Cloud with IoT devices

Why the Gap Between IoT Innovation and IoT Security Won’t Be Bridged Any Time Soon

In Europe alone, the size of the IoT market is projected to reach heights of over €200 billion by the close of this year.

This growth in popularity has led to an increase in IoT app development. However, in order to retain the pace of innovation necessary to meet market demand in a safe manner, IoT development has to tackle the associated security issues that continue to arise in the IoT space.

While manufacturers and developers are eager to put their IoT products into their consumer’s hands, very few of them are taking the necessary security steps that tackle key issues such as data management and access.

In order to not see innovation hampered by unmet security concerns, it is crucial then that developers and manufacturers understand the biggest threats that the IoT faces. Failing to do so will hamper their long-term innovation as more consumers both need and demand security solutions.

1) Not enough updating and testing

As it stands, there are in excess of 23 billion IoT devices across the globe, with a predicted rise to 30 billion by the end of the current year, and exceeding 60 billion by Christmas 2025. This enormous influx of technology is not without its costs.

Arguably the largest problem faced by tech companies and innovators is that they’re all too happy to pay insufficient attention to their device’s security risks. It’s not uncommon for many devices to undergo a poor level of testing, and many devices get inadequate updates to patch design vulnerabilities or meet the latest security threats. Some receive no updates whatsoever.

From a cybersecurity perspective, this can lead to devices quickly becoming prone to attacks. Even if it was highly secure when the customer purchased it. This is not dissimilar to the issues faced by the first computer systems, where automatic updates were found to be one of the best solutions.

Much of this issue comes from the business practices behind these companies and innovators. While they provide a secure product at launch and promise support, they are all too quick to move onto their next product, leaving their device to lag behind when it comes to the latest security.

This move not only degrades their original product but can harm the industry as a whole. If persistent security issues aren’t tackled, then consumers may not just turn away from the companies involved but the concept of the IoT as a whole. After all, it only takes one large-scale data breach to see the IoT receive negative press across the world.

To combat this problem, many users are moving towards trying to protect their activity and data on these devices by connecting them to Virtual Private Networks (VPNs). However, while this is a step in a more secure direction, they have to make sure they’re picking the right one. Far more efficient would be for the companies themselves to handle this problem for them.

2) Shipping with a default username and password

Another issue faced by the IoT is its vulnerability to DDoS attacks, such as the Mirai botnet. Nowhere is this more prevalent than with the companies providing devices with default usernames and passwords, and not instructing customers to change them immediately.

Default usernames as passwords are much easier to hack than unique ones. So much so that many governments warn companies against providing IoT products that ship with vulnerable default login information – such as the common “admin” username.

However, these cautions are little more than guidelines, with nothing set in legal stone, and zero repercussions by way of fines to motivate companies to change. Similar to the implementation of the GDPR, these need to be fixed laws that alter the way companies do business.

In the case of Mirai, the sole reason that it was so effective is that it was easily discovered by IoT devices that used vulnerable default login information. Infecting them was largely effortless.

Not only is a company that uses default login information being lazy, but they’re exposing their customers and business to a potential DDoS brute-force attack that puts them all at risk. This risk is compounded by the increasing rise of digital and IoT products. All aspects of our lives – from health to home heating, to productivity – is finding its way online. Giving hackers a much wider range of avenues to find victims.

3) Ransomware and malware

Alongside any rise in technology will be a rise in the number of ransomware and malware attacks on them. This is no different for IoT devices.

Traditionally, ransomware uses different types of encryption to lock users out of their devices, however, there’s an increasing number of combinations of ransomware and malware that merge the different avenues of attack.

For example, ransomware could both remove your device functionality while stealing your valuable user data. Something as simple as an IP camera could be used for stealing sensitive information from your home or office. It could then lock you out of use and have all the sensitive information sent to a bad agent who will then hold it and access to your device ransom. Such activity has even extended to home televisions.

With even more IoT heading towards the market place, there is undoubtedly going to be a rise in network vulnerabilities and malware attacks. Without addressing the aforementioned vulnerabilities that expose devices to these risks user experience could significantly decrease and the finances of consumers would likewise be put at serious risk.

There are strategies consumers use to shield themselves from ransomware. For example, customers should always encrypt their financial information over public networks using VPNs and likewise invest in a comprehensive insurance policy to help cover financial losses as a buffer in the event that an attack is successful. But the onus of responsibility can’t only be on ordinary people. Industries such as web hosting, for example, have all had to compete not just on price, but on the level of security they can offer their customers. It is high time that the IoT industry does the same before customers start forcing the need upon them.

Why the divide exists

While it would seem logical that IoT security and innovation would go hand in hand, the most successful business practices don’t always make this the case.

Although attacks from ransomware, malware, and DDoS attacks can cripple the user experience and expose customers and businesses to risk, it is still more profitable to focus on innovations of design and functionality. Due to market competition, being a company that provides the latest product takes precedence over proving the product is the most secure.

This, more than anything, is why the divide exists and will continue to exist. However, with increasing IoT devices comes increased security risks, so companies unable to provide increasingly secure devices will likely find themselves innovating in the areas that customers don’t actually want. After all, there’s never been a time when data security has been more prevalent in consumers’ minds.

 

Staff Writer at CPO Magazine