Cybersecurity in a Consumer IoT World: Why Should I Be Worried?
I’m a self-confessed geek and early adopter of new tech (when I can convince my long-suffering wife of its merits). Home automation has been something of a recent hobby.
When cooking, I can set a timer with my voice. When the countdown elapses, it triggers an audible alarm and the Wi-Fi light bulbs in my house will flash. If I fail to notice these, at some point the smart smoke alarms will send a notification to my smart watch to indicate that my dinner is on fire. I can then invoke plan B and order takeaway using my voice via my digital assistant.
Smart Devices – A Global Trend
Most folks I speak to (even outside the tech industry) have some form of smart device in their home, whether it’s to stream or watch media, to keep an eye on their pets and property, or a wearable such as a smart watch.
Statistics show this is a global trend. In fact, within the next year the number of consumer-connected Internet of Things (IoT) devices is predicted to overtake the human population, currently at circa seven billion. By 2020, Gartner predicts the number of consumer IoT devices will have nearly doubled to almost 13 billion devices. See ZDNet article. Gartner also predicts that in the same timeframe, IoT will be in 95% of new electronic product design. See: Is IoT security being regulated?
Powering these devices is an array of sensors: microphones, cameras, GPS, accelerometers, health data, thermometers, and barometers, to name a few. These are constantly gathering information from the environment to support their feature sets.
IoT Security Concerns
From a security perspective there are some obvious concerns:
- Home networks don’t have the sophisticated firewalls and intrusion detection systems that enterprises generally have.
- Consumers don’t always follow security best practices, such as changing default passwords.
- IoT devices often have a rapid hardware lifecycle with little or no ongoing vulnerability mitigation provided by the vendor.
- Consumers may assume that security will be dealt with by the vendor.
- Some IoT devices require manual patching, which many users will not do. (If it’s not broken, why fix it?)
- Devices like webcams can require routing rules to be set up to allow access from the internet, which makes these devices a particularly easy target.
- Teleworkers may use their home broadband/network, which may contain vulnerable or compromised IoT devices that could be an attack vector.
There have already been some high-profile IoT vulnerabilities disclosed or exploited, such as the Mirai botnet and this rather alarming automotive hack amongst others, but it’s likely these are just the tip of the iceberg.
IoT devices are designed and manufactured by a broad spectrum of vendors, ranging from the tiny crowd-funded startups through billion-dollar ‘unicorns’ to established enterprises. There are some 3,000 companies in the IoT space in North America alone. See Forbes article.
Security’s Varying Role
Security is likely to play a varying role across the spectrum of vendors, with new startups often needing to cut corners to get to market. Gartner predicts that by 2022, half of the IoT security budget will be spent reactively (remediating faults and product recalls) rather than on proactive protections.
On the brighter side, there are steps underway toward implementing regulatory policy to define a minimum level of security for IoT devices. Of course, the big challenge will be achieving worldwide adoption and enforcement.
So what can we do in the meantime? Microsoft cited some cyber security statistics earlier this year that make for interesting reading. In particular, the following are very relevant to IoT:
- Eighty-one percent of security incidents are caused by credential theft.
- Seventy-three percent of users use password duplicates.
- Ninety percent of login requests are from credential stuffing attacks.
Some basic approaches that can help are adopting a good password policy (at the very least, ensure you do not re-use passwords across different systems) and being generally risk aware.
It’s also important to keep devices up to date with any available security updates supplied by the IoT vendor. It’s worth noting that not all IoT devices can be patched, and for those that are patchable, applying the update can be very difficult and require technical knowledge.
Finally, make sure your friends, family, and colleagues are aware of the potential security risks around IoT devices and encourage them to use good cyber hygiene practices to minimize their chances of becoming a victim of cyber-crime.
Robin Rowe is a product manager at Ivanti focusing on security and cloud solutions. Based in the UK, Robin has also worked as a senior solutions engineer, data center project engineer, senior consultant, and customer support engineer.