It’s clear to everyone in the technology industry that the Internet of Things (IoT) is facing some serious security trouble. Now, even those who aren’t particularly tech-savvy know that there’s some work that needs to be done in this regard.
What exactly are the biggest security threats that come with IoT devices? And, an even more important question, what can we do about it?
What is the IoT?
This one is pretty easy to explain if you aren’t already sure. Essentially, it’s just smart devices. This can be something incredibly useful like a heart-monitoring implant, convenient like a smart thermometer or refrigerator, or simply odd, such as a toothbrush that takes pictures of your teeth or a fork that vibrates when you’re eating too fast.
What are the biggest security threats to IoT?
The company (or the consumer) just doesn’t care enough
Computers and Internet applications have regular patches. So regular, in fact, that many consumers get annoyed with the constant need to install an update or restart their computer. However, this is done for a reason.
Regular patches are necessary to keep up with vulnerabilities as they are discovered, either by the company itself or by malicious outside forces. Because vendors patch so regularly, many of the viruses that everyday consumers encounter are their own fault (such as downloading malicious files or falling for a phishing scam).
However, this same understanding of the need for updates has not yet taken hold in the IoT market. Because of the lack of regular patching and updates, IoT devices can get more dangerous the longer you have them.
Additionally, many IoT devices today are made by experienced hardware vendors who do not have enough experience with software and security to create a product that can withstand attacks.
What to do?
It is important that these hardware companies recognize the risks associated with the IoT and take proper precautions.
Of course, some companies do, in fact, offer regular updates for their smart products. However, what do you do when a consumer does not understand the need for regular updates on things like a toothbrush, so they opt out?
While companies are starting to be more invested in the security of IoT devices, public education is developing at an even slower rate. Not only do the companies that make these products need to be more invested in their security, but the consumers do as well.
Of course, the option to add automatic updates is always there. Even if certain users choose to opt out, it would likely increase security overall.
While it would be nice if consumers would research beforehand and only buy products that they knew would have regular patches by an established company, this isn’t likely to happen on a large scale. Therefore, it is likely up to the companies to provide regular, automatic patches to their IoT devices.
More devices to attack
It seems that the real danger posed by a large number of unprotected IoT devices came to wider attention with the Dyn distributed denial of service (DDoS) attack in October 2016. The hackers were able to use smart cameras to affect many large service providers online, such as Netflix and Reddit.
As there are more devices on the market, the fear of an even larger DDoS attack increases. As reported by Network World, Or Katz from Akamai (one of the service providers that helped mitigate the first of the large IoT DDoS attacks linked to Mirai malware) stated, “Once upon a time, the Internet of Things held unimaginable promise. Then came Mirai...and all the associated attacks, and suddenly the promise seems more like a threat.”
Even if consumers don’t purposefully avoid updates sent by active companies, at a point in the near future there could simply be too many devices in the average home to remember to update each one.
Of course, the idea of a hacker remotely breaking into a smart car and bending it to their whim frightens consumers, leading them to understand the need for intense security. However, as we’ve seen, even seemingly unimportant devices such as IoT cameras need just as much security.
What to do?
The issue here is still making consumers and producers of IoT products understand that initial security and regular patches are non-negotiable, even for products that you might not think are important, such as your smart fridge or toothbrush.
Hackers aren’t the scariest possibility out there
Believe it or not, corporations don’t always have your best interests at heart. This has been brought to the attention of many people recently because Vizio agreed to pay $2.2 million to settle allegations that it spied on its customers through 11 million smart TVs.
This company secretly collected data about its users’ locations, demographics, and viewing habits. Why? To sell the data, of course. Corporations are selling more of their users’ data than was ever possible before.
Rather than secretly spying on consumers, certain companies openly use this kind of personal information. For example, many companies, such as BP and Appirio, gave their employees Fitbits to monitor their health. With this information, they were able to get lower health insurance rates.
In fact, Appirio was able to save $280,000 by giving a Fitbit to each of its 400 employees. While it’s great to encourage people to live a healthier lifestyle, the ethical concerns are obvious. Employees should be hired and retained because of their skill level, not because of the amount they are able to save their employers on health care.
Additionally, the employees participating in this program might have limited rights over how their health data is then used. For example, certain companies such as RadioShack “have attempted to send or even sell gathered data to other companies,” according to CIO.
What to do?
There is no certain protection against users’ data being stolen, considering Vizio was secretly recording its users’ information. However, devices will often come with a contract in which you must agree to allow the company to sell your data.
For users that are concerned about their personal privacy, it’s important not just to skip over the contract, but to actually read it. This way, users can choose to not buy products that store and sell their personal information.
Even if companies don’t sell your data, don’t forget that they often keep it. Take, for example, the Amazon Alexa that was wanted as evidence in a murder trial. Fortunately, Amazon would not give the information “without a valid and binding legal demand properly served.” Yet, the fact that many companies store your information is important to remember when considering IoT security.