.
The Internet of Things (IoT) or connected devices are fascinating. They help with our daily tasks, and make our lives easier and more comfortable. However in most cases, companies or manufacturers do not enable strong privacy and security controls by default. The weak protection on such intelligent devices can harm individuals, violating the their privacy and personal security. Cyber criminals might use these weaknesses to access the devices, and gain controls on the main corporate network.
Security breaches due to IoT are definitely not a new sensation. In 2013, weaknesses in the Insteon home automation system allowed someone with the know-how to take control of household devices. In the same year, Samsung caused a big scandal when reports of vulnerable cameras on their TVs allowed hackers to spy on users. This was also the year Charlie Miller and Chris Valasek hacked into a Toyota Prius and a Ford Escape using a laptop. The vulnerability allowed the team to take control and remotely operate the car’s steering, breaking, and headlights.
Internet of Things initiatives are failing
Around three-fourths of Internet of Things initiatives are defined as failures according to Cisco Systems in a survey conducted earlier this year. In 2014, Cisco Systems estimated that there are 14 billion IoT devices and projecting 50 billion in 2020. Additionally, according to the Internet Society, 99% of all products will be connected to the Internet. IoT will be even more part of our lives, it will be integrated into temperature control, building security, health technologies, traffic management, monitoring of customer behaviour, etc., we will have even more categories of IoT devices, including:
Smart health and wellness
Smart homes and buildings
Smart mobility and transport
Smart manufacturing and industrial IoT
Smart farming and food security
Gartner’s definition of the Internet of Things is: “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” This definition is perfect to understand and realize the related risks to IoT devices. In fact, “Trust” is an essential concern as important data will be transiting over the networks and will be available through those connected devices. While users are concerned around the reliability of those devices and their results, privacy and security related challenges will grow due to the complexity of an interconnected environment. Challenges to secure and preserve confidentiality, integrity and availability will be a concern, and will increase over time. Vendors and manufacturers must undertake a tremendous effort to integrate security in the early design of any IoT device. They will need to be transparent with their customers, and clearly define boundaries around data ownership.
Despite the big challenges, companies are still initiating new projects around IoT devices. However, if you are a customer or a manufacturer, do you have the right answers to these questions:
In an era where traditional patch management is a challenge, how will that be addressed for an IoT network?
How can you eventually discover a misbehaviour in your IoT network?
What about IoT devices that control human lives ? Who will take that responsibility and who will be liable?
Privacy and security crucial for trust in the Internet of Things
A 2014 TRUSTe survey emphasized that 60% of consumers have basic awareness around IoT privacy risks, and 87% are concerned about their personal data. IoT users certainly care about protecting their privacy. The right controls and protection are key for consumers to gain trust in the technology. In 2015, a study by HP recognized that 80% of IoT devices raise privacy concerns, 70% do not use encryption, 80% have weak passwords, and 90% gather personal information.
An IoT infrastructure involves the interconnection of embedded components with electronics, software, sensors, and network connectivity. If one of the component is vulnerable, it can affect and impact the resilience of the entire ecosystem. Therefore, attackers do not need advanced skills or tools to attack IoT devices and gain access to other interconnected systems. With the rise of cybercrime as a service, anyone could potentially become a cybercriminal which makes it even more concerning for the future. Tracking the individual, stealing personal information, using the devices as bridges to other systems – these are just a few possibilities.
Undeniably, IoT devices require security and privacy features built-in and considered from the initial design and architecture stages. This includes data collection, data storage, data process concerns.
Notwithstanding the failure of many IoT projects, as well as all the privacy and security concerns, companies remain positive about the potential of IoT, and are continuously launching new products. There is a massive growth of IoT devices, and unfortunately these devices do not take in consideration the security and privacy concerns. It is crucial that manufacturers understand the risks behind a minimum viable product which can cause harm, and potentially even take a human life e.g. a connected pacemaker. All these concerns should be addressed by regulators, agreed by companies and enforced by regulations. Building an ecosystem where security and privacy are the priorities is the way to go. With this mindset, the state of privacy and security for IoT will likely improve over time, and continue to enhance people’s lives.
Collaborating on IoT privacy and security
In April 2017, the Linux Foundation together with 50 companies launched the open-source consortium, EdgeX Foundry, and announced an IoT framework for security, standardization and interoperability.
The Open Web Application Security Project (OWASP) has also launched an open source project around secure IoT framework. The OWASP Internet of Things Project “is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.”
As the industry rallies, resources are increasingly available to every manufacturer and developer. Unfortunately, many IoT developers are still not applying the right framework or security best practices, as well as adhering to legal requirements for data privacy and regulatory compliance.